Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    28-12-2021 11:03

General

  • Target

    tmp/57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe

  • Size

    397KB

  • MD5

    aff57ee1a4f3731c2036046910f78fb4

  • SHA1

    ef9627c0cadff85a3dfaab6aef0b7c885f03b186

  • SHA256

    3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4

  • SHA512

    5ae93c6dae61782a7ac2fa2079df7006e0655d73e32fd7df1a5c1d44e47fd7dd2da225ea6f93e9d3dcb09be5f84b5dab2130bb4f2d5b0e05d95e866ebde0163f

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 9 IoCs
  • Sets file execution options in registry 2 TTPs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 3 IoCs
  • Modifies powershell logging option 1 TTPs
  • Drops file in Program Files directory 53 IoCs
  • Drops file in Windows directory 21 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Gathers network information 2 TTPs 3 IoCs

    Uses commandline utility to view network configuration.

  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp\57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp\57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5yzhjabv.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:656
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB70D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB70C.tmp"
        3⤵
          PID:1056
      • C:\Windows\system32\chcp.com
        "C:\Windows\system32\chcp.com" 437
        2⤵
          PID:3200
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" interface portproxy show all
          2⤵
            PID:3336
          • C:\Windows\system32\NETSTAT.EXE
            "C:\Windows\system32\NETSTAT.EXE" -na
            2⤵
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:1708
          • C:\Windows\system32\NETSTAT.EXE
            "C:\Windows\system32\NETSTAT.EXE" -na
            2⤵
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:1944
          • C:\Windows\system32\NETSTAT.EXE
            "C:\Windows\system32\NETSTAT.EXE" -na
            2⤵
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:1956
          • C:\Windows\system32\netsh.exe
            "C:\Windows\system32\netsh.exe" interface portproxy reset
            2⤵
              PID:2384
            • C:\Windows\system32\netsh.exe
              "C:\Windows\system32\netsh.exe" interface portproxy show all
              2⤵
                PID:3044
              • C:\Windows\system32\netsh.exe
                "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
                2⤵
                  PID:3188
                • C:\Windows\system32\netsh.exe
                  "C:\Windows\system32\netsh.exe" interface portproxy show all
                  2⤵
                    PID:1404
                  • C:\Windows\system32\netsh.exe
                    "C:\Windows\system32\netsh.exe" interface portproxy show all
                    2⤵
                      PID:1936
                    • C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe
                      "C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe"
                      2⤵
                      • Executes dropped EXE
                      • Suspicious use of WriteProcessMemory
                      PID:508
                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
                        "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
                        3⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:404
                        • C:\Windows\SysWOW64\msiexec.exe
                          "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
                          4⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1244
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\killself.bat
                          4⤵
                            PID:3680
                    • C:\Windows\system32\msiexec.exe
                      C:\Windows\system32\msiexec.exe /V
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1040
                    • C:\Windows\system32\msiexec.exe
                      C:\Windows\system32\msiexec.exe /V
                      1⤵
                      • Blocklisted process makes network request
                      • Enumerates connected drives
                      • Drops file in Program Files directory
                      • Drops file in Windows directory
                      • Modifies data under HKEY_USERS
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3620
                      • C:\Windows\syswow64\MsiExec.exe
                        C:\Windows\syswow64\MsiExec.exe -Embedding 70EB8EAF68D186F751E6E9A4C47A0B00
                        2⤵
                        • Loads dropped DLL
                        PID:1780
                      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                        "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
                        2⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of SetWindowsHookEx
                        PID:3952
                      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                        "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
                        2⤵
                        • Executes dropped EXE
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of SetWindowsHookEx
                        PID:2312
                      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                        "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
                        2⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of SetWindowsHookEx
                        PID:3088
                    • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                      "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
                      1⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of SetWindowsHookEx
                      • Suspicious use of WriteProcessMemory
                      PID:3388
                      • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                        "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
                        2⤵
                        • Executes dropped EXE
                        PID:3848
                      • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                        "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
                        2⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        PID:2008
                        • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                          "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
                          3⤵
                          • Executes dropped EXE
                          • Suspicious behavior: SetClipboardViewer
                          PID:1516
                    • C:\Windows\system32\compattelrunner.exe
                      C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
                      1⤵
                        PID:1720

