Trojan.Win32.SwrortProxy_e033bfd4d7

by malwarelabrobot on June 22nd, 2018 in Malware Descriptions.

Trojan.GenericKD.30977394 (BitDefender), Backdoor:Win32/Slingup.A (Microsoft), Trojan.GenericKD.30977394 (B) (Emsisoft), Artemis!E033BFD4D78E (McAfee), ML.Attribute.HighConfidence (Symantec), Backdoor.Win32.Slingup (Ikarus), Trojan.GenericKD.30977394 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R002C0DFG18 (TrendMicro), TrojanSwrortProxy.YR, WormAutoItGen.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Backdoor, Worm, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: e033bfd4d78e63d7e6b89907d84e221a
SHA1: 4280ccef4b1d3e85cfebd5ba46d555ad53521279
SHA256: 0e0801698b0879cb1a2065abf5ae245c4410b6f94d8e220322c130e35244f8f9
SSDeep: 393216:yOLeYYS9sruVE7mafiqm1RCfXZYA94won:DSS9sruVEhtCEKA
Size: 15714304 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: CHIP Digital GmbH
Created at: 2018-06-08 11:40:56
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

System.exe:3832
Vega.exe:2288
netsh.exe:3428
netsh.exe:3100
DrvInst.exe:3056
%original file name%.exe:2932
taskhostw.exe:3820
csrs.exe:1280
WScript.exe:3592
WScript.exe:1872
WScript.exe:3628
WScript.exe:3412
WScript.exe:804
rutserv.exe:3620
rutserv.exe:2788
rutserv.exe:4012
rundll32.exe:1856
powershell.exe:2232
powershell.exe:1872
RDPWInst.exe:3448
RDPWInst.exe:3652
1.exe:2132
Rar.exe:668
Cheat32.exe:3620
Cheat.exe:3200
Vegas.sfx.exe:2076
taskhosst.exe:1928
Logs.exe:2088
Vegas.exe:3712
rfusclient.exe:2252
MOS.exe:3004
M.exe:1592
winit.exe:2516
R8.exe:512
P.exe:1420
P.exe:1016
regedit.exe:2940
winlog.exe:776

The Trojan injects its code into the following process(es):

rutserv.exe:2864
rfusclient.exe:3624
rfusclient.exe:3704

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process System.exe:3832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\TaskList\folders.cfg (1 bytes)
C:\ProgramData\Microsoft\TaskList\whitelist.cfg (10 bytes)
C:\ProgramData\Microsoft\TaskList\System.exe (13022 bytes)

The Trojan deletes the following file(s):

C:\ProgramData\Microsoft\TaskList\__tmp_rar_sfx_access_check_12748308 (0 bytes)

The process Vega.exe:2288 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\Intel\Vegas.sfx.exe (3780 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut8F86.tmp (2513 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut8F86.tmp (0 bytes)

The process DrvInst.exe:3056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\inf\setupapi.dev.log (544 bytes)

The process %original file name%.exe:2932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut52FA.tmp (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut6304.tmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut5028.tmp (258 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\winhost.exe (1372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut6363.tmp (784 bytes)
C:\ProgramData\Microsoft\Intel\Cheat.exe (77670 bytes)
C:\ProgramData\Microsoft\temp\Clean.bat (196 bytes)
C:\ProgramData\System Idle.exe (1372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Bot.exe (1372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut6374.tmp (784 bytes)
C:\ProgramData\Iostream.exe (1372 bytes)
C:\ProgramData\Microsoft\Check\Check.txt (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut6411.tmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut5006.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut5038.tmp (196 bytes)
C:\ProgramData\Microsoft\Intel\winit.exe (30909 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut62E3.tmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut6373.tmp (784 bytes)
C:\ProgramData\Microsoft\temp\Temp.bat (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut520E.tmp (32962 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut5049.tmp (81019 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut6422.tmp (784 bytes)
C:\ProgramData\olly.exe (1372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Nvidiadriver.exe (1372 bytes)
C:\ProgramData\Microsoft\temp\H.bat (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut5017.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Helper.exe (1372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut52EA.tmp (1209 bytes)
C:\ProgramData\SystemIdle.exe (1372 bytes)
C:\ProgramData\Microsoft\temp\5.xml (980 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut62F3.tmp (784 bytes)
C:\ProgramData\Microsoft\Intel\Logs.exe (2734 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut52FA.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut62E3.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut6304.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut6363.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut5028.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut6374.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut5017.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut6373.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut520E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut52EA.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut5049.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut6411.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut6422.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut5006.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut5038.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut62F3.tmp (0 bytes)

The process taskhostw.exe:3820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut533C.tmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F348B123E6C117695082B456C0FB065D (2184 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabE977.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarE98A.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarFEFF.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 (1944 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (2052 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab39ED.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\Server[1].htm (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarE978.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabE989.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabFEFE.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Server[1].htm (185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar39FE.tmp (2712 bytes)
C:\ProgramData\WindowsTask\csrs.exe (1942 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A (893 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\Login[1].htm (185 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F348B123E6C117695082B456C0FB065D (527 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\Password[1].htm (185 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut532A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarFEFF.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarE98A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabFEFE.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut533C.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab39ED.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarE978.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabE989.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar39FE.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabE977.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut532B.tmp (0 bytes)

The process csrs.exe:1280 makes changes in the file system.
The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DFC040A8337721DCFF.TMP (0 bytes)

The process WScript.exe:1872 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\rdp\pause.bat (4 bytes)

The process WScript.exe:3628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\rdp\bat.bat (4 bytes)

The process WScript.exe:3412 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\Intel\OS.bat (4 bytes)

The process WScript.exe:804 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Windows\install.bat (4 bytes)

The process rutserv.exe:2864 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Windows\rfusclient.exe (49 bytes)

The process rundll32.exe:1856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NO7KRI17\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4UK8ANC9\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KJF49513\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\TKO9U9U0\desktop.ini (67 bytes)

The process powershell.exe:2232 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\GroupPolicy\gpt.ini (261 bytes)
C:\Windows\System32\GroupPolicy\Machine\Registry.pol (222288 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LWLU52G5WRQSTUU8KZ5B.temp (196 bytes)

The process powershell.exe:1872 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EHB702APDQOYLIKJAAIZ.temp (196 bytes)
C:\Windows\System32\GroupPolicy\gpt.ini (38 bytes)
C:\Windows\System32\GroupPolicy\Machine\Registry.pol (221044 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFc2b399.TMP (0 bytes)

The process RDPWInst.exe:3448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabFA1A.tmp (53 bytes)
%Program Files%\RDP Wrapper\rdpwrap.dll (77 bytes)
%Program Files%\RDP Wrapper\rdpwrap.ini (124 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB (1278 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarFA1B.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\rdpwrap[1].ini (54865 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabFA1A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarFA1B.tmp (0 bytes)

The process RDPWInst.exe:3652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\rdpwrap[1].ini (54865 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1368 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1D44.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1D43.tmp (53 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1D44.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\rdpwrap[1].ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1D43.tmp (0 bytes)

The process 1.exe:2132 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\rootsystem\passwords.txt (2 bytes)

The process Rar.exe:668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\rdp\bat.bat (1 bytes)
C:\rdp\install.vbs (80 bytes)
C:\rdp\RDPWInst.exe (21986 bytes)

The process Cheat32.exe:3620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut86BF.tmp (8001 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut872D.tmp (5065 bytes)
C:\ProgramData\RealtekHD\taskhostw.exe (11075 bytes)
C:\ProgramData\WindowsTask\MicrosoftHost.exe (9466 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut86BF.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut872D.tmp (0 bytes)

The process Cheat.exe:3200 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\Intel\MOS.exe (3301 bytes)
C:\ProgramData\Microsoft\Intel\P.exe (2913 bytes)
C:\ProgramData\Microsoft\Intel\svchost.exe (24525 bytes)
C:\ProgramData\Microsoft\Intel\taskhosst.exe (24537 bytes)
C:\ProgramData\Microsoft\Intel\Vega.exe (19021 bytes)
C:\ProgramData\Microsoft\Intel\R8.exe (4393 bytes)
C:\ProgramData\Microsoft\Intel\System.exe (3017 bytes)
C:\ProgramData\Microsoft\Intel\winlog.exe (3017 bytes)

The Trojan deletes the following file(s):

C:\ProgramData\Microsoft\Intel\__tmp_rar_sfx_access_check_12738105 (0 bytes)

The process Vegas.sfx.exe:2076 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\Intel\Vegas.exe (5367 bytes)

The Trojan deletes the following file(s):

C:\ProgramData\Microsoft\Intel\__tmp_rar_sfx_access_check_12752364 (0 bytes)

The process Logs.exe:2088 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\Intel\L.bat (599 bytes)

The Trojan deletes the following file(s):

C:\ProgramData\Microsoft\Intel\__tmp_rar_sfx_access_check_12735796 (0 bytes)

The process Vegas.exe:3712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\99E2.tmp\99E3.bat (246 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\99E2.tmp\99E3.bat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\99E2.tmp\99E3.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\99E4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\99E2.tmp (0 bytes)

The process MOS.exe:3004 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\M.exe (4763 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\R.vbs (127 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_12743456 (0 bytes)

The process M.exe:1592 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\Intel\Cheat64.exe (14733 bytes)
C:\ProgramData\Microsoft\Intel\OS.bat (237 bytes)
C:\ProgramData\Microsoft\Intel\Cheat32.exe (21891 bytes)

The Trojan deletes the following file(s):

C:\ProgramData\Microsoft\Intel\__tmp_rar_sfx_access_check_12744439 (0 bytes)

The process winit.exe:2516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Windows\rutserv.exe (4882 bytes)
C:\ProgramData\Windows\regedit.reg (14 bytes)
C:\ProgramData\Windows\vp8decoder.dll (158 bytes)
C:\ProgramData\Windows\rfusclient.exe (637 bytes)
C:\ProgramData\Windows\install.bat (354 bytes)
C:\ProgramData\Windows\vp8encoder.dll (703 bytes)
C:\ProgramData\Windows\install.vbs (140 bytes)

The Trojan deletes the following file(s):

C:\ProgramData\Windows\__tmp_rar_sfx_access_check_12736077 (0 bytes)

The process R8.exe:512 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\rdp\run.vbs (84 bytes)
C:\rdp\Rar.exe (3224 bytes)
C:\rdp\pause.bat (352 bytes)
C:\rdp\db.rar (406 bytes)

The Trojan deletes the following file(s):

C:\rdp\__tmp_rar_sfx_access_check_12746326 (0 bytes)

The process P.exe:1420 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\rootsystem\1.exe (4745 bytes)

The Trojan deletes the following file(s):

C:\ProgramData\Microsoft\rootsystem\__tmp_rar_sfx_access_check_12756997 (0 bytes)

The process P.exe:1016 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\rootsystem\P.exe (3306 bytes)
C:\ProgramData\Microsoft\rootsystem\P.vbs (390 bytes)

The Trojan deletes the following file(s):

C:\ProgramData\Microsoft\rootsystem\__tmp_rar_sfx_access_check_12754626 (0 bytes)

The process winlog.exe:776 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\Intel\winlogon.exe (71 bytes)

The Trojan deletes the following file(s):

C:\ProgramData\Microsoft\Intel\__tmp_rar_sfx_access_check_12753783 (0 bytes)

Registry activity

The process System.exe:3832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process netsh.exe:3428 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\66\52C64B7E]
"LanguageList" = "en-US, en"

The process netsh.exe:3100 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\66\52C64B7E\@%SystemRoot%\system32]
"eapqec.dll,-103" = "Microsoft Corporation"
"napipsec.dll,-1" = "IPsec Relying Party"
"napipsec.dll,-2" = "Provides IPsec based enforcement for Network Access Protection"
"napipsec.dll,-3" = "Microsoft Corporation"
"dhcpqec.dll,-101" = "Provides DHCP based enforcement for NAP"
"dhcpqec.dll,-100" = "DHCP Quarantine Enforcement Client"
"dhcpqec.dll,-103" = "1.0"
"dhcpqec.dll,-102" = "Microsoft Corporation"
"eapqec.dll,-101" = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."
"eapqec.dll,-102" = "1.0"
"tsgqec.dll,-100" = "RD Gateway Quarantine Enforcement Client"
"eapqec.dll,-100" = "EAP Quarantine Enforcement Client"
"tsgqec.dll,-102" = "1.0"
"tsgqec.dll,-103" = "Microsoft Corporation"
"napipsec.dll,-4" = "1.0"
"tsgqec.dll,-101" = "Provides RD Gateway enforcement for NAP"

[HKCU\Software\Classes\Local Settings\MuiCache\66\52C64B7E]
"LanguageList" = "en-US, en"

The process DrvInst.exe:3056 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\CriticalDeviceDatabase\UMB#umbus]
"Service" = "umbus"

[HKLM\System\CurrentControlSet\Enum\UMB\UMB\1&841921d&0&TSBUS\Device Parameters]
"InterfaceGUIDs" = "{65A9A6CF-64CD-480b-843E-32C86E1BA19F}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemPath%\system32\DRIVERS]
"umbus.sys" = "1"

[HKLM\System\CurrentControlSet\Control\CriticalDeviceDatabase\UMB#umbus]
"ClassGUID" = "{4d36e97d-e325-11ce-bfc1-08002be10318}"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13]
"Blob" = "0F 00 00 00 01 00 00 00 14 00 00 00 5B CA A1 C2"

[HKLM\System\CurrentControlSet\Control\CriticalDeviceDatabase\UMB#umbus]
"DeviceCharacteristics" = "256"

[HKLM\System\CurrentControlSet\Enum\UMB\UMB\1&841921d&0&TSBUS\Device Parameters]
"RootBus" = "0"

[HKLM\System\CurrentControlSet\Control\CriticalDeviceDatabase\UMB#umbus]
"Security" = "01 00 04 90 00 00 00 00 00 00 00 00 00 00 00 00"

[HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\66\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"Extended Base" = "14 00 00 00 01 00 00 00 02 00 00 00 04 00 00 00"

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Control\CriticalDeviceDatabase\UMB#umbus]
"Exclusive"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"DAC9024F54D8F6DF94935FB1732638CA6AD77C13"

[HKLM\System\CurrentControlSet\Control\CriticalDeviceDatabase\UMB#umbus]
"UpperFilters"
"DeviceType"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PnPSysprep\ServiceStartTypeBackup]
"umbus"

[HKLM\System\CurrentControlSet\Control\CriticalDeviceDatabase\UMB#umbus]
"LowerFilters"

The process %original file name%.exe:2932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1" = "eav_trial_rus.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"John" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"ConsentPromptBehaviorAdmin" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"4" = "essf_trial_rus.exe"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting]
"DisableEnhancedNotifications" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ImmersiveShell]
"UseActionCenterExperience" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration]
"Notification_Suppress" = "1"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\C:]
"ProgramData" = "System"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"3" = "eis_trial_rus.exe"
"2" = "avast_free_antivirus_setup_online.exe"
"5" = "hitmanpro_x64.exe"

[HKCU\Software\Microsoft\Windows\Windows Error Reporting]
"Disable" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"7" = "ESETOnlineScanner_RUS.exe"
"6" = "ESETOnlineScanner_UKR.exe"
"9" = "360TS_Setup_Mini.exe"
"8" = "HitmanPro.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"EnableBalloonTips" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"11" = "Cube.exe"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"LocalSettingOverrideSpynetRepting" = "0"
"SumbitSamplesConsent" = "2"
"DisableBlockAltFirstSeen" = "1"

[HKLM\SOFTWARE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications]
"ToastEnabled" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions]
"Exclusions_Paths" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"10" = "Cezurity_Scanner_Pro_Free.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process taskhostw.exe:3820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\taskhostw_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\taskhostw_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\taskhostw_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 41 03 52 DC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\taskhostw_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\taskhostw_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\taskhostw_RASAPI32]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\taskhostw_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\taskhostw_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\taskhostw_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\taskhostw_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\taskhostw_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Classes\Local Settings\MuiCache\66\52C64B7E]
"LanguageList" = "en-US, en"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Realtek HD Audio" = "C:\ProgramData\RealtekHD\taskhostw.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"DAC9024F54D8F6DF94935FB1732638CA6AD77C13"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process WScript.exe:3592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process WScript.exe:1872 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process WScript.exe:3628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process WScript.exe:3412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process WScript.exe:804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process rutserv.exe:2864 makes changes in the system registry.
rutserv.exe and rfusclient.exe are the server and client components of Remote Manipulator System (RMS, sold today as Remote Utilities), a legitimate remote-administration tool; the key below is its server configuration, and "FUSClientPath" places the client under C:\ProgramData\Windows\, an unusual location for an administrator-installed copy. "Options" and "InternetId" are binary values of which the report shows only the first 16 bytes as hex: they decode to the start of a Delphi "TPF0" form stream and to the start of an XML document ("<?xml version="1"). The rest of the configuration is not in the report, so the connection settings the tool was given cannot be read from it.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters]
"Options" = "54 50 46 30 11 54 52 4F 4D 53 65 72 76 65 72 4F"
"InternetId" = "3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31"
"FUSClientPath" = "C:\ProgramData\Windows\rfusclient.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters]
"notification"

The process powershell.exe:2232 makes changes in the system registry.
SrpV2 is the registry store for AppLocker rules: one subkey per rule collection (Exe, Dll, Msi, Script, Appx) and one GUID-named subkey per rule. The keys below are not the enforced policy, which lives under HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2, but a temporary copy under HKCU\...\Group Policy Objects\{GUID}Machine that the Group Policy editing interface (IGroupPolicyObject) creates while a local GPO is open and removes when it is released; the "deletes the following registry key(s)" list at the end of this block is that clean-up, down to the {GUID}User key and the Group Policy Objects key itself. This is consistent with the script using the AppLocker cmdlets (Get-AppLockerPolicy, Set-AppLockerPolicy), but the report does not show the PowerShell command line, so whether the policy was only read or was rewritten cannot be determined from this section. On an affected host, compare the rules under HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 with the expected policy and review the Microsoft-Windows-AppLocker event logs.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\86ce8d18-fbbb-4e6e-9025-28d7213f09f8]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\27ec7e0b-277c-413c-9437-26fbc3f1bf2b]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\2f734359-e07a-492c-b8b4-b63d20faa8df]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\5b9529d8-d973-4dc7-b07c-84dc338d02f7]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\1d644909-5cc5-4bb8-a1ac-628521a5fe04]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\f46a6dc4-2939-4bab-a28c-5ccba9145ecf]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\d8665aac-6383-4302-9df3-6acec6b06508]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\31d2b427-b101-4874-85be-3990e16defab]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\6be7b533-8c93-46f2-94d0-94cd41eca80e]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\26e0acc9-088a-4218-bec9-cf33216c1aec]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\c82cebe5-e9da-4974-a0af-d8f3aa486d62]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\4adf32e3-0c3b-4ef6-88bf-e643bd967824]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\9afd50a0-1995-49bd-b3d1-6fec46c5c4d1]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\8ec7d997-8b29-4c96-ba88-f97fe8aa731c]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\e3554c74-051d-4a05-96e4-a65cb18e4c68]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\34b55a1a-39b0-490f-b4cc-b4fdf826589d]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\0277a470-3bc7-4710-9968-77e68a0a736d]
"Value" = ""

[HKCU\Software\Classes\Local Settings\MuiCache\66\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\caa0d730-c1e0-44b0-8acd-718fc95731c3]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Appx\a9e18c21-ff8f-43cf-b9fc-db40eed693ba]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\294d4334-b7eb-401e-a1fa-14525f4529f5]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\e76935c5-aa82-4c03-aaa2-b7a01477209a]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\4209263e-74b7-425b-aced-4ce9ab9f7dd2]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Msi\b7af7102-efde-4369-8a89-7a6a392d1473]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Script\9428c672-5fc3-47f4-808a-a0011f36dd2c]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Msi\64ad46ff-0d71-4fa0-a30b-3f3d30c5433d]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\234a647f-9798-4be3-bbf5-5ca68eb23bf9]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\82234521-8748-4155-b3b4-86256fbff02a]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\9a0e9268-6fce-4c15-89b0-2cecbeebc4c6]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\b7913165-dc35-407b-8fed-64f43e7c542f]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\f8f322cf-f95e-4b38-a7d5-72850384e84b]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\6f0fbd63-f06d-459f-bc43-184b9667067e]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Script\ed97d0cb-15ff-430f-b82c-8d7832957725]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Script\06dce67b-934c-454f-a263-2515c8796a5d]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\d159291a-0467-4268-9c99-ee371b2d86ab]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\551526cd-d040-4420-959d-5da242e1bd8f]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\16c05fbf-bd55-47ff-b0c2-f0f247dd90f8]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\e18bcf01-c7fa-41dc-bbc3-bf18f4556735]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Msi\5b290184-345a-4453-b184-45305f6d9a54]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\5b3ae412-6b4d-4dff-a918-b57462e465ba]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\8a1b6c15-aa72-4f6b-bea1-dc95d9ab96f5]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\7e525155-ca22-407f-a462-abe3e1b628d1]
"Value" = ""

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\5b9529d8-d973-4dc7-b07c-84dc338d02f7]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\8a1b6c15-aa72-4f6b-bea1-dc95d9ab96f5]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\e18bcf01-c7fa-41dc-bbc3-bf18f4556735]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\86ce8d18-fbbb-4e6e-9025-28d7213f09f8]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\1d644909-5cc5-4bb8-a1ac-628521a5fe04]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\27ec7e0b-277c-413c-9437-26fbc3f1bf2b]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Script\9428c672-5fc3-47f4-808a-a0011f36dd2c]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\8ec7d997-8b29-4c96-ba88-f97fe8aa731c]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\31d2b427-b101-4874-85be-3990e16defab]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\551526cd-d040-4420-959d-5da242e1bd8f]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Dll]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\2f734359-e07a-492c-b8b4-b63d20faa8df]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Script]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\6be7b533-8c93-46f2-94d0-94cd41eca80e]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\4adf32e3-0c3b-4ef6-88bf-e643bd967824]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\f8f322cf-f95e-4b38-a7d5-72850384e84b]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Msi]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\16c05fbf-bd55-47ff-b0c2-f0f247dd90f8]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\b7913165-dc35-407b-8fed-64f43e7c542f]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\f46a6dc4-2939-4bab-a28c-5ccba9145ecf]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\d159291a-0467-4268-9c99-ee371b2d86ab]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Msi\b7af7102-efde-4369-8a89-7a6a392d1473]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Appx\a9e18c21-ff8f-43cf-b9fc-db40eed693ba]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\caa0d730-c1e0-44b0-8acd-718fc95731c3]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Script\ed97d0cb-15ff-430f-b82c-8d7832957725]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Msi\5b290184-345a-4453-b184-45305f6d9a54]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\e3554c74-051d-4a05-96e4-a65cb18e4c68]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\34b55a1a-39b0-490f-b4cc-b4fdf826589d]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\0277a470-3bc7-4710-9968-77e68a0a736d]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\4209263e-74b7-425b-aced-4ce9ab9f7dd2]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\9a0e9268-6fce-4c15-89b0-2cecbeebc4c6]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\e76935c5-aa82-4c03-aaa2-b7a01477209a]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\9afd50a0-1995-49bd-b3d1-6fec46c5c4d1]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Msi\64ad46ff-0d71-4fa0-a30b-3f3d30c5433d]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\234a647f-9798-4be3-bbf5-5ca68eb23bf9]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\6f0fbd63-f06d-459f-bc43-184b9667067e]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Script\06dce67b-934c-454f-a263-2515c8796a5d]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\c82cebe5-e9da-4974-a0af-d8f3aa486d62]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\294d4334-b7eb-401e-a1fa-14525f4529f5]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\82234521-8748-4155-b3b4-86256fbff02a]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Appx]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\26e0acc9-088a-4218-bec9-cf33216c1aec]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\5b3ae412-6b4d-4dff-a918-b57462e465ba]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}User]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\d8665aac-6383-4302-9df3-6acec6b06508]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\7e525155-ca22-407f-a462-abe3e1b628d1]
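
The following Python script is an added example, not part of the Lavasoft report or of Lavasoft's tooling. It parses the registry blocks of a report in this format, tags each key with the class a responder cares about (AppLocker SrpV2 rules, the RMS server configuration, the WinINet ZoneMap defaults), decodes the truncated hex values the report prints for binary data, and checks whether any SrpV2 write landed outside the Group Policy staging key, which is where a change to the enforced policy would show up. SAMPLE_REPORT is a constructed excerpt of the lines above with blank lines dropped; CONSTRUCTED_EFFECTIVE_WRITE is an invented block that is not in the report and exists only to show the check firing. The category names, regular expressions and function names are the example's own.

```python
"""Parse and triage the registry section of a Lavasoft MAS style report (added example, not code
from the report or from Lavasoft; the category names and regexes are the example's own)."""
import re
from collections import namedtuple

Event = namedtuple("Event", "process pid action key name data category")
PROC_RE = re.compile(r"^The process (\S+?):(\d+) makes changes in the system registry\.$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"(?:\s*=\s*"(.*)")?$')
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2} )+[0-9A-Fa-f]{2}$")
# Temporary {GUID}Machine / {GUID}User copy of a GPO's registry policy, created while the GPO is open.
STAGING_RE = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy Objects\\"
                        r"\{[0-9A-Fa-f-]{36}\}(Machine|User)(\\|$)", re.IGNORECASE)
SECTIONS = {
    "The Trojan creates and/or sets the following values in system registry:": "set",
    "The Trojan deletes the following value(s) in system registry:": "delete_value",
    "The Trojan deletes the following registry key(s):": "delete_key",
}
# Key classes a responder should look at first, matched against the full key path.
CLASSES = [
    (r"\\Policies\\Microsoft\\Windows\\SrpV2(\\|$)", "applocker-policy"),
    (r"\\SYSTEM\\Remote Manipulator System\\", "rms-remote-admin"),
    (r"\\Internet Settings\\ZoneMap$", "wininet-zonemap"),
]

def classify(key):
    for pattern, label in CLASSES:
        if re.search(pattern, key, re.IGNORECASE):
            return label
    return "other"

def parse_report(text):
    """One Event per value set or deleted and per key deleted, tagged with the acting process."""
    events, process, pid, action, key = [], None, None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := PROC_RE.match(line):
            process, pid, action, key = m.group(1), int(m.group(2)), None, None
        elif line in SECTIONS:
            action, key = SECTIONS[line], None
        elif m := KEY_RE.match(line):
            key = m.group(1)
            if action == "delete_key":
                events.append(Event(process, pid, action, key, None, None, classify(key)))
        elif (m := VALUE_RE.match(line)) and key and action in ("set", "delete_value"):
            events.append(Event(process, pid, action, key, m.group(1), m.group(2), classify(key)))
    return events

def hex_preview(data):
    """Printable view of a hex-dumped value; the report keeps only the first 16 bytes, so it is a prefix."""
    if data is None or not HEX_RE.match(data):
        return None
    return "".join(chr(b) if 32 <= b < 127 else "." for b in bytes.fromhex(data.replace(" ", "")))

def summarize(events):
    """Count (category, action) pairs per process: the first triage view of a long dump."""
    summary = {}
    for e in events:
        counts = summary.setdefault((e.process, e.pid), {})
        counts[(e.category, e.action)] = counts.get((e.category, e.action), 0) + 1
    return summary

def applocker_effective_writes(events):
    """SrpV2 writes outside the staging key change the enforced AppLocker policy under
    HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\SrpV2; writes inside it are transient."""
    return [e for e in events if e.category == "applocker-policy" and e.action == "set"
            and not STAGING_RE.match(e.key)]

# Constructed excerpt of the report's own lines (one shortened block per process, blank lines dropped).
SAMPLE_REPORT = r"""
The process WScript.exe:1872 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
The process rutserv.exe:2864 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters]
"Options" = "54 50 46 30 11 54 52 4F 4D 53 65 72 76 65 72 4F"
"FUSClientPath" = "C:\ProgramData\Windows\rfusclient.exe"
The process powershell.exe:2232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\86ce8d18-fbbb-4e6e-9025-28d7213f09f8]
"Value" = ""
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6CC93AB5-879D-4A92-9D05-828F3AD99877}Machine\Software\Policies\Microsoft\Windows\SrpV2]
"""
# Invented block, NOT in the report: what a write to the enforced policy would look like.
CONSTRUCTED_EFFECTIVE_WRITE = r"""
The process powershell.exe:9999 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe\00000000-0000-0000-0000-000000000000]
"Value" = ""
"""
```

Feed the full report text to parse_report and print summarize() for the per-process tally; hex_preview() on the rutserv.exe values gives "TPF0.TROMServerO" and '<?xml version="1', and applocker_effective_writes() is empty for the report's own lines because every SrpV2 key sits under the temporary Group Policy Objects\{GUID}Machine path.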

The process powershell.exe:1872 makes changes in the system registry.
Same pattern as the previous powershell.exe instance: a temporary copy of the AppLocker (SrpV2) rule set is created under a fresh Group Policy Objects GUID and then deleted. PID 1872 is also listed for a WScript.exe instance above; Windows reuses process IDs once a process has exited, so the two entries need not be related.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\f46a6dc4-2939-4bab-a28c-5ccba9145ecf]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\82234521-8748-4155-b3b4-86256fbff02a]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\2f734359-e07a-492c-b8b4-b63d20faa8df]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\16c05fbf-bd55-47ff-b0c2-f0f247dd90f8]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Appx\a9e18c21-ff8f-43cf-b9fc-db40eed693ba]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\caa0d730-c1e0-44b0-8acd-718fc95731c3]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\31d2b427-b101-4874-85be-3990e16defab]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\8a1b6c15-aa72-4f6b-bea1-dc95d9ab96f5]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\294d4334-b7eb-401e-a1fa-14525f4529f5]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\d159291a-0467-4268-9c99-ee371b2d86ab]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\5b9529d8-d973-4dc7-b07c-84dc338d02f7]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\4adf32e3-0c3b-4ef6-88bf-e643bd967824]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\6f0fbd63-f06d-459f-bc43-184b9667067e]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\7e525155-ca22-407f-a462-abe3e1b628d1]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\8ec7d997-8b29-4c96-ba88-f97fe8aa731c]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\d8665aac-6383-4302-9df3-6acec6b06508]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\4209263e-74b7-425b-aced-4ce9ab9f7dd2]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Script\9428c672-5fc3-47f4-808a-a0011f36dd2c]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Msi\64ad46ff-0d71-4fa0-a30b-3f3d30c5433d]
"Value" = ""

[HKCU\Software\Classes\Local Settings\MuiCache\66\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\f8f322cf-f95e-4b38-a7d5-72850384e84b]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\1d644909-5cc5-4bb8-a1ac-628521a5fe04]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\86ce8d18-fbbb-4e6e-9025-28d7213f09f8]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\b7913165-dc35-407b-8fed-64f43e7c542f]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\e3554c74-051d-4a05-96e4-a65cb18e4c68]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Script\ed97d0cb-15ff-430f-b82c-8d7832957725]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\27ec7e0b-277c-413c-9437-26fbc3f1bf2b]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\c82cebe5-e9da-4974-a0af-d8f3aa486d62]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Msi\b7af7102-efde-4369-8a89-7a6a392d1473]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\26e0acc9-088a-4218-bec9-cf33216c1aec]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\551526cd-d040-4420-959d-5da242e1bd8f]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\e18bcf01-c7fa-41dc-bbc3-bf18f4556735]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\5b3ae412-6b4d-4dff-a918-b57462e465ba]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\e76935c5-aa82-4c03-aaa2-b7a01477209a]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\34b55a1a-39b0-490f-b4cc-b4fdf826589d]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Msi\5b290184-345a-4453-b184-45305f6d9a54]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\9afd50a0-1995-49bd-b3d1-6fec46c5c4d1]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\6be7b533-8c93-46f2-94d0-94cd41eca80e]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\234a647f-9798-4be3-bbf5-5ca68eb23bf9]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\9a0e9268-6fce-4c15-89b0-2cecbeebc4c6]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Script\06dce67b-934c-454f-a263-2515c8796a5d]
"Value" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\0277a470-3bc7-4710-9968-77e68a0a736d]
"Value" = ""

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\82234521-8748-4155-b3b4-86256fbff02a]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Msi\b7af7102-efde-4369-8a89-7a6a392d1473]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\f8f322cf-f95e-4b38-a7d5-72850384e84b]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\34b55a1a-39b0-490f-b4cc-b4fdf826589d]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\9afd50a0-1995-49bd-b3d1-6fec46c5c4d1]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\caa0d730-c1e0-44b0-8acd-718fc95731c3]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\5b3ae412-6b4d-4dff-a918-b57462e465ba]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Script\ed97d0cb-15ff-430f-b82c-8d7832957725]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\234a647f-9798-4be3-bbf5-5ca68eb23bf9]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\d159291a-0467-4268-9c99-ee371b2d86ab]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Dll]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Msi\5b290184-345a-4453-b184-45305f6d9a54]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\5b9529d8-d973-4dc7-b07c-84dc338d02f7]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\2f734359-e07a-492c-b8b4-b63d20faa8df]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\7e525155-ca22-407f-a462-abe3e1b628d1]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Script\06dce67b-934c-454f-a263-2515c8796a5d]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\e18bcf01-c7fa-41dc-bbc3-bf18f4556735]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\16c05fbf-bd55-47ff-b0c2-f0f247dd90f8]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\8ec7d997-8b29-4c96-ba88-f97fe8aa731c]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\e76935c5-aa82-4c03-aaa2-b7a01477209a]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\294d4334-b7eb-401e-a1fa-14525f4529f5]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\4209263e-74b7-425b-aced-4ce9ab9f7dd2]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Script]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\f46a6dc4-2939-4bab-a28c-5ccba9145ecf]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\9a0e9268-6fce-4c15-89b0-2cecbeebc4c6]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Appx\a9e18c21-ff8f-43cf-b9fc-db40eed693ba]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}User]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Msi]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\551526cd-d040-4420-959d-5da242e1bd8f]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\8a1b6c15-aa72-4f6b-bea1-dc95d9ab96f5]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\6f0fbd63-f06d-459f-bc43-184b9667067e]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Msi\64ad46ff-0d71-4fa0-a30b-3f3d30c5433d]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\e3554c74-051d-4a05-96e4-a65cb18e4c68]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\6be7b533-8c93-46f2-94d0-94cd41eca80e]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\26e0acc9-088a-4218-bec9-cf33216c1aec]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Script\9428c672-5fc3-47f4-808a-a0011f36dd2c]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\0277a470-3bc7-4710-9968-77e68a0a736d]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\86ce8d18-fbbb-4e6e-9025-28d7213f09f8]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\4adf32e3-0c3b-4ef6-88bf-e643bd967824]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\d8665aac-6383-4302-9df3-6acec6b06508]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Appx]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\c82cebe5-e9da-4974-a0af-d8f3aa486d62]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\b7913165-dc35-407b-8fed-64f43e7c542f]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\31d2b427-b101-4874-85be-3990e16defab]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\27ec7e0b-277c-413c-9437-26fbc3f1bf2b]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{883C5B3A-1EE6-4929-A410-265FE77CCF91}Machine\Software\Policies\Microsoft\Windows\SrpV2\Exe\1d644909-5cc5-4bb8-a1ac-628521a5fe04]

The process RDPWInst.exe:3448 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\RDPWInst_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\System\CurrentControlSet\Control\Terminal Server\Licensing Core]
"EnableConcurrentSessions" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\RDPWInst_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\RDPWInst_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\RDPWInst_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AllowMultipleTSSessions" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\RDPWInst_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Local Settings\MuiCache\66\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\RDPWInst_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\System\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\RDPWInst_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\System\CurrentControlSet\Services\TermService\Parameters]
"ServiceDll" = "%ProgramFiles%\RDP Wrapper\rdpwrap.dll"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process RDPWInst.exe:3652 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 44 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Local Settings\MuiCache\66\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

"UNCAsIntranet" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process Cheat.exe:3200 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process Vegas.sfx.exe:2076 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process taskhosst.exe:1928 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\taskhosst_RASMANCS]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\taskhosst_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\taskhosst_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\taskhosst_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\taskhosst_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\taskhosst_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\taskhosst_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\taskhosst_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\taskhosst_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\taskhosst_RASMANCS]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process Logs.exe:2088 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process Vegas.exe:3712 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process MOS.exe:3004 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process winit.exe:2516 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process R8.exe:512 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process P.exe:1016 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process regedit.exe:2940 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters]
"Password" = "44 00 43 00 31 00 39 00 39 00 43 00 32 00 30 00"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"John" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"ServiceKeepAlive" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"AllowFastServiceStartup" = "0"

[HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters]
"CalendarRecordSettings" = "FF FE 3C 00 3F 00 78 00 6D 00 6C 00 20 00 76 00"

[HKCU\Software\Policies\Microsoft\Windows\Explorer]
"DisableNotificationCenter" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"ConsentPromptBehaviorAdmin" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring" = "1"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting]
"DisableEnhancedNotifications" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ImmersiveShell]
"UseActionCenterExperience" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration]
"Notification_Suppress" = "1"

[HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters]
"FUSClientPath" = "%Program Files%\Remote Manipulator System - Host\rfusclient.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"PromptOnSecureDesktop" = "0"

[HKCU\Software\Microsoft\Windows\Windows Error Reporting]
"Disable" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"EnableBalloonTips" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"LocalSettingOverrideSpynetRepting" = "0"

[HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters]
"Notification" = "3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\C:]
"ProgramData" = "System"

[HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters]
"InternetId" = "3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"SumbitSamplesConsent" = "2"

[HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters]
"UserAccess" = "Type: REG_BINARY, Length: 0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"DisableBlockAltFirstSeen" = "1"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableOAProtection" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications]
"ToastEnabled" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions]
"Exclusions_Paths" = "1"

[HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters]
"Options" = "54 50 46 30 11 54 52 4F 4D 53 65 72 76 65 72 4F"

The process winlog.exe:776 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
9c6a68742ea7abf802940e7f1502e20f c:\Program Files\RDP Wrapper\rdpwrap.dll
8a3a1be0dab9362e09661c1765b012dc c:\ProgramData\Microsoft\Intel\taskhosst.exe
e0c82a869a5c7dfc0f01b32a3f7238f0 c:\ProgramData\Microsoft\TaskList\System.exe
25702f078bc17b50ea260291c2201ac7 c:\ProgramData\RealtekHD\taskhostw.exe
0bd6e68f3ea0dd62cd86283d86895381 c:\ProgramData\System Idle.exe
3b165ad5503faed84b469d48e0dc0dba c:\ProgramData\WindowsTask\MicrosoftHost.exe
b8667a1e84567fcf7821bcefb6a444af c:\ProgramData\Windows\rfusclient.exe
37a8802017a212bb7f5255abc7857969 c:\ProgramData\Windows\rutserv.exe
88318158527985702f61d169434a4940 c:\ProgramData\Windows\vp8decoder.dll
6298c0af3d1d563834a218a9cc9f54bd c:\ProgramData\Windows\vp8encoder.dll
8a3a1be0dab9362e09661c1765b012dc c:\Users\All Users\Microsoft\Intel\taskhosst.exe
e0c82a869a5c7dfc0f01b32a3f7238f0 c:\Users\All Users\Microsoft\TaskList\System.exe
25702f078bc17b50ea260291c2201ac7 c:\Users\All Users\RealtekHD\taskhostw.exe
0bd6e68f3ea0dd62cd86283d86895381 c:\Users\All Users\System Idle.exe
3b165ad5503faed84b469d48e0dc0dba c:\Users\All Users\WindowsTask\MicrosoftHost.exe
b8667a1e84567fcf7821bcefb6a444af c:\Users\All Users\Windows\rfusclient.exe
37a8802017a212bb7f5255abc7857969 c:\Users\All Users\Windows\rutserv.exe
88318158527985702f61d169434a4940 c:\Users\All Users\Windows\vp8decoder.dll
6298c0af3d1d563834a218a9cc9f54bd c:\Users\All Users\Windows\vp8encoder.dll
3288c284561055044c489567fd630ac2 c:\rdp\RDPWInst.exe

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses and is consulted before DNS.
The modified file is 4884 bytes in size. The following entries are added to the hosts file:



Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Chinese (Simplified, PRC)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 581597 581632 4.62693 310e36668512d53489c005622bb1b4a9
.rdata 585728 195982 196096 3.99478 748cf1ab2605ce1fd72d53d912abb68f
.data 782336 36724 20992 0.829269 aae9601d920f07080bdfadf43dfeff12
.rsrc 819200 14888960 14885376 5.54453 d5cf16a91c83a5c88abbffd4bc567a3d
.reloc 15708160 28980 29184 4.70228 f04128ad0f87f42830e4a6cdbc38c719

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    System.exe:3832
    Vega.exe:2288
    netsh.exe:3428
    netsh.exe:3100
    DrvInst.exe:3056
    %original file name%.exe:2932
    taskhostw.exe:3820
    csrs.exe:1280
    WScript.exe:3592
    WScript.exe:1872
    WScript.exe:3628
    WScript.exe:3412
    WScript.exe:804
    rutserv.exe:3620
    rutserv.exe:2788
    rutserv.exe:4012
    rundll32.exe:1856
    powershell.exe:2232
    powershell.exe:1872
    RDPWInst.exe:3448
    RDPWInst.exe:3652
    1.exe:2132
    Rar.exe:668
    Cheat32.exe:3620
    Cheat.exe:3200
    Vegas.sfx.exe:2076
    taskhosst.exe:1928
    Logs.exe:2088
    Vegas.exe:3712
    rfusclient.exe:2252
    MOS.exe:3004
    M.exe:1592
    winit.exe:2516
    R8.exe:512
    P.exe:1420
    P.exe:1016
    regedit.exe:2940
    winlog.exe:776

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\ProgramData\Microsoft\TaskList\folders.cfg (1 bytes)
    C:\ProgramData\Microsoft\TaskList\whitelist.cfg (10 bytes)
    C:\ProgramData\Microsoft\TaskList\System.exe (13022 bytes)
    C:\ProgramData\Microsoft\Intel\Vegas.sfx.exe (3780 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut8F86.tmp (2513 bytes)
    C:\Windows\inf\setupapi.dev.log (544 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut52FA.tmp (37 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut6304.tmp (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut5028.tmp (258 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\winhost.exe (1372 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut6363.tmp (784 bytes)
    C:\ProgramData\Microsoft\Intel\Cheat.exe (77670 bytes)
    C:\ProgramData\Microsoft\temp\Clean.bat (196 bytes)
    C:\ProgramData\System Idle.exe (1372 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Bot.exe (1372 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut6374.tmp (784 bytes)
    C:\ProgramData\Iostream.exe (1372 bytes)
    C:\ProgramData\Microsoft\Check\Check.txt (37 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut6411.tmp (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut5006.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut5038.tmp (196 bytes)
    C:\ProgramData\Microsoft\Intel\winit.exe (30909 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut62E3.tmp (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut6373.tmp (784 bytes)
    C:\ProgramData\Microsoft\temp\Temp.bat (463 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut520E.tmp (32962 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut5049.tmp (81019 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut6422.tmp (784 bytes)
    C:\ProgramData\olly.exe (1372 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Nvidiadriver.exe (1372 bytes)
    C:\ProgramData\Microsoft\temp\H.bat (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut5017.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Helper.exe (1372 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut52EA.tmp (1209 bytes)
    C:\ProgramData\SystemIdle.exe (1372 bytes)
    C:\ProgramData\Microsoft\temp\5.xml (980 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut62F3.tmp (784 bytes)
    C:\ProgramData\Microsoft\Intel\Logs.exe (2734 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut533C.tmp (1568 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A (312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F348B123E6C117695082B456C0FB065D (2184 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabE977.tmp (53 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarE98A.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarFEFF.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 (1944 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (2052 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab39ED.tmp (53 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\Server[1].htm (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarE978.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabE989.tmp (53 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabFEFE.tmp (53 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Server[1].htm (185 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar39FE.tmp (2712 bytes)
    C:\ProgramData\WindowsTask\csrs.exe (1942 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A (893 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\Login[1].htm (185 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F348B123E6C117695082B456C0FB065D (527 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\Password[1].htm (185 bytes)
    C:\rdp\pause.bat (4 bytes)
    C:\rdp\bat.bat (4 bytes)
    C:\ProgramData\Microsoft\Intel\OS.bat (4 bytes)
    C:\ProgramData\Windows\install.bat (4 bytes)
    C:\ProgramData\Windows\rfusclient.exe (49 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NO7KRI17\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4UK8ANC9\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KJF49513\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\TKO9U9U0\desktop.ini (67 bytes)
    C:\Windows\System32\GroupPolicy\gpt.ini (261 bytes)
    C:\Windows\System32\GroupPolicy\Machine\Registry.pol (222288 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LWLU52G5WRQSTUU8KZ5B.temp (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EHB702APDQOYLIKJAAIZ.temp (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabFA1A.tmp (53 bytes)
    %Program Files%\RDP Wrapper\rdpwrap.dll (77 bytes)
    %Program Files%\RDP Wrapper\rdpwrap.ini (124 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB (1278 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB (471 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarFA1B.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\rdpwrap[1].ini (54865 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\rdpwrap[1].ini (54865 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1D44.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1D43.tmp (53 bytes)
    C:\ProgramData\Microsoft\rootsystem\passwords.txt (2 bytes)
    C:\rdp\install.vbs (80 bytes)
    C:\rdp\RDPWInst.exe (21986 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut86BF.tmp (8001 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut872D.tmp (5065 bytes)
    C:\ProgramData\RealtekHD\taskhostw.exe (11075 bytes)
    C:\ProgramData\WindowsTask\MicrosoftHost.exe (9466 bytes)
    C:\ProgramData\Microsoft\Intel\MOS.exe (3301 bytes)
    C:\ProgramData\Microsoft\Intel\P.exe (2913 bytes)
    C:\ProgramData\Microsoft\Intel\svchost.exe (24525 bytes)
    C:\ProgramData\Microsoft\Intel\taskhosst.exe (24537 bytes)
    C:\ProgramData\Microsoft\Intel\Vega.exe (19021 bytes)
    C:\ProgramData\Microsoft\Intel\R8.exe (4393 bytes)
    C:\ProgramData\Microsoft\Intel\System.exe (3017 bytes)
    C:\ProgramData\Microsoft\Intel\winlog.exe (3017 bytes)
    C:\ProgramData\Microsoft\Intel\Vegas.exe (5367 bytes)
    C:\ProgramData\Microsoft\Intel\L.bat (599 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\99E2.tmp\99E3.bat (246 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\M.exe (4763 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\R.vbs (127 bytes)
    C:\ProgramData\Microsoft\Intel\Cheat64.exe (14733 bytes)
    C:\ProgramData\Microsoft\Intel\Cheat32.exe (21891 bytes)
    C:\ProgramData\Windows\rutserv.exe (4882 bytes)
    C:\ProgramData\Windows\regedit.reg (14 bytes)
    C:\ProgramData\Windows\vp8decoder.dll (158 bytes)
    C:\ProgramData\Windows\vp8encoder.dll (703 bytes)
    C:\ProgramData\Windows\install.vbs (140 bytes)
    C:\rdp\run.vbs (84 bytes)
    C:\rdp\Rar.exe (3224 bytes)
    C:\rdp\db.rar (406 bytes)
    C:\ProgramData\Microsoft\rootsystem\1.exe (4745 bytes)
    C:\ProgramData\Microsoft\rootsystem\P.exe (3306 bytes)
    C:\ProgramData\Microsoft\rootsystem\P.vbs (390 bytes)
    C:\ProgramData\Microsoft\Intel\winlogon.exe (71 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Realtek HD Audio" = "C:\ProgramData\RealtekHD\taskhostw.exe"

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
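The steps above are written for a hand-held clean-up. The following PowerShell script is an added example, not part of the Lavasoft report, that turns the same indicators into a repeatable sweep: it lists the running processes, services, files, Run value and HOSTS entries that match the report, and deletes the files and the Run value only when called with -Remove (or previews them with -WhatIf). The report's placeholders are mapped to environment variables (%CurrentUserName% to the profile of the user running the script, %Program Files% to $env:ProgramFiles). Two points go beyond the report's own list and are labelled as assumptions in the code: the dropped directories are treated as attacker-created in full, and the TermService ServiceDll check reflects how RDP Wrapper (rdpwrap.dll and RDPWInst.exe in the list above) installs itself.

```powershell
# Added example (not code from the Lavasoft report): sweep a host for the
# artefacts in the removal steps and optionally remove them. Run elevated.
# Assumption: the directories in $droppedDirs are attacker-created in full,
# not only the individual files the report names inside them.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

$droppedDirs = @(
  "$env:ProgramData\Microsoft\TaskList", "$env:ProgramData\Microsoft\Intel",
  "$env:ProgramData\Microsoft\temp",     "$env:ProgramData\Microsoft\rootsystem",
  "$env:ProgramData\WindowsTask",        "$env:ProgramData\RealtekHD",
  "$env:ProgramData\Windows",            'C:\rdp',
  "$env:ProgramFiles\RDP Wrapper",       "$env:LOCALAPPDATA\Temp\RarSFX0"
)
$droppedFiles = @(
  "$env:ProgramData\System Idle.exe", "$env:ProgramData\SystemIdle.exe",
  "$env:ProgramData\Iostream.exe",    "$env:ProgramData\olly.exe",
  "$env:APPDATA\winhost.exe",         "$env:APPDATA\Bot.exe",
  "$env:APPDATA\Nvidiadriver.exe",    "$env:APPDATA\Microsoft\Windows\Helper.exe"
)
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runName = 'Realtek HD Audio'
$hosts   = "$env:SystemRoot\System32\drivers\etc\hosts"

# True when $path is a dropped file or lies under a dropped directory.
function Test-DroppedPath([string]$path) {
  if (-not $path) { return $false }
  if ($droppedFiles -contains $path) { return $true }
  foreach ($d in $droppedDirs) { if ($path -like "$d\*") { return $true } }
  return $false
}

$findings = @()

# 1. Processes: match on the full image path, never on the image name. The
#    dropped set contains svchost.exe, winlogon.exe and taskhostw.exe
#    look-alikes; killing by name would hit the genuine Windows processes.
foreach ($p in (Get-Process | Where-Object { Test-DroppedPath $_.Path })) {
  $findings += [pscustomobject]@{ Type = 'Process'; Item = "$($p.Name) ($($p.Id)) $($p.Path)" }
  if ($Remove -and $PSCmdlet.ShouldProcess($p.Path, 'Stop-Process')) { Stop-Process -Id $p.Id -Force }
}

# 2. Services whose binary lives in a dropped location (reported only).
Get-CimInstance Win32_Service | ForEach-Object {
  $bin = ($_.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
  if (Test-DroppedPath $bin) { $findings += [pscustomobject]@{ Type = 'Service'; Item = "$($_.Name) -> $bin" } }
}

# 3. TermService DLL. Assumption beyond the report: RDP Wrapper installs by
#    repointing this value from termsrv.dll to rdpwrap.dll.
$termParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
$svcDll = (Get-ItemProperty -Path $termParams -ErrorAction SilentlyContinue).ServiceDll
if ($svcDll -and $svcDll -notmatch '\\termsrv\.dll$') {
  $findings += [pscustomobject]@{ Type = 'TermService'; Item = "ServiceDll = $svcDll" }
}

# 4. Files and directories (step 3), after processes so nothing is locked.
foreach ($f in ($droppedFiles + $droppedDirs)) {
  if (Test-Path -LiteralPath $f) {
    $findings += [pscustomobject]@{ Type = 'File'; Item = $f }
    if ($Remove -and $PSCmdlet.ShouldProcess($f, 'Remove-Item')) { Remove-Item -LiteralPath $f -Recurse -Force }
  }
}

# 5. Autorun value (step 4) in the current user's hive.
$run = Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
if ($run) {
  $findings += [pscustomobject]@{ Type = 'Run'; Item = "$runName = $($run.$runName)" }
  if ($Remove -and $PSCmdlet.ShouldProcess("$runKey\$runName", 'Remove-ItemProperty')) {
    Remove-ItemProperty -Path $runKey -Name $runName
  }
}

# 6. HOSTS file (step 5): report every active line other than localhost.
#    Restoring it is left to the analyst; managed hosts often carry extra entries.
if (Test-Path -LiteralPath $hosts) {
  Get-Content -LiteralPath $hosts |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
    ForEach-Object { $findings += [pscustomobject]@{ Type = 'Hosts'; Item = $_ } }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No SwrortProxy artefacts found.' }
```

Two caveats when using it. The Run value is in HKCU, so the script must run in the infected user's (elevated) session, or that user's hive must be loaded, or step 4 will be missed. The script deliberately does not touch C:\Windows\System32\GroupPolicy\Machine\Registry.pol and gpt.ini, which the report lists as modified: deleting Registry.pol wipes the machine's local group policy rather than restoring it, so review it (gpedit.msc or a policy diff) and remove only the settings the Trojan added.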
