Malware Analysis Report

2024-11-30 19:49

Sample ID 220128-v5sqbshfe8
Target ef4930fc91c40c8bc955c9a38b5112ee0a7cb6008b13e48025ed458fae4ba20d
SHA256 ef4930fc91c40c8bc955c9a38b5112ee0a7cb6008b13e48025ed458fae4ba20d
Tags
rms persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ef4930fc91c40c8bc955c9a38b5112ee0a7cb6008b13e48025ed458fae4ba20d

Threat Level: Known bad

The file ef4930fc91c40c8bc955c9a38b5112ee0a7cb6008b13e48025ed458fae4ba20d was found to be: Known bad.

Malicious Activity Summary

rms persistence rat trojan

RMS

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates connected drives

Adds Run key to start application

autoit_exe

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Runs ping.exe

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-28 17:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-28 17:34

Reported

2022-01-28 17:43

Platform

win7-en-20211208

Max time kernel

156s

Max time network

128s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ef4930fc91c40c8bc955c9a38b5112ee0a7cb6008b13e48025ed458fae4ba20d.msi

Signatures

RMS

trojan rat rms

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation C:\ProgramData\btc\winserv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\bitcoin = "c:\\ProgramData\\btc\\winserv.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A

autoit_exe

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76c4a6.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76c4a6.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID50B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76c4a7.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76c4a7.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c4a9.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 756 wrote to memory of 1688 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe
PID 756 wrote to memory of 1688 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe
PID 756 wrote to memory of 1688 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe
PID 756 wrote to memory of 1688 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe
PID 756 wrote to memory of 1688 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe
PID 756 wrote to memory of 1688 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe
PID 756 wrote to memory of 1688 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe
PID 1688 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe C:\Users\Admin\AppData\Local\Temp\exit.exe
PID 1688 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe C:\Users\Admin\AppData\Local\Temp\exit.exe
PID 1688 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe C:\Users\Admin\AppData\Local\Temp\exit.exe
PID 1688 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe C:\Users\Admin\AppData\Local\Temp\exit.exe
PID 1688 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe C:\Users\Admin\AppData\Local\Temp\exit.exe
PID 1688 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe C:\Users\Admin\AppData\Local\Temp\exit.exe
PID 1688 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe C:\Users\Admin\AppData\Local\Temp\exit.exe
PID 1568 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1568 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1568 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1568 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1568 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1568 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1568 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1744 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1744 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1744 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1744 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1744 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1744 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1744 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1744 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1744 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1744 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1744 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1744 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1744 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1744 wrote to memory of 1112 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\btc.exe
PID 1744 wrote to memory of 1112 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\btc.exe
PID 1744 wrote to memory of 1112 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\btc.exe
PID 1744 wrote to memory of 1112 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\btc.exe
PID 1744 wrote to memory of 1112 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\btc.exe
PID 1744 wrote to memory of 1112 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\btc.exe
PID 1744 wrote to memory of 1112 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\btc.exe
PID 1112 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\btc.exe C:\ProgramData\btc\exit.exe
PID 1112 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\btc.exe C:\ProgramData\btc\exit.exe
PID 1112 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\btc.exe C:\ProgramData\btc\exit.exe
PID 1112 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\btc.exe C:\ProgramData\btc\exit.exe
PID 1112 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\btc.exe C:\ProgramData\btc\exit.exe
PID 1112 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\btc.exe C:\ProgramData\btc\exit.exe
PID 1112 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\btc.exe C:\ProgramData\btc\exit.exe
PID 1128 wrote to memory of 1736 N/A C:\ProgramData\btc\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1128 wrote to memory of 1736 N/A C:\ProgramData\btc\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1128 wrote to memory of 1736 N/A C:\ProgramData\btc\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1128 wrote to memory of 1736 N/A C:\ProgramData\btc\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1128 wrote to memory of 1736 N/A C:\ProgramData\btc\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1128 wrote to memory of 1736 N/A C:\ProgramData\btc\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1128 wrote to memory of 1736 N/A C:\ProgramData\btc\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1736 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1736 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1736 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1736 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1736 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1736 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1736 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\btc\winserv.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ef4930fc91c40c8bc955c9a38b5112ee0a7cb6008b13e48025ed458fae4ba20d.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot14" "" "" "60919e20f" "0000000000000000" "00000000000003AC" "0000000000000548"

