Analysis Overview
SHA256
8e1b6fa3030261c2a9e9b689675a72aed2faa2e24bcc0f64fe8cd99f251d58d0
Threat Level: Known bad
The file 8e1b6fa3030261c2a9e9b689675a72aed2faa2e24bcc0f64fe8cd99f251d58d0 was found to be: Known bad.
Malicious Activity Summary
RMS
UPX packed file
Executes dropped EXE
Sets DLL path for service in the registry
Modifies Windows Firewall
Loads dropped DLL
Allows Network login with blank passwords
Modifies WinLogon
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: SetClipboardViewer
Runs .reg file with regedit
Suspicious behavior: LoadsDriver
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-13 12:24
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-13 12:24
Reported
2022-02-13 12:27
Platform
win10v2004-en-20220113
Max time kernel
99s
Max time network
168s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\pending.xml | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\8e1b6fa3030261c2a9e9b689675a72aed2faa2e24bcc0f64fe8cd99f251d58d0.exe
"C:\Users\Admin\AppData\Local\Temp\8e1b6fa3030261c2a9e9b689675a72aed2faa2e24bcc0f64fe8cd99f251d58d0.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| NL | 104.110.191.133:80 | tcp | |
| BE | 67.27.153.254:80 | tcp | |
| BE | 67.27.153.254:80 | tcp |
Files
memory/4932-130-0x000001D81CF80000-0x000001D81CF90000-memory.dmp
memory/4932-131-0x000001D81D620000-0x000001D81D630000-memory.dmp
memory/4932-132-0x000001D81FD00000-0x000001D81FD04000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-13 12:24
Reported
2022-02-13 12:27
Platform
win7-en-20211208
Max time kernel
149s
Max time network
175s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\JavaSClien.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\JavaSClien.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\sys.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\JavaSClien.exe | N/A |
| N/A | N/A | C:\Windows\RDPWInst.exe | N/A |
| N/A | N/A | C:\Windows\RDPWInst.exe | N/A |
Modifies Windows Firewall
Sets DLL path for service in the registry
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Allows Network login with blank passwords
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\limitblankpassworduse = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e1b6fa3030261c2a9e9b689675a72aed2faa2e24bcc0f64fe8cd99f251d58d0.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e1b6fa3030261c2a9e9b689675a72aed2faa2e24bcc0f64fe8cd99f251d58d0.exe | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\Windows\RDPWInst.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.ini | C:\Windows\RDPWInst.exe | N/A |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.dll | C:\Windows\RDPWInst.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\RDPWInst.exe | C:\Java\CurrentVersion\sys.exe | N/A |
| File created | C:\Windows\run.bat | C:\Java\CurrentVersion\sys.exe | N/A |
| File created | C:\Windows\run.exe | C:\Java\CurrentVersion\sys.exe | N/A |
| File created | C:\Windows\RDPCheck.exe | C:\Java\CurrentVersion\sys.exe | N/A |
| File created | C:\Windows\RDPConf.exe | C:\Java\CurrentVersion\sys.exe | N/A |
| File created | C:\Windows\RDPSetup.exe | C:\Java\CurrentVersion\sys.exe | N/A |