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Program Files (x86)\Remote Manipulator System - Host\English.lg

                        MD5

                        bc25377ade68750b834c81fa71c233b8

                        SHA1

                        84dbb465dd2125f47668e2508e18af9bd6db2fd8

                        SHA256

                        9a48a7ea7ba2c2f33280d1e1722ebbc59bf81bc6c5a1f97edca53ea641ffd8e3

                        SHA512

                        205ab195339d7108adbe6dfabd48e4e21c5956ded587d7213a44618f0d34a43f7b8abaa7765b9d31695efacfc44beeb69fbaa3cb27c141b6a653713fdf5ebce5

                      • C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll

                        MD5

                        2ddfa39f5c2fd3f00681ef2970617e4b

                        SHA1

                        8152aa18afbacf398b92168995ec8696d3fe3659

                        SHA256

                        f938bdc741ef1d2738b532aef001a160e3a3627ed8a27158b7017ee49fc65791

                        SHA512

                        f89f0f02cda650c138e4ebaef198f0762dfd571ef7d46a6b3710cd93d76bc52a79055c55afca46128a9a84a795a5cb946ca93c492e07cfb503c9b27d96211e20

                      • C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll

                        MD5

                        3d0b27b3f8aa22575aa0faf0b2d67216

                        SHA1

                        39fc787538849692ed7352418616f467b7a86a1d

                        SHA256

                        d7782488ef29bf0fd7e8faf0bd24414a6540bf7366434692a5a485d5ae2d7d44

                        SHA512

                        19f0785d3cecce0dbbb7da1be640bffebe4daedc65a513d1db0b5e533eb96aaa0588831de74c88e5013c00405e03ca4188c4b633e39e6c49ab5c1d1b42191ca8

                      • C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg

                        MD5

                        e44e34bc285b709f08f967325d9c8be1

                        SHA1

                        e73f05c6a980ec9d006930c5343955f89579b409

                        SHA256

                        1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

                        SHA512

                        576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

                      • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

                        MD5

                        76ebe5fd077a62161d0ab560208b9f94

                        SHA1

                        614c218d35ba531f0bad791d52e5dcf57df5c742

                        SHA256

                        f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b

                        SHA512

                        baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde

                      • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

                        MD5

                        76ebe5fd077a62161d0ab560208b9f94

                        SHA1

                        614c218d35ba531f0bad791d52e5dcf57df5c742

                        SHA256

                        f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b

                        SHA512

                        baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde

                      • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

                        MD5

                        76ebe5fd077a62161d0ab560208b9f94

                        SHA1

                        614c218d35ba531f0bad791d52e5dcf57df5c742

                        SHA256

                        f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b

                        SHA512

                        baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde

                      • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

                        MD5

                        76ebe5fd077a62161d0ab560208b9f94

                        SHA1

                        614c218d35ba531f0bad791d52e5dcf57df5c742

                        SHA256

                        f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b

                        SHA512

                        baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde

                      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

                        MD5

                        c9704931d887685d96ce92d637d84045

                        SHA1

                        0875a71e9118ded121d92f3f46a3af1ec8380f8b

                        SHA256

                        0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

                        SHA512

                        3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

                      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

                        MD5

                        c9704931d887685d96ce92d637d84045

                        SHA1

                        0875a71e9118ded121d92f3f46a3af1ec8380f8b

                        SHA256

                        0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

                        SHA512

                        3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

                      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

                        MD5

                        c9704931d887685d96ce92d637d84045

                        SHA1

                        0875a71e9118ded121d92f3f46a3af1ec8380f8b

                        SHA256

                        0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

                        SHA512

                        3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

                      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

                        MD5

                        c9704931d887685d96ce92d637d84045

                        SHA1

                        0875a71e9118ded121d92f3f46a3af1ec8380f8b

                        SHA256

                        0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

                        SHA512

                        3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

                      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

                        MD5

                        c9704931d887685d96ce92d637d84045

                        SHA1

                        0875a71e9118ded121d92f3f46a3af1ec8380f8b

                        SHA256

                        0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

                        SHA512

                        3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

                      • C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll

                        MD5

                        292a1748850d1fdc91d4ec23b02d6902

                        SHA1

                        8f15f1c24e11c0b45b19c82a78f7b79b1e7f932d

                        SHA256

                        acf354ad6ed94e876b29a60c5870dd91e7b3f76cc82c1a862c92024a12404a9f

                        SHA512

                        cf7579f1169ec21d9bf3c666d416d3fe2a4f9953d4d328b182452e40043f91055d301fd4b4a21454b847dbdb0af6a61c52657caded7d6fd7e88812aceeacf704