C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe

"C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe"

C:\Users\Admin\AppData\Local\Temp\exit.exe

"C:\Users\Admin\AppData\Local\Temp\exit.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c i.cmd

C:\Windows\SysWOW64\PING.EXE

ping ping-test.hldns.ru -n 3 -w 6000

C:\Windows\SysWOW64\PING.EXE

ping ping-test.hldns.ru -n 3 -w 6000

C:\Users\Admin\AppData\Local\Temp\btc.exe

btc.exe x -p3KPnoNJ3ReME4bEU5W9APkKS5ErkR3tNRT -y

C:\ProgramData\btc\exit.exe

"C:\ProgramData\btc\exit.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c i.cmd

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bitcoin" /t REG_SZ /d "c:\ProgramData\btc\winserv.exe"

C:\ProgramData\btc\winserv.exe

"C:\ProgramData\btc\winserv.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\ProgramData\btc\winserv.exe

C:\ProgramData\btc\winserv.exe -second

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ping-test.hldns.ru udp
DE 89.144.25.16:5655 tcp
DE 89.144.25.16:5655 tcp
DE 89.144.25.16:5655 tcp
DE 89.144.25.16:5655 tcp
DE 89.144.25.16:5655 tcp
DE 89.144.25.16:5655 tcp
DE 89.144.25.16:5655 tcp
DE 89.144.25.16:5655 tcp
DE 89.144.25.16:5655 tcp

Files

memory/1292-54-0x000007FEFBC21000-0x000007FEFBC23000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe

MD5 c3c3407f19d8fcdc6ef55f059f6beea6
SHA1 134185c71c2e6a2dd5441bff027de85f3a9b5c91
SHA256 8598695a8c7ef4672ba9357022abcb8b61ec6f6db3ff5588058872c17a9e75bb
SHA512 fb17dd760cfd691fb4d4005f56b55518bc3c51d7e7afafdab0ac50cca02af714b1391e2435732bae8e766985e031d855ed976750a125a9417e6257f0fa051818

memory/1688-57-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe

MD5 c3c3407f19d8fcdc6ef55f059f6beea6
SHA1 134185c71c2e6a2dd5441bff027de85f3a9b5c91
SHA256 8598695a8c7ef4672ba9357022abcb8b61ec6f6db3ff5588058872c17a9e75bb
SHA512 fb17dd760cfd691fb4d4005f56b55518bc3c51d7e7afafdab0ac50cca02af714b1391e2435732bae8e766985e031d855ed976750a125a9417e6257f0fa051818

\Users\Admin\AppData\Local\Temp\exit.exe

MD5 d76c6f53bcbbfb672a1f68a3017c1962
SHA1 976e087ca1a5d34cb326a96861df7ed79288b0d7
SHA256 258fe1b431cd23bfd509ca71ff47d2ad2ca4ef0bb0d82a22ce85d7ad987a9505
SHA512 e9f3e4ef8393c3b06330fe1a530ec5dc0bbb50f68e5c80ddd1a0a46a6383a52dbd2fad6ce286e68ea0cd0020f8bbb63d76ff23407877c6157e1c4b1067fe5cda

\Users\Admin\AppData\Local\Temp\exit.exe

MD5 d76c6f53bcbbfb672a1f68a3017c1962
SHA1 976e087ca1a5d34cb326a96861df7ed79288b0d7
SHA256 258fe1b431cd23bfd509ca71ff47d2ad2ca4ef0bb0d82a22ce85d7ad987a9505
SHA512 e9f3e4ef8393c3b06330fe1a530ec5dc0bbb50f68e5c80ddd1a0a46a6383a52dbd2fad6ce286e68ea0cd0020f8bbb63d76ff23407877c6157e1c4b1067fe5cda

\Users\Admin\AppData\Local\Temp\exit.exe

MD5 d76c6f53bcbbfb672a1f68a3017c1962
SHA1 976e087ca1a5d34cb326a96861df7ed79288b0d7
SHA256 258fe1b431cd23bfd509ca71ff47d2ad2ca4ef0bb0d82a22ce85d7ad987a9505
SHA512 e9f3e4ef8393c3b06330fe1a530ec5dc0bbb50f68e5c80ddd1a0a46a6383a52dbd2fad6ce286e68ea0cd0020f8bbb63d76ff23407877c6157e1c4b1067fe5cda