Launches sc.exe
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Windows\RDPWInst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Windows\RDPWInst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Windows\RDPWInst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Windows\RDPWInst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Windows\RDPWInst.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\JavaSClien.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e1b6fa3030261c2a9e9b689675a72aed2faa2e24bcc0f64fe8cd99f251d58d0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e1b6fa3030261c2a9e9b689675a72aed2faa2e24bcc0f64fe8cd99f251d58d0.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Java\CurrentVersion\JavaSClien.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\RDPWInst.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Java\CurrentVersion\sys.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\sys.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Java\CurrentVersion\sys.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\sys.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
| N/A | N/A | C:\Java\CurrentVersion\JavaSRV.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8e1b6fa3030261c2a9e9b689675a72aed2faa2e24bcc0f64fe8cd99f251d58d0.exe
"C:\Users\Admin\AppData\Local\Temp\8e1b6fa3030261c2a9e9b689675a72aed2faa2e24bcc0f64fe8cd99f251d58d0.exe"
C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\Java\CurrentVersion\regedit.reg"
C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
C:\Java\CurrentVersion\JavaSRV.exe
C:\Java\CurrentVersion\JavaSRV.exe /silentinstall
C:\Java\CurrentVersion\JavaSRV.exe
C:\Java\CurrentVersion\JavaSRV.exe /firewall
C:\Java\CurrentVersion\JavaSRV.exe
C:\Java\CurrentVersion\JavaSRV.exe /start
C:\Java\CurrentVersion\JavaSRV.exe
C:\Java\CurrentVersion\JavaSRV.exe
C:\Java\CurrentVersion\JavaSClien.exe
C:\Java\CurrentVersion\JavaSClien.exe
C:\Java\CurrentVersion\JavaSClien.exe
C:\Java\CurrentVersion\JavaSClien.exe /tray
C:\Java\CurrentVersion\sys.exe
C:\Java\CurrentVersion\sys.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows/run.bat
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v limitblankpassworduse /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
C:\Java\CurrentVersion\JavaSClien.exe
C:\Java\CurrentVersion\JavaSClien.exe /tray
C:\Windows\RDPWInst.exe
"RDPWInst.exe" -i -o
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
C:\Windows\RDPWInst.exe
"RDPWInst.exe" -w
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Java\CurrentVersion\service.bat
C:\Windows\SysWOW64\sc.exe
sc failure RManService reset= 0 actions=restart/1000/restart/1000/restart/1000
C:\Windows\SysWOW64\sc.exe
sc config RManService obj= LocalSystem type= interact type= own
C:\Windows\SysWOW64\sc.exe
sc config RManService DisplayName= "Windows_Defender v6.3"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
memory/1128-55-0x0000000075421000-0x0000000075423000-memory.dmp
C:\Java\CurrentVersion\regedit.reg
| MD5 | 870c80d60af1b0ccede4823a7c62cbba |
| SHA1 | 58cbc59c7446eca13b6c7f081db7372918e4bd36 |