                      • C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll

                        MD5

                        4570f7a40357016c97afe0dd4faf749b

                        SHA1

                        ebc8a1660f1103c655559caab3a70ec23ca187f1

                        SHA256

                        a5f008bf852d4c73e001f840d6f8b233c7d9bc9570cee639d40c1c8723bf99f8

                        SHA512

                        6b16979d004adc04259f2ce043cde6f7b57f2ddf5f4cea7bb390fd6b9fb273d22355b837f1b5c2eae77ea7df792de8e6db43e31d7246f044935a8187dace493b

                      • C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll

                        MD5

                        038bf9f3a58560ad1130eeb85cdc1a87

                        SHA1

                        3571eb7293a2a3a5bf6eb21e1569cd151d995d1a

                        SHA256

                        d247afa3bd1ccc18e11eb099280802a61d3792a2018c476d95debf2091e9707d

                        SHA512

                        8ffa52b358841600b9122974079d22d4e11bc4214316cd85ac4d4af0e369112b6827029f74a9a9d3918db00c7fed3a9a1985e0b43da39783a748d78752ae2385

                      • C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll

                        MD5

                        eeb2c52abbc7eb1c029b7fec45a7f22e

                        SHA1

                        8bfeb412614e3db0a2bf0122f4d68cc27b8c3a61

                        SHA256

                        c0f0b84d587066af8f80f41a7be63b4c01547af3f1e011602ac1b6ee0ac54a2c

                        SHA512

                        0b5b83335c6f602b8397a3c2ae6d1e661d744eb27114463d53e344bf18774ccb38853d314ebe05536d4c28c29fe3fdaba041a6a46983789f064ca70881cfcb85

                      • C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll

                        MD5

                        e38372f576d927f525ef8e1a34b54664

                        SHA1

                        26af9d1db0a3f91d7fe13147e55f06c302d59389

                        SHA256

                        4046bd0b93909a41d0fd96f0405a864c79a47f493165546569251c1f73db6b0b

                        SHA512

                        78b7477b000407990304ec37624b873514d4ed9daa1b42fd988707b7374ffab442ba28fe19884724867f3f0f7a5f12f7fc8c228c050115c902d1569e4a3b13c7

                      • C:\Users\Admin\AppData\Local\Temp\5yzhjabv.dll

                        MD5

                        274151d24c7834233edfaacfb15d20f0

                        SHA1

                        99ab56a8033e19fed297de43ddeec2dcfbe535b7

                        SHA256

                        7a343e9037629760811e8b0402db4be0be4411abfb16087f5e51b642305bde00

                        SHA512

                        17aba59d8d369f0de527f584c0dd6e1fe5d930ea5b5f690001c723f53ab1b29dc65cc1c1ce7f125d24de130a40405e506ee293c7d024756495e70290d0feecb9

                      • C:\Users\Admin\AppData\Local\Temp\5yzhjabv.pdb

                        MD5

                        6581e8c784411398410892ae47623c66

                        SHA1

                        4d0ca7a498f98c8cf97c392ab676826ccdbae557

                        SHA256

                        9bd6a04f939dba1fed1e768020f65e2e26ee6ea56dc8a2df0482c52afd93694c

                        SHA512

                        4a022a14d0d8db3041f28b18ccec97c01b4945b332b7e1580ba1598a636aed5d0efe95ba1c2017380525dcbae83dcf219524ecc65cc4141a8d10034429bb99c6

                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

                        MD5

                        c9704931d887685d96ce92d637d84045

                        SHA1

                        0875a71e9118ded121d92f3f46a3af1ec8380f8b

                        SHA256

                        0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

                        SHA512

                        3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

                        MD5

                        c9704931d887685d96ce92d637d84045

                        SHA1

                        0875a71e9118ded121d92f3f46a3af1ec8380f8b

                        SHA256

                        0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

                        SHA512

                        3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi

                        MD5

                        73e578a44265558d3ace212869d43cbb

                        SHA1

                        d2c15578def8996ed0ae4a44754055b774b095a7

                        SHA256

                        8a6945ead42d78d963d6f2e126eebb89c0e82b02c389d4badcaa837ff49bf7f4

                        SHA512

                        fe661e19899a6f749a180e5b312fcebb2963acc92720d1c6cabba22b0ffd250f1930c9dac62f789cd4b99aff86ef0f3944ae52a583e2c1be57c9fca391be9bf4