\Users\Admin\AppData\Local\Temp\exit.exe

MD5 d76c6f53bcbbfb672a1f68a3017c1962
SHA1 976e087ca1a5d34cb326a96861df7ed79288b0d7
SHA256 258fe1b431cd23bfd509ca71ff47d2ad2ca4ef0bb0d82a22ce85d7ad987a9505
SHA512 e9f3e4ef8393c3b06330fe1a530ec5dc0bbb50f68e5c80ddd1a0a46a6383a52dbd2fad6ce286e68ea0cd0020f8bbb63d76ff23407877c6157e1c4b1067fe5cda

C:\Users\Admin\AppData\Local\Temp\exit.exe

MD5 d76c6f53bcbbfb672a1f68a3017c1962
SHA1 976e087ca1a5d34cb326a96861df7ed79288b0d7
SHA256 258fe1b431cd23bfd509ca71ff47d2ad2ca4ef0bb0d82a22ce85d7ad987a9505
SHA512 e9f3e4ef8393c3b06330fe1a530ec5dc0bbb50f68e5c80ddd1a0a46a6383a52dbd2fad6ce286e68ea0cd0020f8bbb63d76ff23407877c6157e1c4b1067fe5cda

C:\Users\Admin\AppData\Local\Temp\exit.exe

MD5 d76c6f53bcbbfb672a1f68a3017c1962
SHA1 976e087ca1a5d34cb326a96861df7ed79288b0d7
SHA256 258fe1b431cd23bfd509ca71ff47d2ad2ca4ef0bb0d82a22ce85d7ad987a9505
SHA512 e9f3e4ef8393c3b06330fe1a530ec5dc0bbb50f68e5c80ddd1a0a46a6383a52dbd2fad6ce286e68ea0cd0020f8bbb63d76ff23407877c6157e1c4b1067fe5cda

C:\Users\Admin\AppData\Local\Temp\i.cmd

MD5 4873668f4a034b615f15fd8983001468
SHA1 162dcd46d5e171535eb81d284126bfd68cb4d29c
SHA256 d91c01dc76613d7342f541703df60b6519fc4f0107db24b56a49a6ac220304a7
SHA512 f6b5fb56cf8a380451db16fd2af6b9bf994425b9ba86180c2ff38556c080d1d16123c0341d3cec4a84cd36972a5cc4bb8618d24cccc879751f2b455c4ed1070c

C:\Users\Admin\AppData\Local\Temp\syst.dll

MD5 1a81bdde68862f89ddde3276abe33c94
SHA1 fc5148ad9b387e91febd695d92f4233c2e92f600
SHA256 0b4797e50e773329365b83eb84da804f4d75483e6faa25b2b0c97c6c21ff1715
SHA512 048f441091c06759c4e81b6a331ed2aa489f1630e84162d40d3b7dab549f5f100dea61d8e51a806033c8121c29258c262f9de66af90a6e80d3d90f0e329bbe7a

\Users\Admin\AppData\Local\Temp\btc.exe

MD5 1a81bdde68862f89ddde3276abe33c94
SHA1 fc5148ad9b387e91febd695d92f4233c2e92f600
SHA256 0b4797e50e773329365b83eb84da804f4d75483e6faa25b2b0c97c6c21ff1715
SHA512 048f441091c06759c4e81b6a331ed2aa489f1630e84162d40d3b7dab549f5f100dea61d8e51a806033c8121c29258c262f9de66af90a6e80d3d90f0e329bbe7a

C:\Users\Admin\AppData\Local\Temp\btc.exe

MD5 1a81bdde68862f89ddde3276abe33c94
SHA1 fc5148ad9b387e91febd695d92f4233c2e92f600
SHA256 0b4797e50e773329365b83eb84da804f4d75483e6faa25b2b0c97c6c21ff1715
SHA512 048f441091c06759c4e81b6a331ed2aa489f1630e84162d40d3b7dab549f5f100dea61d8e51a806033c8121c29258c262f9de66af90a6e80d3d90f0e329bbe7a

\ProgramData\btc\exit.exe

MD5 d76c6f53bcbbfb672a1f68a3017c1962
SHA1 976e087ca1a5d34cb326a96861df7ed79288b0d7
SHA256 258fe1b431cd23bfd509ca71ff47d2ad2ca4ef0bb0d82a22ce85d7ad987a9505
SHA512 e9f3e4ef8393c3b06330fe1a530ec5dc0bbb50f68e5c80ddd1a0a46a6383a52dbd2fad6ce286e68ea0cd0020f8bbb63d76ff23407877c6157e1c4b1067fe5cda