| SHA256 | deb1024eca4af92c22ba422fd1e733e0a96f838b417191a765ad84473d68c9d9 |
| SHA512 | 1f3e19de8e25008a8bc502ab5e1377df9619057805f15b7d172750b1e6c00f7f95634f35a92bc806039aaded9e1035632f054c49b01bbf4878c14dc8775c07b2 |
\Java\CurrentVersion\JavaSRV.exe
| MD5 | 014dc7122adbe1dcb99dede19e0c8611 |
| SHA1 | f09656b5270796becaeb2076c9553525f3460c45 |
| SHA256 | 74b1499e75e0d83005ac7f7e797449aea5c01f8df491703048539fe567561bd2 |
| SHA512 | 4ba0a1cac003a5f358c56e933eb92f7c70d19719ad2641914c7f8482d1bf56f381f4819e82a0c471f78a24a28bec9562d831868db628ce75f656893957d60b5f |
C:\Java\CurrentVersion\JavaSRV.exe
| MD5 | 014dc7122adbe1dcb99dede19e0c8611 |
| SHA1 | f09656b5270796becaeb2076c9553525f3460c45 |
| SHA256 | 74b1499e75e0d83005ac7f7e797449aea5c01f8df491703048539fe567561bd2 |
| SHA512 | 4ba0a1cac003a5f358c56e933eb92f7c70d19719ad2641914c7f8482d1bf56f381f4819e82a0c471f78a24a28bec9562d831868db628ce75f656893957d60b5f |
C:\Java\CurrentVersion\JavaSRV.exe
| MD5 | 014dc7122adbe1dcb99dede19e0c8611 |
| SHA1 | f09656b5270796becaeb2076c9553525f3460c45 |
| SHA256 | 74b1499e75e0d83005ac7f7e797449aea5c01f8df491703048539fe567561bd2 |
| SHA512 | 4ba0a1cac003a5f358c56e933eb92f7c70d19719ad2641914c7f8482d1bf56f381f4819e82a0c471f78a24a28bec9562d831868db628ce75f656893957d60b5f |
memory/516-63-0x00000000002B0000-0x00000000002B1000-memory.dmp
C:\Java\CurrentVersion\JavaSRV.exe
| MD5 | 014dc7122adbe1dcb99dede19e0c8611 |
| SHA1 | f09656b5270796becaeb2076c9553525f3460c45 |
| SHA256 | 74b1499e75e0d83005ac7f7e797449aea5c01f8df491703048539fe567561bd2 |
| SHA512 | 4ba0a1cac003a5f358c56e933eb92f7c70d19719ad2641914c7f8482d1bf56f381f4819e82a0c471f78a24a28bec9562d831868db628ce75f656893957d60b5f |
memory/564-66-0x00000000001C0000-0x00000000001C1000-memory.dmp
C:\Java\CurrentVersion\JavaSRV.exe
| MD5 | 014dc7122adbe1dcb99dede19e0c8611 |
| SHA1 | f09656b5270796becaeb2076c9553525f3460c45 |
| SHA256 | 74b1499e75e0d83005ac7f7e797449aea5c01f8df491703048539fe567561bd2 |
| SHA512 | 4ba0a1cac003a5f358c56e933eb92f7c70d19719ad2641914c7f8482d1bf56f381f4819e82a0c471f78a24a28bec9562d831868db628ce75f656893957d60b5f |
C:\Java\CurrentVersion\JavaSRV.exe
| MD5 | 014dc7122adbe1dcb99dede19e0c8611 |
| SHA1 | f09656b5270796becaeb2076c9553525f3460c45 |
| SHA256 | 74b1499e75e0d83005ac7f7e797449aea5c01f8df491703048539fe567561bd2 |
| SHA512 | 4ba0a1cac003a5f358c56e933eb92f7c70d19719ad2641914c7f8482d1bf56f381f4819e82a0c471f78a24a28bec9562d831868db628ce75f656893957d60b5f |
memory/1832-71-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2036-72-0x00000000002F0000-0x00000000002F1000-memory.dmp
C:\Java\CurrentVersion\vp8decoder.dll
| MD5 | d43fa82fab5337ce20ad14650085c5d9 |
| SHA1 | 678aa092075ff65b6815ffc2d8fdc23af8425981 |
| SHA256 | c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b |
| SHA512 | 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d |
C:\Java\CurrentVersion\JavaSClien.exe
| MD5 | 6d5862dd527ecb1a2bfff87ff5221746 |
| SHA1 | 5af510a7f6ee33ec177f7ee3e8710c6e1b3c3b5d |
| SHA256 | 457efa6c955749459c89af3389f8dceca88927ec4b9675cfd05d28c9050d5582 |
| SHA512 | 870a328b4e40ca13d829f68c9385f114d1c5c919164ed3ed410890267551e2283af5e818bf11ac2d220cf8b570134fd6ef65d6de0243e8558c12de3888679aed |