                      • C:\Users\Admin\AppData\Local\Temp\RESB70D.tmp

                        MD5

                        6058c89c1d7c46547d458fe55615cd18

                        SHA1

                        a138d5d1e24e37c3ba939be22e8db88bef4efc6f

                        SHA256

                        190f441c219a779ba5bdf05e96a187f0020c2d4a78bde7162c8ce4c89eeea31e

                        SHA512

                        0b393b31a05ba0a88264c06ec702b995804b7248ab23fca33cded19603615981ad9d46e7aa835c69d90eb020cf95f998c3c4fb13dadfb3690108808fab5efd63

                      • C:\Users\Admin\AppData\Local\Temp\killself.bat

                        MD5

                        c2ac85b000427a4a00f19da237aaaf86

                        SHA1

                        459ecb5e64576348e6c654724e87825772c06ea8

                        SHA256

                        b5157eceaf9b5f6448d15dcfe7011af0b44a4288f7667c5d717f042c2fba1352

                        SHA512

                        e62f711445398b0654e698c4f7d4c75bb8693e901ae99f1cf543f45ccd9532daf27bba1ceb9d180d0379a41c9a62d6ee2df30cd25b9abb05532c551a0fad814b

                      • C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe

                        MD5

                        73f351beae5c881fafe36f42cde9a47c

                        SHA1

                        dc1425cfd5569bd59f5d56432df875b59da9300b

                        SHA256

                        a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824

                        SHA512

                        f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66

                      • C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe

                        MD5

                        73f351beae5c881fafe36f42cde9a47c

                        SHA1

                        dc1425cfd5569bd59f5d56432df875b59da9300b

                        SHA256

                        a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824

                        SHA512

                        f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66

                      • C:\Windows\Installer\MSIBDCE.tmp

                        MD5

                        b0bcc622f1fff0eec99e487fa1a4ddd9

                        SHA1

                        49aa392454bd5869fa23794196aedc38e8eea6f5

                        SHA256

                        b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

                        SHA512

                        1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

                      • \??\c:\Users\Admin\AppData\Local\Temp\5yzhjabv.0.cs

                        MD5

                        1640a04633fee0dfdc7e22c4f4063bf6

                        SHA1

                        3cb525c47b5dd37f8ee45b034c9452265fba5476

                        SHA256

                        55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0

                        SHA512

                        85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d

                      • \??\c:\Users\Admin\AppData\Local\Temp\5yzhjabv.cmdline

                        MD5

                        2ecacd9fc16c54a5ef5642aa06bb1edd

                        SHA1

                        c5aa2e7233f4b7a0e12fbf9f14f732f8157f2700

                        SHA256

                        44e0c5dc1903fc19f618fe7a61b05eb34c4cf84ff6f710d608c1ee8dcdeba7fc

                        SHA512

                        71a8d3e577619a167285e8e0aaaad02a182cdddb056f2f45b8f845c01a6796b525ccf0723647f687d40c6632190fddbc1aa8ffb5bd5a8eaf8322c7d24de536ed

                      • \??\c:\Users\Admin\AppData\Local\Temp\CSCB70C.tmp

                        MD5

                        ac63aae20883707f37215f5df2a8b763

                        SHA1

                        8a1b569ecf2f8c9b051ced62ae6c4e0f9bf60d3d

                        SHA256

                        9db49ef86871b920ccff8965d972a8648103a5dbe1b4cc4da382bbd7d85e617d

                        SHA512

                        ce45e3791c972bc7e37c2129dccb349b90588686c1bb5c50d6b1be8807168523ab69b7b852a208d0071eefe6067dc58ee6846624e3700d768216d01250421828