\ProgramData\btc\exit.exe

MD5 d76c6f53bcbbfb672a1f68a3017c1962
SHA1 976e087ca1a5d34cb326a96861df7ed79288b0d7
SHA256 258fe1b431cd23bfd509ca71ff47d2ad2ca4ef0bb0d82a22ce85d7ad987a9505
SHA512 e9f3e4ef8393c3b06330fe1a530ec5dc0bbb50f68e5c80ddd1a0a46a6383a52dbd2fad6ce286e68ea0cd0020f8bbb63d76ff23407877c6157e1c4b1067fe5cda

\ProgramData\btc\exit.exe

MD5 d76c6f53bcbbfb672a1f68a3017c1962
SHA1 976e087ca1a5d34cb326a96861df7ed79288b0d7
SHA256 258fe1b431cd23bfd509ca71ff47d2ad2ca4ef0bb0d82a22ce85d7ad987a9505
SHA512 e9f3e4ef8393c3b06330fe1a530ec5dc0bbb50f68e5c80ddd1a0a46a6383a52dbd2fad6ce286e68ea0cd0020f8bbb63d76ff23407877c6157e1c4b1067fe5cda

\ProgramData\btc\exit.exe

MD5 d76c6f53bcbbfb672a1f68a3017c1962
SHA1 976e087ca1a5d34cb326a96861df7ed79288b0d7
SHA256 258fe1b431cd23bfd509ca71ff47d2ad2ca4ef0bb0d82a22ce85d7ad987a9505
SHA512 e9f3e4ef8393c3b06330fe1a530ec5dc0bbb50f68e5c80ddd1a0a46a6383a52dbd2fad6ce286e68ea0cd0020f8bbb63d76ff23407877c6157e1c4b1067fe5cda

C:\ProgramData\btc\exit.exe

MD5 d76c6f53bcbbfb672a1f68a3017c1962
SHA1 976e087ca1a5d34cb326a96861df7ed79288b0d7
SHA256 258fe1b431cd23bfd509ca71ff47d2ad2ca4ef0bb0d82a22ce85d7ad987a9505
SHA512 e9f3e4ef8393c3b06330fe1a530ec5dc0bbb50f68e5c80ddd1a0a46a6383a52dbd2fad6ce286e68ea0cd0020f8bbb63d76ff23407877c6157e1c4b1067fe5cda

C:\ProgramData\btc\exit.exe

MD5 d76c6f53bcbbfb672a1f68a3017c1962
SHA1 976e087ca1a5d34cb326a96861df7ed79288b0d7
SHA256 258fe1b431cd23bfd509ca71ff47d2ad2ca4ef0bb0d82a22ce85d7ad987a9505
SHA512 e9f3e4ef8393c3b06330fe1a530ec5dc0bbb50f68e5c80ddd1a0a46a6383a52dbd2fad6ce286e68ea0cd0020f8bbb63d76ff23407877c6157e1c4b1067fe5cda

C:\ProgramData\btc\i.cmd

MD5 2769f4f3c0c132044c66e249f03c1828
SHA1 9085fa6517cd20e62bc525d756daf74f6cede8d6
SHA256 28771275ee7c58967e49acf1d939d7c9231ed952c1125109999e3cb9b3a6b8dd
SHA512 e9dd96e11c5a8e2ed59bf7c7ba320ed25ffdafbdc4f7d5a070467facf1328b9c0602639396a03358c4b35282a40934a96fb3b8d028dd05e12177505967751d2c

\ProgramData\btc\winserv.exe

MD5 cf2ab077a46219b6ce4a53517dd489ea
SHA1 651b8d1377910e4728e85dcd231e269313ab9e1d
SHA256 609b0a416f9b16a6df9b967dc32cd739402af31566e019a8fb8abdf3cb573e30
SHA512 53fb1ac822467168ea8e7abdd72c78cdd90070b10773ce8c700c6784ab4cc3a03eb53887d158ce3a27779a5fbcf3300d2ccbedab79a34bfd42ddc91f68dbdad7

