Analysis Overview
SHA256
6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0
Threat Level: Known bad
The file 6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0 was found to be: Known bad.
Malicious Activity Summary
xmrig
RMS
Modifies Windows Firewall
UPX packed file
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-13 13:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-13 13:21
Reported
2022-02-13 13:23
Platform
win7-en-20211208
Max time kernel
151s
Max time network
157s
Command Line
Signatures
RMS
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManFUSClient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManFUSClient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\getip.exe | N/A |
Modifies Windows Firewall
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\HookDrv.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\RManFUSClient.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\RManServer.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\RManWLN.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\getip.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\msvcp80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\PushSource.ax | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RManFUSClient.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RManIpcServer.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\getip.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dsfVorbisEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft.VC80.CRT.manifest | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\msvcr80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\PushSource.ax | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RManWLN.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\dsfOggMux.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dsfTheoraEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\dsfVorbisEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcp80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcr80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\RManIpcServer.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\RManWLN.dll | C:\Windows\SysWOW64\RManServer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\HookDrv.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\Russian.lg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Russian.lg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\1.rar | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\1.rar | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RManWLN.dll | C:\Windows\SysWOW64\RManServer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dsfOggMux.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\dsfTheoraEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Microsoft.VC80.CRT.manifest | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RManServer.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManFUSClient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| Token: 33 (raw privilege value; LUID 33 is SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\SysWOW64\getip.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\getip.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe | "C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Windows\exe.js" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Windows\123.bat" " |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKLM\SYSTEM\Remote Manipulator System" /f |
| C:\Windows\SysWOW64\netsh.exe | netsh firewall add allowedprogram "C:\Windows\system32\RManServer.exe" "rmss" ENABLE |
| C:\Windows\SysWOW64\netsh.exe | netsh firewall add allowedprogram "C:\Windows\system32\getip.exe" "rmsslocal" ENABLE |
| C:\Windows\SysWOW64\RManServer.exe | "C:\Windows\System32\RManServer.exe" /silentinstall |
| C:\Windows\SysWOW64\regedit.exe | regedit /s "123.reg" |
| C:\Windows\SysWOW64\RManServer.exe | "C:\Windows\System32\RManServer.exe" /start |
| C:\Windows\SysWOW64\RManServer.exe | C:\Windows\SysWOW64\RManServer.exe |
| C:\Windows\SysWOW64\RManFUSClient.exe | "C:\Windows\SysWOW64\RManFUSClient.exe" |
| C:\Windows\SysWOW64\RManFUSClient.exe | C:\Windows\SysWOW64\RManFUSClient.exe /tray |
| C:\Windows\SysWOW64\getip.exe | "C:\Windows\System32\getip.exe" /start |
Network
| Country | Destination | Domain | Proto | Connections |
| US | 8.8.8.8:53 | www.whatismyip.org | udp | 1 |
| US | 172.67.150.109:80 | www.whatismyip.org | tcp | 257 |
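The network profile is one DNS lookup followed by 257 HTTP connections to www.whatismyip.org inside the 157 s network window, roughly one every 0.6 s. The dropped getip.exe (the binary the second netsh rule, "rmsslocal", opens the firewall for) is the obvious candidate for this traffic, and the destination is a public-address reflector: the behaviour is consistent with a tool polling the host's external IP so it can be reported to the RMS operator. The following Python is an added example, not part of this report: it groups connection records by destination and flags a tight polling loop against an IP reflector. The per-connection timestamps and the benign second destination are constructed (the report gives only the window length, not per-connection times), and the reflector domains other than www.whatismyip.org are an assumption.

```python
"""Flag a dropped binary polling a public-IP reflector in a tight loop.

Added example; not part of the sandbox report. Connection records are
constructed to match the report's network table (1 DNS query, 257 TCP
connections to www.whatismyip.org within a 157 s window); per-connection
timestamps are assumed, since the report does not give them.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Conn:
    t: float      # seconds since detonation start (assumed)
    dst: str      # ip:port as logged
    domain: str
    proto: str

Key = Tuple[str, str, str]   # (dst, domain, proto)

# Public-address reflectors. Contacting one is ordinary; a dropped binary
# hitting one hundreds of times in a few minutes is not.
# www.whatismyip.org is from the report; the others are assumed additions.
IP_REFLECTORS = {"www.whatismyip.org", "api.ipify.org", "icanhazip.com", "ifconfig.me"}

@dataclass
class DestSummary:
    count: int
    first: float
    last: float
    median_gap: float   # seconds between consecutive connections

def summarize(conns: List[Conn]) -> Dict[Key, DestSummary]:
    """Group connections by (dst, domain, proto) and measure their cadence."""
    buckets: Dict[Key, List[float]] = defaultdict(list)
    for c in conns:
        buckets[(c.dst, c.domain, c.proto)].append(c.t)
    out: Dict[Key, DestSummary] = {}
    for key, times in buckets.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        out[key] = DestSummary(len(times), times[0], times[-1],
                               statistics.median(gaps) if gaps else 0.0)
    return out

def flag_ip_lookup_loop(summary: Dict[Key, DestSummary],
                        min_count: int = 20,
                        max_median_gap: float = 5.0) -> List[Key]:
    """IP reflectors hit at least min_count times over TCP with a median
    spacing of max_median_gap seconds or less."""
    return [k for k, s in summary.items()
            if k[1] in IP_REFLECTORS and k[2] == "tcp"
            and s.count >= min_count and s.median_gap <= max_median_gap]

# Constructed records modelled on the report: one DNS query, then 257 HTTP
# connections 0.6 s apart (fits the 157 s window), plus a little unrelated
# traffic (TEST-NET address, example.com) so the filter has something to ignore.
CONNS: List[Conn] = [Conn(2.0, "8.8.8.8:53", "www.whatismyip.org", "udp")]
CONNS += [Conn(3.0 + 0.6 * i, "172.67.150.109:80", "www.whatismyip.org", "tcp")
          for i in range(257)]
CONNS += [Conn(10.0 + 30.0 * i, "198.51.100.7:443", "www.example.com", "tcp")
          for i in range(4)]

if __name__ == "__main__":
    summary = summarize(CONNS)
    for key in flag_ip_lookup_loop(summary):
        s = summary[key]
        print(f"{key[1]} ({key[0]}): {s.count} connections, "
              f"{s.first:.1f}s-{s.last:.1f}s, median gap {s.median_gap:.2f}s")
```

The median gap, not the mean, is used for the cadence so that a single long pause (the host suspended, a timeout) does not hide an otherwise regular loop; the thresholds are starting points and should be tuned against a baseline of how often legitimate software on the fleet consults such services.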
Files
memory/1444-53-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
C:\Windows\exe.js
| MD5 | 609f5808e8f96485a036799cf0c0693e |
| SHA1 | a2d7e0d206328e4e026a06ba43519bd7b39ea6ce |
| SHA256 | a39053edd1b97bb0090ea85644a29e77ecc926bd1a569461d03ae0c1122bada7 |
| SHA512 | 38e1ae4f2d228c78c08fdaf901264ef2cd4f2bcd8df43507458c2795ea6b2335dbb0c4ed8ee9937cb6b0dbcb1c3ee3902c04cc9163bbc11bf590607bd6b4cc4d |
C:\Windows\123.bat
| MD5 | becda9bb961608a782517de7c1664a2c |
| SHA1 | cbbc9fc89240b42b57d04f09fad050f1a09c9ebb |
| SHA256 | 2af23a72380d771db7fcaa2ae41761cab80f815a411b70d79962cf406b062aa9 |
| SHA512 | a61dd46461408b9ee16c9d024ed40a2066ca36fc530fbd39fe820241bf7af9dafc87e77b46810a7e1c30fd07ddfda42431f096220e79a85956da88a52ae6b16a |
C:\Windows\dsfOggMux.dll
| MD5 | 65889701199e41ae2abee652a232af6e |
| SHA1 | 3f76c39fde130b550013a4f13bfea2862b5628cf |
| SHA256 | ef12a65d861a14aed28480946bc56fce479a21e9beac2983239eac6551d4f32e |
| SHA512 | edbb1a1541a546d69e3fd64047a20613b47b3c08f2b639a53160b825c4a1462c4cc08a7bf417aa2db814f412fb16619c6c0d9364e21cc1c6d753ecf81f1d30f5 |
C:\Windows\dsfTheoraEncoder.dll
| MD5 | 5f2fc8a0d96a1e796a4daae9465f5dd6 |
| SHA1 | 224f13f3cbaa441c0cb6d6300715fda7136408ea |
| SHA256 | f8686d8752801bb21c3d94ebe743758d79b9b59f33589ec8620e75a949d1871f |
| SHA512 | da866275159b434205f259176c3937b7c77b14ed95d052152b05b984909e094bbd3b2702d3e874a4a1e1bc02fc5a8476ea43df8aee43542d56e832eacc8f54ad |
C:\Windows\dsfVorbisEncoder.dll
| MD5 | 086a9fd9179aad7911561eeff08cf7e2 |
| SHA1 | d390c28376e08769a06a4a8b46609b3a668f728b |
| SHA256 | 2cede6701b73a4ddd6422fde157ea54644a3a9598b3ba217cf2b30b595cf6282 |
| SHA512 | a98f593a306208da49e57e265daf37d6b1bd9f190fba45d65dd6cfa08801b760f540ea5cc443f9a1512eb5ddc01b1e4e28fc8ddecb9c0f1d42c884c4efaa7193 |
C:\Windows\HookDrv.dll
| MD5 | 895d68b21984db50bfbffc88d289f5da |
| SHA1 | 2cc6625e1fcdeac9dceb6a0f381f52ba574365a8 |
| SHA256 | d3b6c19376b95cb9501181b42b7cbebd44b994d9652ef5fc103eec0d747b8e7d |
| SHA512 | 7d4d78b985c13fcd3ea835db7eab5373881257830e2f3f8cac3efc22b1e6d38ac99d1245539cf286beb6f67f077bb2582980c9f7c4250fd8546ff65edabcd68b |
C:\Windows\Microsoft.VC80.CRT.manifest
| MD5 | d34b3da03c59f38a510eaa8ccc151ec7 |
| SHA1 | 41b978588a9902f5e14b2b693973cb210ed900b2 |
| SHA256 | a50941352cb9d8f7ba6fbf7db5c8af95fb5ab76fc5d60cfd0984e558678908cc |
| SHA512 | 231a97761d652a0fc133b930abba07d456ba6cd70703a632fd7292f6ee00e50ef28562159e54acc3fc6cc118f766ea3f2f8392579ae31cc9c0c1c0dd761d36f7 |
C:\Windows\msvcp80.dll
| MD5 | 8c53ccd787c381cd535d8dcca12584d8 |
| SHA1 | bc7ce60270a58450596aa3e3e5d0a99f731333d9 |
| SHA256 | 384aaee2a103f7ed5c3ba59d4fb2ba22313aaa1fbc5d232c29dbc14d38e0b528 |
| SHA512 | e86c1426f1ad62d8f9bb1196dee647477f71b9aacafabb181f35e639c105779f95f1576b72c0a9216e876430383b8d44f27748b13c25e0548c254a0f641e4755 |
C:\Windows\msvcr80.dll
| MD5 | 1169436ee42f860c7db37a4692b38f0e |
| SHA1 | 4ccd15bf2c1b1d541ac883b0f42497e8ced6a5a3 |
| SHA256 | 9382aaed2db19cd75a70e38964f06c63f19f63c9dfb5a33b0c2d445bb41b6e46 |
| SHA512 | e06064eb95a2ab9c3343672072f5b3f5983fc8ea9e5c92f79e50ba2e259d6d5fa8ed97170dea6d0d032ea6c01e074eefaab850d28965c7522fb7e03d9c65eae0 |
C:\Windows\Russian.lg
| MD5 | 4f4db409d18a2b1dcaff9950b05dbb0d |
| SHA1 | 94e46fdc96864986a2e2ccd28601cf515a26af59 |
| SHA256 | e9856da8ab65fb68541c4799afb74d04bd11a83ca85ec94fdda3ef9845a87d5e |
| SHA512 | 7fa97d7844fd308247fe644e5dbcac8c23601a490a265b56d794a64ac35c197b26c0caf2f28574bd3cf16a6941a4ad13bf4a59e8d5f0ea675e7936ea2e5b3d22 |
C:\Windows\PushSource.ax
| MD5 | fb755251b8b9ac0f35494854f21ccdbf |
| SHA1 | 32de2cbfaf4a6d773f3b94af8e2a6cf66a01eabb |
| SHA256 | ecbc5b49263df7950fd7329dfd44d5ad4da77845ffd1981afe3bd6798e1cd9f5 |
| SHA512 | a78d76ebefaa276f811b16b22caf84045982b305c13efb824db8b16b668fe07421486711567bfe83ecd4509a7b2896a0decaff624209c159f5a9e8b3e1dce215 |
C:\Windows\RManFUSClient.exe
| MD5 | 2373f5ee5c54e483a8581a5f77efeb83 |
| SHA1 | cb8fe617c1231dbc6abccedfda6687bea73811aa |
| SHA256 | 3fd95a561fee6bdd5729a6e200db491fe4814e281df80c9666e7ec10c6b78ed6 |
| SHA512 | e07fdd9bab0eaf9f6b7f42d0b2c72e99ea294f5239ff12b74feff7e5491b93f1435fc277bb6fc6328501c3b4e7631acfec1e8cf62e8b172eafa49f9fd5bd6e39 |
C:\Windows\RManIpcServer.dll
| MD5 | 7d94872e3bbf6b60aec6bfe03f2423d7 |
| SHA1 | 67dd0a451e5a5247d077ffe347f404a0334b2d10 |
| SHA256 | a39ffbec4e0df7ad55467e2954d7cbb47b8116c46e348d419daed65bf55744e7 |
| SHA512 | 25835b2d7ed18e85ab2939e00c1de66dd7a79dd95c08b692f97f6eb9217cc43a665eeaae5e7d216581ef5fa418353b24fc9f7d9b9ff022a6057b9801968a827b |
C:\Windows\RManServer.exe
| MD5 | 3741871591255572c033bd5cf1dbc9f4 |
| SHA1 | 76130a825c5b9c0a662f31fe4afd92914ba4653f |
| SHA256 | 5951f01b5f515a12da71ca61f4d2da4718201de53523a093b910701287454c77 |
| SHA512 | 30fff32979a4366bead3cbd6a8f610019d1af9ce6324e0cf4785cf9b19562a6bdb18d71bd1fcb7b0922eae090c3a5cbd0725ef5d5dce3fec091b7620a448ae92 |
C:\Windows\RManWLN.dll
| MD5 | 4ed36e9479243d9426b196f306d21d04 |
| SHA1 | e102a9b2a8101b1105f6e3996df3ce6af17f31f4 |
| SHA256 | f54a5149b1df0f141ca14844fd38458761ebd43bdd63e7f516a88370ac0c917d |
| SHA512 | 46d94a53d0871d7ff728a2b6afd39b83978b37241e7f3e01e0d6e79de57ff81f20e081f4f210efd294ce274e5a79934078de4662d4da974a3279e5d6c93df5af |
C:\Windows\1.rar
| MD5 | 4297ecd8a5ad9cfea3df2d2251ab9a72 |
| SHA1 | 10e8b6df371667b9a74b850ed174d2c5aa2fbdba |
| SHA256 | edd4061058d876567e5ced90ec00480685afc63fec939a926fa81b893ad6c7ac |
| SHA512 | 1f7c951bd4919c12c807b8411b0bc5b1841f26b259da3c154594d52360ef15fb9a7ea42e0e9b7055b94ce4d8f7c700dece227ff0f013b1c0a6fc6e7b2eef194a |
C:\Windows\getip.exe
| MD5 | d7ca2cf7cabf9a8e32884a96ac34306d |
| SHA1 | 586f6f5716a267f52f34104584247dd68d864a8d |
| SHA256 | 2b4fb384269201a8e3d8012e7b0ae4f8d07a65359dec1cae27d6604c38f69226 |
| SHA512 | 84990d86fe3783fe7ffde55420120e1a822085dcd17c5bbee98308a787f1b95581ce587a6fa726fd0b9fafe44275f20eef9616f5de3d0af67baeba7eef564e46 |
\Windows\SysWOW64\RManServer.exe
| MD5 | 3741871591255572c033bd5cf1dbc9f4 |
| SHA1 | 76130a825c5b9c0a662f31fe4afd92914ba4653f |
| SHA256 | 5951f01b5f515a12da71ca61f4d2da4718201de53523a093b910701287454c77 |
| SHA512 | 30fff32979a4366bead3cbd6a8f610019d1af9ce6324e0cf4785cf9b19562a6bdb18d71bd1fcb7b0922eae090c3a5cbd0725ef5d5dce3fec091b7620a448ae92 |
C:\Windows\SysWOW64\RManServer.exe
| MD5 | 3741871591255572c033bd5cf1dbc9f4 |
| SHA1 | 76130a825c5b9c0a662f31fe4afd92914ba4653f |
| SHA256 | 5951f01b5f515a12da71ca61f4d2da4718201de53523a093b910701287454c77 |
| SHA512 | 30fff32979a4366bead3cbd6a8f610019d1af9ce6324e0cf4785cf9b19562a6bdb18d71bd1fcb7b0922eae090c3a5cbd0725ef5d5dce3fec091b7620a448ae92 |
memory/1460-79-0x00000000001D0000-0x00000000001D1000-memory.dmp
C:\Windows\SysWOW64\RManWLN.dll
| MD5 | 4ed36e9479243d9426b196f306d21d04 |
| SHA1 | e102a9b2a8101b1105f6e3996df3ce6af17f31f4 |
| SHA256 | f54a5149b1df0f141ca14844fd38458761ebd43bdd63e7f516a88370ac0c917d |
| SHA512 | 46d94a53d0871d7ff728a2b6afd39b83978b37241e7f3e01e0d6e79de57ff81f20e081f4f210efd294ce274e5a79934078de4662d4da974a3279e5d6c93df5af |
C:\Windows\123.reg
| MD5 | c546f14ba36ca8e366b196fef1da8f48 |
| SHA1 | ccf826b01df1aa427e71192d0245e6bcc9cac356 |
| SHA256 | 1b026382cd7a66de19406e2ed368422175475d1d8da3d85490ef6b2a009f37ee |
| SHA512 | 91969a4543eb53ad4e813f0b92322ccb3e2ec96ef398245655a65181d0cad0a8077eb0b95cf0c4be9101e3ae8670ce8f347a3ec5bcbc5be9af8140aee353dc62 |
memory/1980-89-0x0000000000230000-0x0000000000231000-memory.dmp
memory/988-88-0x0000000000240000-0x0000000000241000-memory.dmp
C:\Windows\SysWOW64\Russian.lg
| MD5 | 4f4db409d18a2b1dcaff9950b05dbb0d |
| SHA1 | 94e46fdc96864986a2e2ccd28601cf515a26af59 |
| SHA256 | e9856da8ab65fb68541c4799afb74d04bd11a83ca85ec94fdda3ef9845a87d5e |
| SHA512 | 7fa97d7844fd308247fe644e5dbcac8c23601a490a265b56d794a64ac35c197b26c0caf2f28574bd3cf16a6941a4ad13bf4a59e8d5f0ea675e7936ea2e5b3d22 |
C:\Windows\SysWOW64\RManFUSClient.exe
| MD5 | 2373f5ee5c54e483a8581a5f77efeb83 |
| SHA1 | cb8fe617c1231dbc6abccedfda6687bea73811aa |
| SHA256 | 3fd95a561fee6bdd5729a6e200db491fe4814e281df80c9666e7ec10c6b78ed6 |
| SHA512 | e07fdd9bab0eaf9f6b7f42d0b2c72e99ea294f5239ff12b74feff7e5491b93f1435fc277bb6fc6328501c3b4e7631acfec1e8cf62e8b172eafa49f9fd5bd6e39 |
\Windows\SysWOW64\RManFUSClient.exe
| MD5 | 2373f5ee5c54e483a8581a5f77efeb83 |
| SHA1 | cb8fe617c1231dbc6abccedfda6687bea73811aa |
| SHA256 | 3fd95a561fee6bdd5729a6e200db491fe4814e281df80c9666e7ec10c6b78ed6 |
| SHA512 | e07fdd9bab0eaf9f6b7f42d0b2c72e99ea294f5239ff12b74feff7e5491b93f1435fc277bb6fc6328501c3b4e7631acfec1e8cf62e8b172eafa49f9fd5bd6e39 |
\Windows\SysWOW64\getip.exe
| MD5 | d7ca2cf7cabf9a8e32884a96ac34306d |
| SHA1 | 586f6f5716a267f52f34104584247dd68d864a8d |
| SHA256 | 2b4fb384269201a8e3d8012e7b0ae4f8d07a65359dec1cae27d6604c38f69226 |
| SHA512 | 84990d86fe3783fe7ffde55420120e1a822085dcd17c5bbee98308a787f1b95581ce587a6fa726fd0b9fafe44275f20eef9616f5de3d0af67baeba7eef564e46 |
C:\Windows\SysWOW64\getip.exe
| MD5 | d7ca2cf7cabf9a8e32884a96ac34306d |
| SHA1 | 586f6f5716a267f52f34104584247dd68d864a8d |
| SHA256 | 2b4fb384269201a8e3d8012e7b0ae4f8d07a65359dec1cae27d6604c38f69226 |
| SHA512 | 84990d86fe3783fe7ffde55420120e1a822085dcd17c5bbee98308a787f1b95581ce587a6fa726fd0b9fafe44275f20eef9616f5de3d0af67baeba7eef564e46 |
memory/1384-103-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1748-104-0x0000000000230000-0x0000000000231000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-13 13:21
Reported
2022-02-13 13:23
Platform
win10v2004-en-20220113
Max time kernel
152s
Max time network
156s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManFUSClient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManFUSClient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\getip.exe | N/A |
Modifies Windows Firewall
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\HookDrv.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Russian.lg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RManServer.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\getip.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\RManWLN.dll | C:\Windows\SysWOW64\RManServer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft.VC80.CRT.manifest | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcr80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RManWLN.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\dsfOggMux.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcp80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\Russian.lg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RManIpcServer.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\1.rar | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Microsoft.VC80.CRT.manifest | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\msvcp80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\RManFUSClient.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\RManWLN.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\1.rar | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dsfOggMux.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\RManServer.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RManWLN.dll | C:\Windows\SysWOW64\RManServer.exe | N/A |
| File created | C:\Windows\SysWOW64\dsfTheoraEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dsfTheoraEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\dsfVorbisEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dsfVorbisEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\PushSource.ax | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\HookDrv.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RManFUSClient.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\RManIpcServer.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\msvcr80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\PushSource.ax | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\getip.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManFUSClient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManFUSClient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe | "C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Windows\exe.js" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Windows\123.bat" " |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKLM\SYSTEM\Remote Manipulator System" /f |
| C:\Windows\SysWOW64\netsh.exe | netsh firewall add allowedprogram "C:\Windows\system32\RManServer.exe" "rmss" ENABLE |
| C:\Windows\SysWOW64\netsh.exe | netsh firewall add allowedprogram "C:\Windows\system32\getip.exe" "rmsslocal" ENABLE |
| C:\Windows\SysWOW64\RManServer.exe | "C:\Windows\System32\RManServer.exe" /silentinstall |
| C:\Windows\SysWOW64\regedit.exe | regedit /s "123.reg" |
| C:\Windows\SysWOW64\RManServer.exe | "C:\Windows\System32\RManServer.exe" /start |
| C:\Windows\SysWOW64\RManServer.exe | C:\Windows\SysWOW64\RManServer.exe |
| C:\Windows\SysWOW64\RManFUSClient.exe | "C:\Windows\SysWOW64\RManFUSClient.exe" |
| C:\Windows\SysWOW64\RManFUSClient.exe | C:\Windows\SysWOW64\RManFUSClient.exe /tray |
| C:\Windows\SysWOW64\getip.exe | "C:\Windows\System32\getip.exe" /start |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv |
| C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding |
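The process list above is the whole installation procedure of the dropped RMS (Remote Manipulator System) build: a .js stager under C:\Windows runs 123.bat, which wipes the old RMS registry key, punches two firewall exceptions, runs RManServer.exe /silentinstall, imports 123.reg silently and then starts the service. Two things to keep in mind when turning this into a detection: the sample is 32-bit, so although the batch names C:\Windows\system32, WOW64 file-system redirection places and runs the files under SysWOW64 (hence every image path above is SysWOW64 while the netsh rule text says system32), so match on file name rather than full path; and the svchost.exe -k netsvcs -p -s wuauserv and TiWorker.exe entries are the Windows 10 image's own update and servicing activity, not the sample's. The detector below is an added example for this report, not code from the sandbox or from the RMS product. The event fields and the parent/child pids in SAMPLE_EVENTS are assumptions (the report lists command lines but not which process spawned which); the command lines themselves are the ones above.

```python
"""Reconstruct the RMS silent-install chain from process-creation events.

Added example for this report; not code from the sandbox or from the
RMS (Remote Manipulator System) product. The event fields (pid, ppid,
image, cmdline) and the parent/child links in SAMPLE_EVENTS are assumptions:
the report lists the command lines but not which process spawned which.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# (rule name, regex over the lower-cased command line). Each pattern is taken
# from a command line in the report's process list, not from RMS documentation.
# Paths are matched on file name only: the 32-bit batch names C:\Windows\system32
# while WOW64 redirection actually places and runs the files under SysWOW64.
RULES = [
    ("rms_reg_cleanup",
     r'reg\s+delete\s+"hklm\\system\\remote manipulator system"'),
    ("rms_firewall_allow",
     r'netsh\s+firewall\s+add\s+allowedprogram\s+"[^"]*\\(rmanserver|getip)\.exe"'),
    ("rms_silent_install",
     r'rmanserver\.exe"?\s+/silentinstall\b'),
    ("silent_reg_import",
     r'regedit(\.exe)?\s+/s\s+"?[^"]+\.reg"?'),
    ("rms_service_start",
     r'rmanserver\.exe"?\s+/start\b'),
]


def match_rules(cmdline: str) -> list[str]:
    """Names of every rule whose pattern occurs in this command line."""
    lowered = cmdline.lower()
    return [name for name, pattern in RULES if re.search(pattern, lowered)]


def _batch_ancestor(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> ProcEvent:
    """Nearest cmd.exe ancestor (the batch interpreter), or ev itself if none.
    The install steps are sibling children of one cmd.exe running 123.bat, so
    grouping on that ancestor ties the individual commands back together."""
    cur, seen = ev, set()
    while cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        if cur.image.lower().endswith("\\cmd.exe"):
            return cur
    return ev


def find_rms_install_chains(events: list[ProcEvent],
                            min_rules: int = 3) -> dict[int, list[str]]:
    """Map each batch-interpreter pid to the distinct rules its children tripped,
    keeping only groups that hit at least min_rules. One netsh or regedit call is
    ordinary admin activity; the combination inside one batch is the signal."""
    by_pid = {e.pid: e for e in events}
    hits: dict[int, set[str]] = {}
    for ev in events:
        names = match_rules(ev.cmdline)
        if names:
            root = _batch_ancestor(ev, by_pid)
            hits.setdefault(root.pid, set()).update(names)
    return {pid: sorted(n) for pid, n in hits.items() if len(n) >= min_rules}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe"

# Constructed from the report's process list; pids and ppids are invented.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(101, 100, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Windows\exe.js"'),
    ProcEvent(102, 101, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Windows\123.bat" "'),
    ProcEvent(103, 102, r"C:\Windows\SysWOW64\reg.exe",
              r'reg delete "HKLM\SYSTEM\Remote Manipulator System" /f'),
    ProcEvent(104, 102, r"C:\Windows\SysWOW64\netsh.exe",
              r'netsh firewall add allowedprogram "C:\Windows\system32\RManServer.exe" "rmss" ENABLE'),
    ProcEvent(105, 102, r"C:\Windows\SysWOW64\netsh.exe",
              r'netsh firewall add allowedprogram "C:\Windows\system32\getip.exe" "rmsslocal" ENABLE'),
    ProcEvent(106, 102, r"C:\Windows\SysWOW64\RManServer.exe",
              r'"C:\Windows\System32\RManServer.exe" /silentinstall'),
    ProcEvent(107, 102, r"C:\Windows\SysWOW64\regedit.exe", r'regedit /s "123.reg"'),
    ProcEvent(108, 102, r"C:\Windows\SysWOW64\RManServer.exe",
              r'"C:\Windows\System32\RManServer.exe" /start'),
    ProcEvent(109, 102, r"C:\Windows\SysWOW64\getip.exe",
              r'"C:\Windows\System32\getip.exe" /start'),
    # Windows Update activity from the sandbox image, not the sample.
    ProcEvent(200, 1, r"C:\Windows\system32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"),
]


if __name__ == "__main__":
    for pid, rules in find_rms_install_chains(SAMPLE_EVENTS).items():
        print(f"batch pid {pid}: RMS silent-install chain -> {', '.join(rules)}")
```

Run against the constructed events it reports one chain, rooted at the cmd.exe that ran 123.bat, with all five rules tripped; the benign svchost entry matches nothing, and a lone RManServer.exe /silentinstall with no surrounding batch stays below the three-rule threshold, which is deliberate because RMS is also a legitimately licensed remote-administration product.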
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | www.whatismyip.org | udp | 1 |
| US | 104.21.30.24:80 | www.whatismyip.org | tcp | 34 |
| NL | 67.26.111.254:80 | | tcp | 3 |
| US | 104.21.30.24:80 | www.whatismyip.org | tcp | 221 |
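The network table is one DNS lookup followed by 255 plain-HTTP connections to www.whatismyip.org inside a run of about 150 seconds, which is consistent with the getip.exe component started with /start and allowed through the firewall as "rmsslocal": an external-IP lookup polled in a tight loop. That rate, not the destination by itself, is the useful signal, since a single request to an IP-echo service is common and benign. The sliding-window detector below is an added example written for this report, not the sandbox's or RMS's code. The proxy log format ("<ISO timestamp> <client ip> <host> <status>"), the client addresses and the threshold are constructed assumptions; www.whatismyip.org comes from the table, and the other IP-echo hosts in the set are further well-known services of the same kind that a hunter would add.

```python
"""Flag a host that keeps polling an external-IP lookup service.

Added example for this report, not the sandbox's code. The proxy log format
("<ISO timestamp> <client ip> <host> <status>"), the client addresses, the
threshold and the window are constructed assumptions; www.whatismyip.org is
the destination in the report's Network table.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

# www.whatismyip.org is in the report; the rest are other well-known IP-echo
# services (assumed list, extend as needed).
IP_ECHO_DOMAINS = {"www.whatismyip.org", "api.ipify.org", "icanhazip.com", "ifconfig.me"}


def parse_line(line: str) -> tuple[datetime, str, str]:
    """Split one constructed proxy log line into (timestamp, client, host)."""
    ts, client, host, _status = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), client, host


def detect_ip_echo_polling(lines, threshold: int = 20,
                           window: timedelta = timedelta(seconds=120)):
    """Return (client, host, hits) for every client/IP-echo-host pair whose
    request count inside any `window` reaches `threshold`; one alert per pair.
    Lines are expected in chronological order, as a log file would deliver them."""
    recent: dict[tuple[str, str], deque] = defaultdict(deque)
    alerted: set[tuple[str, str]] = set()
    alerts = []
    for line in lines:
        ts, client, host = parse_line(line)
        if host not in IP_ECHO_DOMAINS:
            continue
        key = (client, host)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:      # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((client, host, len(q)))
    return alerts


def build_sample_log() -> list[str]:
    """Constructed log: 10.0.0.5 polls www.whatismyip.org every 2 s (the getip.exe
    pattern), 10.0.0.7 does a handful of ordinary one-off lookups."""
    start = datetime(2022, 2, 13, 13, 22, 0)
    lines = []
    for i in range(60):
        t = (start + timedelta(seconds=2 * i)).isoformat() + "Z"
        lines.append(f"{t} 10.0.0.5 www.whatismyip.org 200")
        if i % 20 == 0:
            lines.append(f"{t} 10.0.0.7 www.whatismyip.org 200")
        if i % 10 == 0:
            lines.append(f"{t} 10.0.0.7 example.com 200")
    return lines


if __name__ == "__main__":
    for client, host, hits in detect_ip_echo_polling(build_sample_log()):
        print(f"{client} reached {hits} requests to {host} within the window")
```

On the constructed log only 10.0.0.5 trips the threshold (20 requests inside 120 seconds, reached after 38 seconds of polling); 10.0.0.7's three lookups never do. Tune threshold and window against your own proxy baseline before deploying.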
Files
C:\Windows\exe.js
| MD5 | 609f5808e8f96485a036799cf0c0693e |
| SHA1 | a2d7e0d206328e4e026a06ba43519bd7b39ea6ce |
| SHA256 | a39053edd1b97bb0090ea85644a29e77ecc926bd1a569461d03ae0c1122bada7 |
| SHA512 | 38e1ae4f2d228c78c08fdaf901264ef2cd4f2bcd8df43507458c2795ea6b2335dbb0c4ed8ee9937cb6b0dbcb1c3ee3902c04cc9163bbc11bf590607bd6b4cc4d |
C:\Windows\123.bat
| MD5 | becda9bb961608a782517de7c1664a2c |
| SHA1 | cbbc9fc89240b42b57d04f09fad050f1a09c9ebb |
| SHA256 | 2af23a72380d771db7fcaa2ae41761cab80f815a411b70d79962cf406b062aa9 |
| SHA512 | a61dd46461408b9ee16c9d024ed40a2066ca36fc530fbd39fe820241bf7af9dafc87e77b46810a7e1c30fd07ddfda42431f096220e79a85956da88a52ae6b16a |
C:\Windows\dsfTheoraEncoder.dll
| MD5 | 5f2fc8a0d96a1e796a4daae9465f5dd6 |
| SHA1 | 224f13f3cbaa441c0cb6d6300715fda7136408ea |
| SHA256 | f8686d8752801bb21c3d94ebe743758d79b9b59f33589ec8620e75a949d1871f |
| SHA512 | da866275159b434205f259176c3937b7c77b14ed95d052152b05b984909e094bbd3b2702d3e874a4a1e1bc02fc5a8476ea43df8aee43542d56e832eacc8f54ad |
C:\Windows\dsfOggMux.dll
| MD5 | 65889701199e41ae2abee652a232af6e |
| SHA1 | 3f76c39fde130b550013a4f13bfea2862b5628cf |
| SHA256 | ef12a65d861a14aed28480946bc56fce479a21e9beac2983239eac6551d4f32e |
| SHA512 | edbb1a1541a546d69e3fd64047a20613b47b3c08f2b639a53160b825c4a1462c4cc08a7bf417aa2db814f412fb16619c6c0d9364e21cc1c6d753ecf81f1d30f5 |
C:\Windows\dsfVorbisEncoder.dll
| MD5 | 086a9fd9179aad7911561eeff08cf7e2 |
| SHA1 | d390c28376e08769a06a4a8b46609b3a668f728b |
| SHA256 | 2cede6701b73a4ddd6422fde157ea54644a3a9598b3ba217cf2b30b595cf6282 |
| SHA512 | a98f593a306208da49e57e265daf37d6b1bd9f190fba45d65dd6cfa08801b760f540ea5cc443f9a1512eb5ddc01b1e4e28fc8ddecb9c0f1d42c884c4efaa7193 |
C:\Windows\HookDrv.dll
| MD5 | 895d68b21984db50bfbffc88d289f5da |
| SHA1 | 2cc6625e1fcdeac9dceb6a0f381f52ba574365a8 |
| SHA256 | d3b6c19376b95cb9501181b42b7cbebd44b994d9652ef5fc103eec0d747b8e7d |
| SHA512 | 7d4d78b985c13fcd3ea835db7eab5373881257830e2f3f8cac3efc22b1e6d38ac99d1245539cf286beb6f67f077bb2582980c9f7c4250fd8546ff65edabcd68b |
C:\Windows\Microsoft.VC80.CRT.manifest
| MD5 | d34b3da03c59f38a510eaa8ccc151ec7 |
| SHA1 | 41b978588a9902f5e14b2b693973cb210ed900b2 |
| SHA256 | a50941352cb9d8f7ba6fbf7db5c8af95fb5ab76fc5d60cfd0984e558678908cc |
| SHA512 | 231a97761d652a0fc133b930abba07d456ba6cd70703a632fd7292f6ee00e50ef28562159e54acc3fc6cc118f766ea3f2f8392579ae31cc9c0c1c0dd761d36f7 |
C:\Windows\msvcp80.dll
| MD5 | 8c53ccd787c381cd535d8dcca12584d8 |
| SHA1 | bc7ce60270a58450596aa3e3e5d0a99f731333d9 |
| SHA256 | 384aaee2a103f7ed5c3ba59d4fb2ba22313aaa1fbc5d232c29dbc14d38e0b528 |
| SHA512 | e86c1426f1ad62d8f9bb1196dee647477f71b9aacafabb181f35e639c105779f95f1576b72c0a9216e876430383b8d44f27748b13c25e0548c254a0f641e4755 |
C:\Windows\msvcr80.dll
| MD5 | 1169436ee42f860c7db37a4692b38f0e |
| SHA1 | 4ccd15bf2c1b1d541ac883b0f42497e8ced6a5a3 |
| SHA256 | 9382aaed2db19cd75a70e38964f06c63f19f63c9dfb5a33b0c2d445bb41b6e46 |
| SHA512 | e06064eb95a2ab9c3343672072f5b3f5983fc8ea9e5c92f79e50ba2e259d6d5fa8ed97170dea6d0d032ea6c01e074eefaab850d28965c7522fb7e03d9c65eae0 |
C:\Windows\Russian.lg
| MD5 | 4f4db409d18a2b1dcaff9950b05dbb0d |
| SHA1 | 94e46fdc96864986a2e2ccd28601cf515a26af59 |
| SHA256 | e9856da8ab65fb68541c4799afb74d04bd11a83ca85ec94fdda3ef9845a87d5e |
| SHA512 | 7fa97d7844fd308247fe644e5dbcac8c23601a490a265b56d794a64ac35c197b26c0caf2f28574bd3cf16a6941a4ad13bf4a59e8d5f0ea675e7936ea2e5b3d22 |
C:\Windows\PushSource.ax
| MD5 | fb755251b8b9ac0f35494854f21ccdbf |
| SHA1 | 32de2cbfaf4a6d773f3b94af8e2a6cf66a01eabb |
| SHA256 | ecbc5b49263df7950fd7329dfd44d5ad4da77845ffd1981afe3bd6798e1cd9f5 |
| SHA512 | a78d76ebefaa276f811b16b22caf84045982b305c13efb824db8b16b668fe07421486711567bfe83ecd4509a7b2896a0decaff624209c159f5a9e8b3e1dce215 |
C:\Windows\RManFUSClient.exe
| MD5 | 2373f5ee5c54e483a8581a5f77efeb83 |
| SHA1 | cb8fe617c1231dbc6abccedfda6687bea73811aa |
| SHA256 | 3fd95a561fee6bdd5729a6e200db491fe4814e281df80c9666e7ec10c6b78ed6 |
| SHA512 | e07fdd9bab0eaf9f6b7f42d0b2c72e99ea294f5239ff12b74feff7e5491b93f1435fc277bb6fc6328501c3b4e7631acfec1e8cf62e8b172eafa49f9fd5bd6e39 |
C:\Windows\RManIpcServer.dll
| MD5 | 7d94872e3bbf6b60aec6bfe03f2423d7 |
| SHA1 | 67dd0a451e5a5247d077ffe347f404a0334b2d10 |
| SHA256 | a39ffbec4e0df7ad55467e2954d7cbb47b8116c46e348d419daed65bf55744e7 |
| SHA512 | 25835b2d7ed18e85ab2939e00c1de66dd7a79dd95c08b692f97f6eb9217cc43a665eeaae5e7d216581ef5fa418353b24fc9f7d9b9ff022a6057b9801968a827b |
C:\Windows\RManServer.exe
| MD5 | 3741871591255572c033bd5cf1dbc9f4 |
| SHA1 | 76130a825c5b9c0a662f31fe4afd92914ba4653f |
| SHA256 | 5951f01b5f515a12da71ca61f4d2da4718201de53523a093b910701287454c77 |
| SHA512 | 30fff32979a4366bead3cbd6a8f610019d1af9ce6324e0cf4785cf9b19562a6bdb18d71bd1fcb7b0922eae090c3a5cbd0725ef5d5dce3fec091b7620a448ae92 |
C:\Windows\RManWLN.dll
| MD5 | 4ed36e9479243d9426b196f306d21d04 |
| SHA1 | e102a9b2a8101b1105f6e3996df3ce6af17f31f4 |
| SHA256 | f54a5149b1df0f141ca14844fd38458761ebd43bdd63e7f516a88370ac0c917d |
| SHA512 | 46d94a53d0871d7ff728a2b6afd39b83978b37241e7f3e01e0d6e79de57ff81f20e081f4f210efd294ce274e5a79934078de4662d4da974a3279e5d6c93df5af |
C:\Windows\1.rar
| MD5 | 4297ecd8a5ad9cfea3df2d2251ab9a72 |
| SHA1 | 10e8b6df371667b9a74b850ed174d2c5aa2fbdba |
| SHA256 | edd4061058d876567e5ced90ec00480685afc63fec939a926fa81b893ad6c7ac |
| SHA512 | 1f7c951bd4919c12c807b8411b0bc5b1841f26b259da3c154594d52360ef15fb9a7ea42e0e9b7055b94ce4d8f7c700dece227ff0f013b1c0a6fc6e7b2eef194a |
C:\Windows\getip.exe
| MD5 | d7ca2cf7cabf9a8e32884a96ac34306d |
| SHA1 | 586f6f5716a267f52f34104584247dd68d864a8d |
| SHA256 | 2b4fb384269201a8e3d8012e7b0ae4f8d07a65359dec1cae27d6604c38f69226 |
| SHA512 | 84990d86fe3783fe7ffde55420120e1a822085dcd17c5bbee98308a787f1b95581ce587a6fa726fd0b9fafe44275f20eef9616f5de3d0af67baeba7eef564e46 |
C:\Windows\SysWOW64\RManServer.exe
| MD5 | 3741871591255572c033bd5cf1dbc9f4 |
| SHA1 | 76130a825c5b9c0a662f31fe4afd92914ba4653f |
| SHA256 | 5951f01b5f515a12da71ca61f4d2da4718201de53523a093b910701287454c77 |
| SHA512 | 30fff32979a4366bead3cbd6a8f610019d1af9ce6324e0cf4785cf9b19562a6bdb18d71bd1fcb7b0922eae090c3a5cbd0725ef5d5dce3fec091b7620a448ae92 |
C:\Windows\SysWOW64\getip.exe
| MD5 | d7ca2cf7cabf9a8e32884a96ac34306d |
| SHA1 | 586f6f5716a267f52f34104584247dd68d864a8d |
| SHA256 | 2b4fb384269201a8e3d8012e7b0ae4f8d07a65359dec1cae27d6604c38f69226 |
| SHA512 | 84990d86fe3783fe7ffde55420120e1a822085dcd17c5bbee98308a787f1b95581ce587a6fa726fd0b9fafe44275f20eef9616f5de3d0af67baeba7eef564e46 |
C:\Windows\SysWOW64\RManWLN.dll
| MD5 | 4ed36e9479243d9426b196f306d21d04 |
| SHA1 | e102a9b2a8101b1105f6e3996df3ce6af17f31f4 |
| SHA256 | f54a5149b1df0f141ca14844fd38458761ebd43bdd63e7f516a88370ac0c917d |
| SHA512 | 46d94a53d0871d7ff728a2b6afd39b83978b37241e7f3e01e0d6e79de57ff81f20e081f4f210efd294ce274e5a79934078de4662d4da974a3279e5d6c93df5af |
C:\Windows\123.reg
| MD5 | c546f14ba36ca8e366b196fef1da8f48 |
| SHA1 | ccf826b01df1aa427e71192d0245e6bcc9cac356 |
| SHA256 | 1b026382cd7a66de19406e2ed368422175475d1d8da3d85490ef6b2a009f37ee |
| SHA512 | 91969a4543eb53ad4e813f0b92322ccb3e2ec96ef398245655a65181d0cad0a8077eb0b95cf0c4be9101e3ae8670ce8f347a3ec5bcbc5be9af8140aee353dc62 |
C:\Windows\SysWOW64\RManFUSClient.exe
| MD5 | 2373f5ee5c54e483a8581a5f77efeb83 |
| SHA1 | cb8fe617c1231dbc6abccedfda6687bea73811aa |
| SHA256 | 3fd95a561fee6bdd5729a6e200db491fe4814e281df80c9666e7ec10c6b78ed6 |
| SHA512 | e07fdd9bab0eaf9f6b7f42d0b2c72e99ea294f5239ff12b74feff7e5491b93f1435fc277bb6fc6328501c3b4e7631acfec1e8cf62e8b172eafa49f9fd5bd6e39 |
C:\Windows\SysWOW64\Russian.lg
| MD5 | 4f4db409d18a2b1dcaff9950b05dbb0d |
| SHA1 | 94e46fdc96864986a2e2ccd28601cf515a26af59 |
| SHA256 | e9856da8ab65fb68541c4799afb74d04bd11a83ca85ec94fdda3ef9845a87d5e |
| SHA512 | 7fa97d7844fd308247fe644e5dbcac8c23601a490a265b56d794a64ac35c197b26c0caf2f28574bd3cf16a6941a4ad13bf4a59e8d5f0ea675e7936ea2e5b3d22 |
memory/3192-159-0x0000000002700000-0x0000000002701000-memory.dmp
memory/1444-160-0x0000000001090000-0x0000000001091000-memory.dmp
memory/2800-161-0x00000000026F0000-0x00000000026F1000-memory.dmp
memory/3260-163-0x0000029471F20000-0x0000029471F30000-memory.dmp
memory/3260-162-0x0000029471960000-0x0000029471970000-memory.dmp
memory/3260-164-0x00000294745E0000-0x00000294745E4000-memory.dmp