C:\Java\CurrentVersion\vp8encoder.dll
| MD5 | dab4646806dfca6d0e0b4d80fa9209d6 |
| SHA1 | 8244dfe22ec2090eee89dad103e6b2002059d16a |
| SHA256 | cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587 |
| SHA512 | aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7 |
\Java\CurrentVersion\JavaSClien.exe
| MD5 | 6d5862dd527ecb1a2bfff87ff5221746 |
| SHA1 | 5af510a7f6ee33ec177f7ee3e8710c6e1b3c3b5d |
| SHA256 | 457efa6c955749459c89af3389f8dceca88927ec4b9675cfd05d28c9050d5582 |
| SHA512 | 870a328b4e40ca13d829f68c9385f114d1c5c919164ed3ed410890267551e2283af5e818bf11ac2d220cf8b570134fd6ef65d6de0243e8558c12de3888679aed |
C:\Java\CurrentVersion\JavaSClien.exe
| MD5 | 6d5862dd527ecb1a2bfff87ff5221746 |
| SHA1 | 5af510a7f6ee33ec177f7ee3e8710c6e1b3c3b5d |
| SHA256 | 457efa6c955749459c89af3389f8dceca88927ec4b9675cfd05d28c9050d5582 |
| SHA512 | 870a328b4e40ca13d829f68c9385f114d1c5c919164ed3ed410890267551e2283af5e818bf11ac2d220cf8b570134fd6ef65d6de0243e8558c12de3888679aed |
\Java\CurrentVersion\sys.exe
| MD5 | faf1fc3b0b4e42ab038677f1168fbf17 |
| SHA1 | 5e04f80934853f0552079c27b7d2fd6e62dd1b3c |
| SHA256 | a262cec7448e5db073fc858f5f7e6c871460e8853a12a34f96d3cce95eebf109 |
| SHA512 | 74f2dd08e0f3c1d9b44c104abae62b31d1d49c4e1e7e5a15b11154dd1cae10280adb93e202a62e7772d617d5d3154e1a61bb11a9e929fb2610a6ed8a0a7f80e2 |
C:\Java\CurrentVersion\JavaSClien.exe
| MD5 | 6d5862dd527ecb1a2bfff87ff5221746 |
| SHA1 | 5af510a7f6ee33ec177f7ee3e8710c6e1b3c3b5d |
| SHA256 | 457efa6c955749459c89af3389f8dceca88927ec4b9675cfd05d28c9050d5582 |
| SHA512 | 870a328b4e40ca13d829f68c9385f114d1c5c919164ed3ed410890267551e2283af5e818bf11ac2d220cf8b570134fd6ef65d6de0243e8558c12de3888679aed |
C:\Java\CurrentVersion\sys.exe
| MD5 | faf1fc3b0b4e42ab038677f1168fbf17 |
| SHA1 | 5e04f80934853f0552079c27b7d2fd6e62dd1b3c |
| SHA256 | a262cec7448e5db073fc858f5f7e6c871460e8853a12a34f96d3cce95eebf109 |
| SHA512 | 74f2dd08e0f3c1d9b44c104abae62b31d1d49c4e1e7e5a15b11154dd1cae10280adb93e202a62e7772d617d5d3154e1a61bb11a9e929fb2610a6ed8a0a7f80e2 |
memory/1160-84-0x0000000000400000-0x00000000009B7003-memory.dmp
memory/1160-92-0x00000000003F0000-0x00000000003F6000-memory.dmp
memory/1160-91-0x0000000000AB0000-0x0000000000AB3000-memory.dmp
memory/1692-90-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2044-89-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/1160-88-0x0000000000401000-0x0000000000797000-memory.dmp
memory/1160-94-0x000000007EFA0000-0x000000007EFA1000-memory.dmp
memory/1160-93-0x00000000003A0000-0x00000000003EB000-memory.dmp
C:\Windows\run.bat
| MD5 | 93a098e3701bf40042a0e51d3a125b31 |
| SHA1 | 2dcbf75b8d8bba7830aa363c1e56560e552c726a |
| SHA256 | 8a0c16ab6f2b5af74b62fe041b8bc1ddf8dc03fb713c5bb30beceba307bb1269 |
| SHA512 | 06d97a68fc971bc5c739f5da10a172c2279b9158b994d78b7eb60fff6e484c118b70631df788557a213f26baae00cde9ed7e176b1495c5d2ec74099a7fa3fa12 |
C:\Java\CurrentVersion\JavaSClien.exe
| MD5 | 6d5862dd527ecb1a2bfff87ff5221746 |
| SHA1 | 5af510a7f6ee33ec177f7ee3e8710c6e1b3c3b5d |
| SHA256 | 457efa6c955749459c89af3389f8dceca88927ec4b9675cfd05d28c9050d5582 |