C:\ProgramData\btc\winserv.exe

MD5 cf2ab077a46219b6ce4a53517dd489ea
SHA1 651b8d1377910e4728e85dcd231e269313ab9e1d
SHA256 609b0a416f9b16a6df9b967dc32cd739402af31566e019a8fb8abdf3cb573e30
SHA512 53fb1ac822467168ea8e7abdd72c78cdd90070b10773ce8c700c6784ab4cc3a03eb53887d158ce3a27779a5fbcf3300d2ccbedab79a34bfd42ddc91f68dbdad7

C:\ProgramData\btc\winserv.exe

MD5 cf2ab077a46219b6ce4a53517dd489ea
SHA1 651b8d1377910e4728e85dcd231e269313ab9e1d
SHA256 609b0a416f9b16a6df9b967dc32cd739402af31566e019a8fb8abdf3cb573e30
SHA512 53fb1ac822467168ea8e7abdd72c78cdd90070b10773ce8c700c6784ab4cc3a03eb53887d158ce3a27779a5fbcf3300d2ccbedab79a34bfd42ddc91f68dbdad7

memory/1752-89-0x0000000000400000-0x0000000000E2B000-memory.dmp

C:\ProgramData\btc\winserv.exe

MD5 cf2ab077a46219b6ce4a53517dd489ea
SHA1 651b8d1377910e4728e85dcd231e269313ab9e1d
SHA256 609b0a416f9b16a6df9b967dc32cd739402af31566e019a8fb8abdf3cb573e30
SHA512 53fb1ac822467168ea8e7abdd72c78cdd90070b10773ce8c700c6784ab4cc3a03eb53887d158ce3a27779a5fbcf3300d2ccbedab79a34bfd42ddc91f68dbdad7

C:\ProgramData\btc\settings.dat

MD5 b5cfaef747d52a05a7ba1d74b944042f
SHA1 eb187a5ee6895c34747b84ae238f8911cfb932da
SHA256 c88a30f3fa8534d51fe8b38c0d3c1f1f8d46d91a856614698f51b61f80cff6f6
SHA512 cda564b389d0333a0dbf3bc3535346c2015c588bae71f1dcc165ffafaaae3c3d8aaea03bb4109bbac03a80bcf24cc7a9cfa1c4edc51e0472bfc559984e18ce08

memory/1672-98-0x00000000042F0000-0x00000000042F1000-memory.dmp

memory/1672-101-0x0000000004E20000-0x0000000004E21000-memory.dmp

memory/1672-100-0x0000000004310000-0x0000000004311000-memory.dmp

memory/1672-99-0x0000000004300000-0x0000000004301000-memory.dmp

memory/1672-97-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1672-102-0x0000000004F00000-0x0000000004F01000-memory.dmp

memory/1672-104-0x0000000005520000-0x0000000005521000-memory.dmp

memory/1672-103-0x0000000004F10000-0x0000000004F11000-memory.dmp

memory/1672-106-0x0000000005510000-0x0000000005511000-memory.dmp

memory/1672-107-0x00000000058B0000-0x00000000058B1000-memory.dmp

memory/1672-108-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

memory/1672-109-0x0000000006570000-0x0000000006571000-memory.dmp

memory/1672-105-0x0000000005940000-0x0000000005941000-memory.dmp

memory/1672-114-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

memory/1672-124-0x00000000066E0000-0x000000000683C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-28 17:34

Reported

2022-01-28 17:43

Platform

win10-en-20211208

Max time kernel

153s

Max time network

149s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ef4930fc91c40c8bc955c9a38b5112ee0a7cb6008b13e48025ed458fae4ba20d.msi

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\bitcoin = "c:\\ProgramData\\btc\\winserv.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A

autoit_exe

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{31F49B53-7587-4F85-8592-2CA10A3027D8} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI228E.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f781b6c.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f781b6a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f781b6a.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ \??\c:\windows\system32\svchost.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections \??\c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache \??\c:\windows\system32\svchost.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 680 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1692 wrote to memory of 680 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1692 wrote to memory of 1144 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe
PID 1692 wrote to memory of 1144 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe
PID 1692 wrote to memory of 1144 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe
PID 1144 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe C:\Users\Admin\AppData\Local\Temp\exit.exe
PID 1144 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe C:\Users\Admin\AppData\Local\Temp\exit.exe
PID 1144 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe C:\Users\Admin\AppData\Local\Temp\exit.exe
PID 964 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 964 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 964 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 372 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 372 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 372 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 372 wrote to memory of 4016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 372 wrote to memory of 4016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 372 wrote to memory of 4016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 372 wrote to memory of 428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\btc.exe
PID 372 wrote to memory of 428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\btc.exe
PID 372 wrote to memory of 428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\btc.exe
PID 428 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\btc.exe C:\ProgramData\btc\exit.exe
PID 428 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\btc.exe C:\ProgramData\btc\exit.exe
PID 428 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\btc.exe C:\ProgramData\btc\exit.exe
PID 1004 wrote to memory of 1396 N/A C:\ProgramData\btc\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 1396 N/A C:\ProgramData\btc\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 1396 N/A C:\ProgramData\btc\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1396 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ef4930fc91c40c8bc955c9a38b5112ee0a7cb6008b13e48025ed458fae4ba20d.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe

"C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe"

C:\Users\Admin\AppData\Local\Temp\exit.exe

"C:\Users\Admin\AppData\Local\Temp\exit.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c i.cmd

C:\Windows\SysWOW64\PING.EXE

ping ping-test.hldns.ru -n 3 -w 6000

C:\Windows\SysWOW64\PING.EXE

ping ping-test.hldns.ru -n 3 -w 6000

C:\Users\Admin\AppData\Local\Temp\btc.exe

btc.exe x -p3KPnoNJ3ReME4bEU5W9APkKS5ErkR3tNRT -y

C:\ProgramData\btc\exit.exe

"C:\ProgramData\btc\exit.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c i.cmd

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bitcoin" /t REG_SZ /d "c:\ProgramData\btc\winserv.exe"

Network

Country Destination Domain Proto
FR 2.18.105.186:80 go.microsoft.com tcp
US 8.8.8.8:53 dmd.metaservices.microsoft.com udp
SG 168.63.250.82:80 dmd.metaservices.microsoft.com tcp
FR 2.18.105.186:80 go.microsoft.com tcp
FR 2.18.105.186:80 go.microsoft.com tcp
FR 2.18.105.186:80 go.microsoft.com tcp
US 8.8.8.8:53 ping-test.hldns.ru udp

Files

C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe

MD5 c3c3407f19d8fcdc6ef55f059f6beea6
SHA1 134185c71c2e6a2dd5441bff027de85f3a9b5c91
SHA256 8598695a8c7ef4672ba9357022abcb8b61ec6f6db3ff5588058872c17a9e75bb
SHA512 fb17dd760cfd691fb4d4005f56b55518bc3c51d7e7afafdab0ac50cca02af714b1391e2435732bae8e766985e031d855ed976750a125a9417e6257f0fa051818

C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe

MD5 c3c3407f19d8fcdc6ef55f059f6beea6
SHA1 134185c71c2e6a2dd5441bff027de85f3a9b5c91
SHA256 8598695a8c7ef4672ba9357022abcb8b61ec6f6db3ff5588058872c17a9e75bb
SHA512 fb17dd760cfd691fb4d4005f56b55518bc3c51d7e7afafdab0ac50cca02af714b1391e2435732bae8e766985e031d855ed976750a125a9417e6257f0fa051818

C:\Users\Admin\AppData\Local\Temp\exit.exe

MD5 d76c6f53bcbbfb672a1f68a3017c1962
SHA1 976e087ca1a5d34cb326a96861df7ed79288b0d7
SHA256 258fe1b431cd23bfd509ca71ff47d2ad2ca4ef0bb0d82a22ce85d7ad987a9505
SHA512 e9f3e4ef8393c3b06330fe1a530ec5dc0bbb50f68e5c80ddd1a0a46a6383a52dbd2fad6ce286e68ea0cd0020f8bbb63d76ff23407877c6157e1c4b1067fe5cda

C:\Users\Admin\AppData\Local\Temp\exit.exe

MD5 d76c6f53bcbbfb672a1f68a3017c1962
SHA1 976e087ca1a5d34cb326a96861df7ed79288b0d7
SHA256 258fe1b431cd23bfd509ca71ff47d2ad2ca4ef0bb0d82a22ce85d7ad987a9505
SHA512 e9f3e4ef8393c3b06330fe1a530ec5dc0bbb50f68e5c80ddd1a0a46a6383a52dbd2fad6ce286e68ea0cd0020f8bbb63d76ff23407877c6157e1c4b1067fe5cda