                      • \Windows\Installer\MSIBDCE.tmp

                        MD5

                        b0bcc622f1fff0eec99e487fa1a4ddd9

                        SHA1

                        49aa392454bd5869fa23794196aedc38e8eea6f5

                        SHA256

                        b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

                        SHA512

                        1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

                      • memory/404-148-0x0000000000C40000-0x0000000000C63000-memory.dmp

                        Filesize

                        140KB

                      • memory/404-142-0x0000000000000000-mapping.dmp

                      • memory/508-139-0x0000000000000000-mapping.dmp

                      • memory/656-117-0x0000000000000000-mapping.dmp

                      • memory/656-126-0x00000000008E0000-0x00000000008E2000-memory.dmp

                        Filesize

                        8KB

                      • memory/1040-128-0x000001AA3CFA0000-0x000001AA3CFA2000-memory.dmp

                        Filesize

                        8KB

                      • memory/1040-127-0x000001AA3CFA0000-0x000001AA3CFA2000-memory.dmp

                        Filesize

                        8KB

                      • memory/1056-120-0x0000000000000000-mapping.dmp

                      • memory/1244-146-0x0000000000A50000-0x0000000000A51000-memory.dmp

                        Filesize

                        4KB

                      • memory/1244-147-0x0000000000A50000-0x0000000000A51000-memory.dmp

                        Filesize

                        4KB

                      • memory/1244-145-0x0000000000000000-mapping.dmp

                      • memory/1404-136-0x0000000000000000-mapping.dmp

                      • memory/1516-189-0x0000000002700000-0x0000000002701000-memory.dmp

                        Filesize

                        4KB

                      • memory/1516-187-0x0000000000000000-mapping.dmp

                      • memory/1708-130-0x0000000000000000-mapping.dmp

                      • memory/1780-153-0x0000000000830000-0x0000000000831000-memory.dmp

                        Filesize

                        4KB

                      • memory/1780-154-0x0000000000830000-0x0000000000831000-memory.dmp

                        Filesize

                        4KB

                      • memory/1780-152-0x0000000000000000-mapping.dmp

                      • memory/1936-137-0x0000000000000000-mapping.dmp

                      • memory/1944-131-0x0000000000000000-mapping.dmp

                      • memory/1956-132-0x0000000000000000-mapping.dmp

                      • memory/2008-181-0x0000000000000000-mapping.dmp

                      • memory/2008-186-0x0000000000A90000-0x0000000000A91000-memory.dmp

                        Filesize

                        4KB

                      • memory/2312-163-0x0000000000B00000-0x0000000000B01000-memory.dmp

                        Filesize

                        4KB

                      • memory/2312-160-0x0000000000000000-mapping.dmp

                      • memory/2384-133-0x0000000000000000-mapping.dmp

                      • memory/2936-138-0x0000000002426000-0x0000000002428000-memory.dmp

                        Filesize

                        8KB

                      • memory/2936-115-0x00007FF806070000-0x00007FF806BCD000-memory.dmp

                        Filesize

                        11.4MB

                      • memory/2936-116-0x0000000002420000-0x0000000002422000-memory.dmp

                        Filesize

                        8KB

                      • memory/3044-134-0x0000000000000000-mapping.dmp

                      • memory/3088-164-0x0000000000000000-mapping.dmp

                      • memory/3088-178-0x0000000000B40000-0x0000000000BEE000-memory.dmp

                        Filesize

                        696KB

                      • memory/3188-135-0x0000000000000000-mapping.dmp

                      • memory/3200-125-0x0000000000000000-mapping.dmp

                      • memory/3336-129-0x0000000000000000-mapping.dmp

                      • memory/3388-180-0x00000000001E0000-0x00000000001E1000-memory.dmp

                        Filesize

                        4KB

                      • memory/3620-150-0x000001CC6DB10000-0x000001CC6DB12000-memory.dmp

                        Filesize

                        8KB

                      • memory/3620-151-0x000001CC6DB10000-0x000001CC6DB12000-memory.dmp

                        Filesize

                        8KB

                      • memory/3680-167-0x0000000000000000-mapping.dmp

                      • memory/3848-182-0x0000000000000000-mapping.dmp

                      • memory/3848-185-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

                        Filesize

                        4KB

                      • memory/3952-157-0x0000000000000000-mapping.dmp

                      • memory/3952-162-0x0000000000B90000-0x0000000000B91000-memory.dmp

                        Filesize

                        4KB