| SHA512 | 870a328b4e40ca13d829f68c9385f114d1c5c919164ed3ed410890267551e2283af5e818bf11ac2d220cf8b570134fd6ef65d6de0243e8558c12de3888679aed |
memory/1748-98-0x00000000002B0000-0x00000000002B1000-memory.dmp
C:\Windows\RDPWInst.exe
| MD5 | 9c257b1d15817a818a675749f0429130 |
| SHA1 | 234d14da613c1420ea17de60ab8c3621d1599f6f |
| SHA256 | b92962c2b4794ee418f0248743131d472a10ac96e520dda2afddf8ca3f3cd64c |
| SHA512 | b63fb6ba7b622f95fc151ca62c339368991c3c4c22e4bbe2305ac7172ee3f10e5049850e87cf3b87a13f4f15c516fbd20cadde9197064b659ffc66599e71d521 |
C:\Windows\RDPWInst.exe
| MD5 | 9c257b1d15817a818a675749f0429130 |
| SHA1 | 234d14da613c1420ea17de60ab8c3621d1599f6f |
| SHA256 | b92962c2b4794ee418f0248743131d472a10ac96e520dda2afddf8ca3f3cd64c |
| SHA512 | b63fb6ba7b622f95fc151ca62c339368991c3c4c22e4bbe2305ac7172ee3f10e5049850e87cf3b87a13f4f15c516fbd20cadde9197064b659ffc66599e71d521 |
\Program Files\RDP Wrapper\rdpwrap.dll
| MD5 | 461ade40b800ae80a40985594e1ac236 |
| SHA1 | b3892eef846c044a2b0785d54a432b3e93a968c8 |
| SHA256 | 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4 |
| SHA512 | 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26 |
memory/1284-104-0x000007FEFB781000-0x000007FEFB783000-memory.dmp
C:\Windows\RDPWInst.exe
| MD5 | 9c257b1d15817a818a675749f0429130 |
| SHA1 | 234d14da613c1420ea17de60ab8c3621d1599f6f |
| SHA256 | b92962c2b4794ee418f0248743131d472a10ac96e520dda2afddf8ca3f3cd64c |
| SHA512 | b63fb6ba7b622f95fc151ca62c339368991c3c4c22e4bbe2305ac7172ee3f10e5049850e87cf3b87a13f4f15c516fbd20cadde9197064b659ffc66599e71d521 |
C:\Program Files\RDP Wrapper\rdpwrap.ini
| MD5 | dddd741ab677bdac8dcd4fa0dda05da2 |
| SHA1 | 69d328c70046029a1866fd440c3e4a63563200f9 |
| SHA256 | 7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668 |
| SHA512 | 6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
| MD5 | a8cece8975329aad2549d1f73ab385e8 |
| SHA1 | 02f2247f70d2765756df2d084508e0a96e567cfa |
| SHA256 | 7d9b6778d972fbb7a92bd5e0f65eea87182d2a74aa66fa234a4063441c05e395 |
| SHA512 | c55fed606f1788c8ac7c5389ea3bd0bf3a3b5ffed0c0e8ceb6dff3c251c1438106dbd7abaa7417c54a1b33efd2fb12155facd7d289af9a8b3995e7918efc811e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
| MD5 | 08579a987c85dc998f5312109278703d |
| SHA1 | 35a42f2826cbdfa2c19d15192dd14d8dbff32dc1 |
| SHA256 | 78e6d40c3682b3417cf742ec0c4ceaac3678fc0cde32c07577f71a8b43fc0530 |
| SHA512 | bd6d8d5beed16e570a6bfeeddcadd4eeb233060160f952f23cf1b18af06864270aa41a5f31c156a9bb070f0eedc9a3b8d4ffdf2bed03780b43cbe1806f2a3dd5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3895612ec25653081bf7afb11efbf0a5 |
| SHA1 | 8c12f8045af582258b905bc1020c74d665a4335a |
| SHA256 | 2431bcf59b64fbc3a013ed26f72eea9bda15517f45254f676ebdcf9b44349630 |
| SHA512 | d74b1e548f222dd2a2d94c935aaf68a4161c2a6a14f66a6deb615155b84b9078889d3de6a2d0d9b5733fae1c3b89e16da1e47ba089184f2940501bc6008d0a66 |
C:\Java\CurrentVersion\service.bat
| MD5 | d464405315d8b051c5f101a7035eff0c |
| SHA1 | f9fefd04bb0f04d2b7fbac73efac8130a264fc6b |
| SHA256 | e54649f33d7b149073e457e5c4b78767433b05f8220245f8ee2c7ad44685ed10 |
| SHA512 | 6e0daab678a3ace2c437702241daee277d4b2bed86bf953fa33089ce3654402415d2401d15740b6ae2077289c87550f50750c0d33e415999e3df27b5fc40350a |