C:\Users\Admin\AppData\Local\Temp\i.cmd

MD5 4873668f4a034b615f15fd8983001468
SHA1 162dcd46d5e171535eb81d284126bfd68cb4d29c
SHA256 d91c01dc76613d7342f541703df60b6519fc4f0107db24b56a49a6ac220304a7
SHA512 f6b5fb56cf8a380451db16fd2af6b9bf994425b9ba86180c2ff38556c080d1d16123c0341d3cec4a84cd36972a5cc4bb8618d24cccc879751f2b455c4ed1070c

C:\Users\Admin\AppData\Local\Temp\syst.dll

MD5 1a81bdde68862f89ddde3276abe33c94
SHA1 fc5148ad9b387e91febd695d92f4233c2e92f600
SHA256 0b4797e50e773329365b83eb84da804f4d75483e6faa25b2b0c97c6c21ff1715
SHA512 048f441091c06759c4e81b6a331ed2aa489f1630e84162d40d3b7dab549f5f100dea61d8e51a806033c8121c29258c262f9de66af90a6e80d3d90f0e329bbe7a

\??\Volume{e49a283c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a6bbd6da-6324-491c-ad60-d6de3294ac23}_OnDiskSnapshotProp

MD5 6a625b66e5b239afc16b1b2f7e400a4f
SHA1 2cc92dbb4a3fb03d1d98227b343ec03856bbf469
SHA256 0f658a24bce0e2c134db22f2bdabf96d428f0d1cb6e899bf4174504e6be44a8e
SHA512 63072b7f9d8da5f487e40592586d09aee1844c40bf4c36cd41b39a016703cee2ee9826ac3725987e5e2cdcf9be138612277dc8719491448100fd98c9f1a2d264

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 0da701373f22e9e61034a6a18c9884ff
SHA1 8f6cc291042f6f38e0c62fb5131b5aca650842b6
SHA256 8a00699225cc71933b61c29c83007d26b3430d9994b2e56aeb080af749d06b7e
SHA512 d9fe779b6e1821e237fd1c482f2d92f2a924df6dd1be82b893b19db8aa629385ee09854eaf3348c86e8408385e35d440da76b9e1fc2068d2a1b73f7cff9b5604

C:\Users\Admin\AppData\Local\Temp\btc.exe

MD5 1a81bdde68862f89ddde3276abe33c94
SHA1 fc5148ad9b387e91febd695d92f4233c2e92f600
SHA256 0b4797e50e773329365b83eb84da804f4d75483e6faa25b2b0c97c6c21ff1715
SHA512 048f441091c06759c4e81b6a331ed2aa489f1630e84162d40d3b7dab549f5f100dea61d8e51a806033c8121c29258c262f9de66af90a6e80d3d90f0e329bbe7a

C:\ProgramData\btc\exit.exe

MD5 d76c6f53bcbbfb672a1f68a3017c1962
SHA1 976e087ca1a5d34cb326a96861df7ed79288b0d7
SHA256 258fe1b431cd23bfd509ca71ff47d2ad2ca4ef0bb0d82a22ce85d7ad987a9505
SHA512 e9f3e4ef8393c3b06330fe1a530ec5dc0bbb50f68e5c80ddd1a0a46a6383a52dbd2fad6ce286e68ea0cd0020f8bbb63d76ff23407877c6157e1c4b1067fe5cda

C:\ProgramData\btc\exit.exe

MD5 d76c6f53bcbbfb672a1f68a3017c1962
SHA1 976e087ca1a5d34cb326a96861df7ed79288b0d7
SHA256 258fe1b431cd23bfd509ca71ff47d2ad2ca4ef0bb0d82a22ce85d7ad987a9505
SHA512 e9f3e4ef8393c3b06330fe1a530ec5dc0bbb50f68e5c80ddd1a0a46a6383a52dbd2fad6ce286e68ea0cd0020f8bbb63d76ff23407877c6157e1c4b1067fe5cda

C:\ProgramData\btc\i.cmd

MD5 2769f4f3c0c132044c66e249f03c1828
SHA1 9085fa6517cd20e62bc525d756daf74f6cede8d6
SHA256 28771275ee7c58967e49acf1d939d7c9231ed952c1125109999e3cb9b3a6b8dd
SHA512 e9dd96e11c5a8e2ed59bf7c7ba320ed25ffdafbdc4f7d5a070467facf1328b9c0602639396a03358c4b35282a40934a96fb3b8d028dd05e12177505967751d2c