Malware Analysis Report

2024-11-30 19:36

Sample ID 220213-qlmyhsabh5
Target 6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0
SHA256 6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0
Tags
rms xmrig evasion miner rat trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0

Threat Level: Known bad

The file 6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0 was found to be: Known bad.

Malicious Activity Summary

rms xmrig evasion miner rat trojan upx

xmrig

RMS

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Runs .reg file with regedit

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-13 13:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-13 13:21

Reported

2022-02-13 13:23

Platform

win7-en-20211208

Max time kernel

151s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe"

Signatures

RMS

trojan rat rms

xmrig

miner xmrig

Modifies Windows Firewall

evasion

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows collapsed; no per-match details recorded)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HookDrv.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\RManFUSClient.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\RManServer.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\RManWLN.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\getip.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\msvcp80.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\PushSource.ax C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\RManFUSClient.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\RManIpcServer.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\getip.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\dsfVorbisEncoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\Microsoft.VC80.CRT.manifest C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\msvcr80.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\PushSource.ax C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\RManWLN.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\dsfOggMux.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\dsfTheoraEncoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\dsfVorbisEncoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp80.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcr80.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\RManIpcServer.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\RManWLN.dll C:\Windows\SysWOW64\RManServer.exe N/A
File opened for modification C:\Windows\SysWOW64\HookDrv.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\Russian.lg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\Russian.lg C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\1.rar C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\1.rar C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\RManWLN.dll C:\Windows\SysWOW64\RManServer.exe N/A
File opened for modification C:\Windows\SysWOW64\dsfOggMux.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\dsfTheoraEncoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\Microsoft.VC80.CRT.manifest C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\RManServer.exe C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\exe.js C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\Microsoft.VC80.CRT.manifest C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\PushSource.ax C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\msvcp80.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\RManServer.exe C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\123.bat C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\123.reg C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\exe.js C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\msvcr80.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\dsfTheoraEncoder.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\getip.exe C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\HookDrv.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\RManFUSClient.exe C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\RManFUSClient.exe C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\Russian.lg C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\dsfOggMux.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\dsfOggMux.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\__tmp_rar_sfx_access_check_259384874 C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\dsfVorbisEncoder.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\dsfVorbisEncoder.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\RManWLN.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\1.rar C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\123.bat C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\getip.exe C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\HookDrv.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\Microsoft.VC80.CRT.manifest C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\RManWLN.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\1.rar C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\dsfTheoraEncoder.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\msvcp80.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\RManIpcServer.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\RManServer.exe C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\Russian.lg C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\msvcr80.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\PushSource.ax C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\RManIpcServer.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\123.reg C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
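The two drop tables above show cmd.exe and the dropper in the user's Temp directory writing executables and DLLs straight into C:\Windows and C:\Windows\SysWOW64, with RManServer.exe then writing RManWLN.dll itself. The following is an added example (not part of the sandbox report) of detection logic over rows in exactly this layout; the rows are a constructed subset of the tables, and the untrusted-writer heuristic (shell/script hosts, writers under C:\Users, and writers that are themselves flagged drops) is an assumption chosen to illustrate the check:

```python
"""Flag executable code dropped into the Windows system directories by an untrusted writer.

Added example; not part of the sandbox report. SAMPLE_ROWS is CONSTRUCTED in the
report's "Description Indicator Process Target" layout from a subset of the two
drop tables; the untrusted-writer heuristic is an assumption for illustration.
Paths in this layout contain no spaces, which the parser relies on.
"""
import ntpath

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe"

SAMPLE_ROWS = [
    r"File created C:\Windows\SysWOW64\HookDrv.dll C:\Windows\SysWOW64\cmd.exe N/A",
    r"File created C:\Windows\SysWOW64\RManServer.exe C:\Windows\SysWOW64\cmd.exe N/A",
    r"File opened for modification C:\Windows\SysWOW64\RManServer.exe C:\Windows\SysWOW64\cmd.exe N/A",
    r"File created C:\Windows\SysWOW64\Russian.lg C:\Windows\SysWOW64\cmd.exe N/A",
    r"File created C:\Windows\SysWOW64\RManWLN.dll C:\Windows\SysWOW64\RManServer.exe N/A",
    "File created C:\\Windows\\RManServer.exe " + SAMPLE_EXE + " N/A",
]

SYSTEM_DIRS = ("c:\\windows\\",)  # prefix match also covers System32 and SysWOW64
CODE_EXTS = {".exe", ".dll", ".ax", ".sys", ".ocx", ".scr"}
SHELL_WRITERS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}


def parse_row(line):
    """The description may be several words; the last three tokens are path, process, target."""
    parts = line.split()
    return {"op": " ".join(parts[:-3]), "path": parts[-3], "process": parts[-2], "target": parts[-1]}


def untrusted_writer(process, tainted):
    p = process.lower()
    return (ntpath.basename(p) in SHELL_WRITERS   # shell or script host writing PE files
            or p.startswith("c:\\users\\")         # writer lives in a user profile (e.g. %TEMP%)
            or p in tainted)                       # writer is itself a flagged drop


def flag_system_drops(rows):
    """Return {dropped path: set of operations}. Iterates to a fixpoint so that drops
    made by already-flagged binaries (RManServer.exe writing RManWLN.dll) are caught
    regardless of row order."""
    flagged, tainted = {}, set()
    changed = True
    while changed:
        changed = False
        for r in rows:
            path = r["path"].lower()
            if not (path.startswith(SYSTEM_DIRS) and ntpath.splitext(path)[1] in CODE_EXTS):
                continue
            if not untrusted_writer(r["process"], tainted):
                continue
            ops = flagged.setdefault(r["path"], set())
            if r["op"] not in ops:
                ops.add(r["op"])
                changed = True
            if path not in tainted:
                tainted.add(path)
                changed = True
    return flagged


if __name__ == "__main__":
    for path, ops in flag_system_drops([parse_row(l) for l in SAMPLE_ROWS]).items():
        print(path, sorted(ops))
```

The fixpoint loop matters for the RManWLN.dll row: its writer is RManServer.exe, which looks like a system binary until the row marking it as a cmd.exe drop is taken into account. Data files such as Russian.lg are ignored by design; they are still useful IOCs, just not evidence of code being planted.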

Enumerates physical storage devices

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\RManServer.exe N/A
N/A N/A C:\Windows\SysWOW64\RManServer.exe N/A
N/A N/A C:\Windows\SysWOW64\RManFUSClient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\RManServer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\RManServer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\RManServer.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\RManServer.exe N/A
Token: 33 (raw privilege LUID left unmapped by the sandbox; 33 is SE_INC_WORKING_SET_PRIVILEGE, i.e. SeIncreaseWorkingSetPrivilege) N/A C:\Windows\SysWOW64\getip.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\getip.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 1444 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe C:\Windows\SysWOW64\WScript.exe 7
PID 832 wrote to memory of 1232 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe 7
PID 1232 wrote to memory of 520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe 7
PID 1232 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe 7
PID 1232 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe 7
PID 1232 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\RManServer.exe 7
PID 1232 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 7
PID 1232 wrote to memory of 988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\RManServer.exe 7
PID 1980 wrote to memory of 1748 N/A C:\Windows\SysWOW64\RManServer.exe C:\Windows\SysWOW64\RManFUSClient.exe 4
PID 1980 wrote to memory of 1384 N/A C:\Windows\SysWOW64\RManServer.exe C:\Windows\SysWOW64\RManFUSClient.exe 4

Identical rows collapsed; Events is the number of times each writer/target pair was recorded. The pairs coincide with the parent/child launches in the Processes section, so this table doubles as the process tree.

Processes

Parent/child relationships follow the WriteProcessMemory table: the sample (PID 1444) launches WScript.exe (832), which runs cmd.exe (1232) on 123.bat; cmd.exe in turn launches reg.exe, netsh.exe twice, RManServer.exe /silentinstall, regedit.exe and RManServer.exe /start. A further RManServer.exe instance (PID 1980) starts RManFUSClient.exe twice; getip.exe /start has no parent recorded in that table. Image paths are recorded under SysWOW64 although the command lines name System32: the dropper and every process it starts are 32-bit, and on this 64-bit guest WoW64 file system redirection maps their System32 paths to SysWOW64. When hunting for these artifacts on a real host, check both directories.

C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe
    "C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe"

C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\exe.js"

C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\123.bat" "

C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Windows\system32\RManServer.exe" "rmss" ENABLE

C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Windows\system32\getip.exe" "rmsslocal" ENABLE

C:\Windows\SysWOW64\RManServer.exe
    "C:\Windows\System32\RManServer.exe" /silentinstall

C:\Windows\SysWOW64\regedit.exe
    regedit /s "123.reg"

C:\Windows\SysWOW64\RManServer.exe
    "C:\Windows\System32\RManServer.exe" /start

C:\Windows\SysWOW64\RManServer.exe
    C:\Windows\SysWOW64\RManServer.exe

C:\Windows\SysWOW64\RManFUSClient.exe
    "C:\Windows\SysWOW64\RManFUSClient.exe"

C:\Windows\SysWOW64\RManFUSClient.exe
    C:\Windows\SysWOW64\RManFUSClient.exe /tray

C:\Windows\SysWOW64\getip.exe
    "C:\Windows\System32\getip.exe" /start
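The chain above is the whole install procedure: a JS launcher, then a batch file that deletes the existing RMS configuration key, adds firewall exceptions for RManServer.exe and getip.exe, runs a silent install, imports a prepared .reg file and starts the service. Below is an added example of detection logic over process-creation events, not code from the report or from the sandbox vendor; the events are constructed to mirror the Processes and WriteProcessMemory tables (Sysmon Event ID 1 style pid/ppid/image/cmdline fields, plus one benign firewall change as a control), and the rule names, patterns and scoring threshold are assumptions:

```python
"""Detect the scripted RMS (Remote Manipulator System) install chain from process-creation telemetry.

Added example; not part of the sandbox report. EVENTS is CONSTRUCTED to mirror the
report's Processes and WriteProcessMemory tables (Sysmon Event ID 1 style fields:
pid, ppid, image, cmdline); the field names, the benign control event, the rule set
and the threshold are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe"

EVENTS = [
    ProcEvent(1444, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(832, 1444, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Windows\exe.js"'),
    ProcEvent(1232, 832, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c ""C:\Windows\123.bat" "'),
    ProcEvent(520, 1232, r"C:\Windows\SysWOW64\reg.exe",
              r'reg delete "HKLM\SYSTEM\Remote Manipulator System" /f'),
    ProcEvent(1440, 1232, r"C:\Windows\SysWOW64\netsh.exe",
              r'netsh firewall add allowedprogram "C:\Windows\system32\RManServer.exe" "rmss" ENABLE'),
    ProcEvent(1828, 1232, r"C:\Windows\SysWOW64\netsh.exe",
              r'netsh firewall add allowedprogram "C:\Windows\system32\getip.exe" "rmsslocal" ENABLE'),
    ProcEvent(1460, 1232, r"C:\Windows\SysWOW64\RManServer.exe",
              r'"C:\Windows\System32\RManServer.exe" /silentinstall'),
    ProcEvent(1208, 1232, r"C:\Windows\SysWOW64\regedit.exe", r'regedit /s "123.reg"'),
    ProcEvent(988, 1232, r"C:\Windows\SysWOW64\RManServer.exe",
              r'"C:\Windows\System32\RManServer.exe" /start'),
    # Constructed benign control: an administrator adding a firewall rule by hand.
    ProcEvent(2000, 1500, r"C:\Windows\System32\netsh.exe",
              r'netsh advfirewall firewall add rule name="Backup" dir=in action=allow program="C:\Program Files\Backup\agent.exe"'),
]

# (rule name, pattern over the lower-cased command line, ancestor image that must be in the chain or None)
RULES = [
    ("rms_silent_install", re.compile(r'rmanserver\.exe"?\s+/silentinstall'), None),
    ("rms_registry_reset", re.compile(r'reg\s+delete\s+"hklm\\system\\remote manipulator system"'), None),
    ("firewall_allow_from_script",
     re.compile(r"netsh\s+(advfirewall\s+)?firewall\s+add\s+(allowedprogram|rule)"), "wscript.exe"),
    ("regedit_silent_import", re.compile(r"regedit(\.exe)?\s+/s\s"), "wscript.exe"),
    ("script_from_windows_dir", re.compile(r'wscript\.exe"?\s+"?c:\\windows\\[^\\"]+\.js'), None),
]


def ancestors(by_pid, ev):
    """Walk ppid links upward; the seen-set guards against cycles in incomplete telemetry."""
    seen = {ev.pid}
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def root_pid(by_pid, ev):
    top = ev
    for a in ancestors(by_pid, ev):
        top = a
    return top.pid


def detect(events, threshold=3):
    """Group rule hits by the root of each process chain and return the chains on
    which at least `threshold` distinct rules fired, as {root pid: sorted rule names}."""
    by_pid = {e.pid: e for e in events}
    per_root = {}
    for ev in events:
        cl = ev.cmdline.lower()
        chain = [a.image.lower().rsplit("\\", 1)[-1] for a in ancestors(by_pid, ev)]
        for name, rx, need in RULES:
            if rx.search(cl) and (need is None or need in chain):
                per_root.setdefault(root_pid(by_pid, ev), set()).add(name)
    return {root: sorted(names) for root, names in per_root.items() if len(names) >= threshold}


if __name__ == "__main__":
    print(detect(EVENTS))
```

Requiring several distinct rules on one chain is what separates this from an administrator legitimately adding a firewall exception: the control event matches the netsh pattern but has no script-host ancestor and no sibling hits, so it is never reported, while the sample's chain trips all five rules from a single root.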

Network

Country Destination Domain Proto Connections
US 8.8.8.8:53 www.whatismyip.org udp 1
US 172.67.150.109:80 www.whatismyip.org tcp 257

The report lists each connection as its own identical row; they are collapsed here with a count. Within the 157 s network window the only activity recorded is one DNS query for www.whatismyip.org and 257 plain-HTTP connections to the resolved public-IP lookup service; no connection to an RMS relay or any other remote host was captured.
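The table records one DNS lookup and 257 plain-HTTP connections to the same public-IP lookup service. The following is an added example (not part of the report) that parses rows in this layout, collapses the duplicates and turns the pattern into triage findings; the sample table is constructed to match the report's counts, and the list of IP-check services is an assumption:

```python
"""Aggregate a sandbox connection table and flag public-IP lookup polling.

Added example; not part of the sandbox report. SAMPLE_TABLE is CONSTRUCTED in the
report's own "Country Destination Domain Proto" layout and repeats the TCP row 257
times, as the report does. IP_CHECK_SERVICES is an illustrative list (an assumption),
not a vendor feed.
"""
from collections import Counter

# Assumption: a short reference list of "what is my IP" services. Remote-access
# tools and malware query these to learn the victim's public address.
IP_CHECK_SERVICES = {"www.whatismyip.org", "api.ipify.org", "icanhazip.com", "ifconfig.me"}

SAMPLE_TABLE = (
    "Country Destination Domain Proto\n"
    "US 8.8.8.8:53 www.whatismyip.org udp\n"
    + "US 172.67.150.109:80 www.whatismyip.org tcp\n" * 257
)


def parse_table(text):
    """Turn the report's space-separated rows into dicts; the first line is the header."""
    rows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def summarise(rows):
    """Collapse identical rows into (host, port, domain, proto) -> connection count."""
    return Counter((r["host"], r["port"], r["domain"], r["proto"]) for r in rows)


def findings(rows, min_polls=10):
    """Return sorted (domain, host, port, finding) tuples worth a triage note:
    repeated contact with an IP-check service, and any cleartext HTTP use."""
    out = []
    for (host, port, domain, proto), n in summarise(rows).items():
        if proto != "tcp":
            continue
        if domain in IP_CHECK_SERVICES and n >= min_polls:
            out.append((domain, host, port, f"public-IP lookup polled {n} times"))
        if port == 80:
            out.append((domain, host, port, "cleartext HTTP"))
    return sorted(out)


if __name__ == "__main__":
    for item in findings(parse_table(SAMPLE_TABLE)):
        print(*item)
```

These are triage notes rather than alerts on their own: a single IP-check lookup is common in legitimate software, and the value here is the repetition and the pairing with the RMS installation seen in the process tree.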

Files

memory/1444-53-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

C:\Windows\exe.js

MD5 609f5808e8f96485a036799cf0c0693e
SHA1 a2d7e0d206328e4e026a06ba43519bd7b39ea6ce
SHA256 a39053edd1b97bb0090ea85644a29e77ecc926bd1a569461d03ae0c1122bada7
SHA512 38e1ae4f2d228c78c08fdaf901264ef2cd4f2bcd8df43507458c2795ea6b2335dbb0c4ed8ee9937cb6b0dbcb1c3ee3902c04cc9163bbc11bf590607bd6b4cc4d

C:\Windows\123.bat

MD5 becda9bb961608a782517de7c1664a2c
SHA1 cbbc9fc89240b42b57d04f09fad050f1a09c9ebb
SHA256 2af23a72380d771db7fcaa2ae41761cab80f815a411b70d79962cf406b062aa9
SHA512 a61dd46461408b9ee16c9d024ed40a2066ca36fc530fbd39fe820241bf7af9dafc87e77b46810a7e1c30fd07ddfda42431f096220e79a85956da88a52ae6b16a

C:\Windows\dsfOggMux.dll

MD5 65889701199e41ae2abee652a232af6e
SHA1 3f76c39fde130b550013a4f13bfea2862b5628cf
SHA256 ef12a65d861a14aed28480946bc56fce479a21e9beac2983239eac6551d4f32e
SHA512 edbb1a1541a546d69e3fd64047a20613b47b3c08f2b639a53160b825c4a1462c4cc08a7bf417aa2db814f412fb16619c6c0d9364e21cc1c6d753ecf81f1d30f5

C:\Windows\dsfTheoraEncoder.dll

MD5 5f2fc8a0d96a1e796a4daae9465f5dd6
SHA1 224f13f3cbaa441c0cb6d6300715fda7136408ea
SHA256 f8686d8752801bb21c3d94ebe743758d79b9b59f33589ec8620e75a949d1871f
SHA512 da866275159b434205f259176c3937b7c77b14ed95d052152b05b984909e094bbd3b2702d3e874a4a1e1bc02fc5a8476ea43df8aee43542d56e832eacc8f54ad

C:\Windows\dsfVorbisEncoder.dll

MD5 086a9fd9179aad7911561eeff08cf7e2
SHA1 d390c28376e08769a06a4a8b46609b3a668f728b
SHA256 2cede6701b73a4ddd6422fde157ea54644a3a9598b3ba217cf2b30b595cf6282
SHA512 a98f593a306208da49e57e265daf37d6b1bd9f190fba45d65dd6cfa08801b760f540ea5cc443f9a1512eb5ddc01b1e4e28fc8ddecb9c0f1d42c884c4efaa7193

C:\Windows\HookDrv.dll

MD5 895d68b21984db50bfbffc88d289f5da
SHA1 2cc6625e1fcdeac9dceb6a0f381f52ba574365a8
SHA256 d3b6c19376b95cb9501181b42b7cbebd44b994d9652ef5fc103eec0d747b8e7d
SHA512 7d4d78b985c13fcd3ea835db7eab5373881257830e2f3f8cac3efc22b1e6d38ac99d1245539cf286beb6f67f077bb2582980c9f7c4250fd8546ff65edabcd68b

C:\Windows\Microsoft.VC80.CRT.manifest

MD5 d34b3da03c59f38a510eaa8ccc151ec7
SHA1 41b978588a9902f5e14b2b693973cb210ed900b2
SHA256 a50941352cb9d8f7ba6fbf7db5c8af95fb5ab76fc5d60cfd0984e558678908cc
SHA512 231a97761d652a0fc133b930abba07d456ba6cd70703a632fd7292f6ee00e50ef28562159e54acc3fc6cc118f766ea3f2f8392579ae31cc9c0c1c0dd761d36f7

C:\Windows\msvcp80.dll

MD5 8c53ccd787c381cd535d8dcca12584d8
SHA1 bc7ce60270a58450596aa3e3e5d0a99f731333d9
SHA256 384aaee2a103f7ed5c3ba59d4fb2ba22313aaa1fbc5d232c29dbc14d38e0b528
SHA512 e86c1426f1ad62d8f9bb1196dee647477f71b9aacafabb181f35e639c105779f95f1576b72c0a9216e876430383b8d44f27748b13c25e0548c254a0f641e4755

C:\Windows\msvcr80.dll

MD5 1169436ee42f860c7db37a4692b38f0e
SHA1 4ccd15bf2c1b1d541ac883b0f42497e8ced6a5a3
SHA256 9382aaed2db19cd75a70e38964f06c63f19f63c9dfb5a33b0c2d445bb41b6e46
SHA512 e06064eb95a2ab9c3343672072f5b3f5983fc8ea9e5c92f79e50ba2e259d6d5fa8ed97170dea6d0d032ea6c01e074eefaab850d28965c7522fb7e03d9c65eae0

C:\Windows\Russian.lg

MD5 4f4db409d18a2b1dcaff9950b05dbb0d
SHA1 94e46fdc96864986a2e2ccd28601cf515a26af59
SHA256 e9856da8ab65fb68541c4799afb74d04bd11a83ca85ec94fdda3ef9845a87d5e
SHA512 7fa97d7844fd308247fe644e5dbcac8c23601a490a265b56d794a64ac35c197b26c0caf2f28574bd3cf16a6941a4ad13bf4a59e8d5f0ea675e7936ea2e5b3d22

C:\Windows\PushSource.ax

MD5 fb755251b8b9ac0f35494854f21ccdbf
SHA1 32de2cbfaf4a6d773f3b94af8e2a6cf66a01eabb
SHA256 ecbc5b49263df7950fd7329dfd44d5ad4da77845ffd1981afe3bd6798e1cd9f5
SHA512 a78d76ebefaa276f811b16b22caf84045982b305c13efb824db8b16b668fe07421486711567bfe83ecd4509a7b2896a0decaff624209c159f5a9e8b3e1dce215

C:\Windows\RManFUSClient.exe

MD5 2373f5ee5c54e483a8581a5f77efeb83
SHA1 cb8fe617c1231dbc6abccedfda6687bea73811aa
SHA256 3fd95a561fee6bdd5729a6e200db491fe4814e281df80c9666e7ec10c6b78ed6
SHA512 e07fdd9bab0eaf9f6b7f42d0b2c72e99ea294f5239ff12b74feff7e5491b93f1435fc277bb6fc6328501c3b4e7631acfec1e8cf62e8b172eafa49f9fd5bd6e39

C:\Windows\RManIpcServer.dll

MD5 7d94872e3bbf6b60aec6bfe03f2423d7
SHA1 67dd0a451e5a5247d077ffe347f404a0334b2d10
SHA256 a39ffbec4e0df7ad55467e2954d7cbb47b8116c46e348d419daed65bf55744e7
SHA512 25835b2d7ed18e85ab2939e00c1de66dd7a79dd95c08b692f97f6eb9217cc43a665eeaae5e7d216581ef5fa418353b24fc9f7d9b9ff022a6057b9801968a827b

C:\Windows\RManServer.exe

MD5 3741871591255572c033bd5cf1dbc9f4
SHA1 76130a825c5b9c0a662f31fe4afd92914ba4653f
SHA256 5951f01b5f515a12da71ca61f4d2da4718201de53523a093b910701287454c77
SHA512 30fff32979a4366bead3cbd6a8f610019d1af9ce6324e0cf4785cf9b19562a6bdb18d71bd1fcb7b0922eae090c3a5cbd0725ef5d5dce3fec091b7620a448ae92

C:\Windows\RManWLN.dll

MD5 4ed36e9479243d9426b196f306d21d04
SHA1 e102a9b2a8101b1105f6e3996df3ce6af17f31f4
SHA256 f54a5149b1df0f141ca14844fd38458761ebd43bdd63e7f516a88370ac0c917d
SHA512 46d94a53d0871d7ff728a2b6afd39b83978b37241e7f3e01e0d6e79de57ff81f20e081f4f210efd294ce274e5a79934078de4662d4da974a3279e5d6c93df5af

C:\Windows\1.rar

MD5 4297ecd8a5ad9cfea3df2d2251ab9a72
SHA1 10e8b6df371667b9a74b850ed174d2c5aa2fbdba
SHA256 edd4061058d876567e5ced90ec00480685afc63fec939a926fa81b893ad6c7ac
SHA512 1f7c951bd4919c12c807b8411b0bc5b1841f26b259da3c154594d52360ef15fb9a7ea42e0e9b7055b94ce4d8f7c700dece227ff0f013b1c0a6fc6e7b2eef194a

C:\Windows\getip.exe

MD5 d7ca2cf7cabf9a8e32884a96ac34306d
SHA1 586f6f5716a267f52f34104584247dd68d864a8d
SHA256 2b4fb384269201a8e3d8012e7b0ae4f8d07a65359dec1cae27d6604c38f69226
SHA512 84990d86fe3783fe7ffde55420120e1a822085dcd17c5bbee98308a787f1b95581ce587a6fa726fd0b9fafe44275f20eef9616f5de3d0af67baeba7eef564e46

\Windows\SysWOW64\RManServer.exe

MD5 3741871591255572c033bd5cf1dbc9f4
SHA1 76130a825c5b9c0a662f31fe4afd92914ba4653f
SHA256 5951f01b5f515a12da71ca61f4d2da4718201de53523a093b910701287454c77
SHA512 30fff32979a4366bead3cbd6a8f610019d1af9ce6324e0cf4785cf9b19562a6bdb18d71bd1fcb7b0922eae090c3a5cbd0725ef5d5dce3fec091b7620a448ae92

C:\Windows\SysWOW64\RManServer.exe

MD5 3741871591255572c033bd5cf1dbc9f4
SHA1 76130a825c5b9c0a662f31fe4afd92914ba4653f
SHA256 5951f01b5f515a12da71ca61f4d2da4718201de53523a093b910701287454c77
SHA512 30fff32979a4366bead3cbd6a8f610019d1af9ce6324e0cf4785cf9b19562a6bdb18d71bd1fcb7b0922eae090c3a5cbd0725ef5d5dce3fec091b7620a448ae92

memory/1460-79-0x00000000001D0000-0x00000000001D1000-memory.dmp

C:\Windows\SysWOW64\RManWLN.dll

MD5 4ed36e9479243d9426b196f306d21d04
SHA1 e102a9b2a8101b1105f6e3996df3ce6af17f31f4
SHA256 f54a5149b1df0f141ca14844fd38458761ebd43bdd63e7f516a88370ac0c917d
SHA512 46d94a53d0871d7ff728a2b6afd39b83978b37241e7f3e01e0d6e79de57ff81f20e081f4f210efd294ce274e5a79934078de4662d4da974a3279e5d6c93df5af

C:\Windows\123.reg

MD5 c546f14ba36ca8e366b196fef1da8f48
SHA1 ccf826b01df1aa427e71192d0245e6bcc9cac356
SHA256 1b026382cd7a66de19406e2ed368422175475d1d8da3d85490ef6b2a009f37ee
SHA512 91969a4543eb53ad4e813f0b92322ccb3e2ec96ef398245655a65181d0cad0a8077eb0b95cf0c4be9101e3ae8670ce8f347a3ec5bcbc5be9af8140aee353dc62

\Windows\SysWOW64\RManServer.exe

MD5 3741871591255572c033bd5cf1dbc9f4
SHA1 76130a825c5b9c0a662f31fe4afd92914ba4653f
SHA256 5951f01b5f515a12da71ca61f4d2da4718201de53523a093b910701287454c77
SHA512 30fff32979a4366bead3cbd6a8f610019d1af9ce6324e0cf4785cf9b19562a6bdb18d71bd1fcb7b0922eae090c3a5cbd0725ef5d5dce3fec091b7620a448ae92

C:\Windows\SysWOW64\RManServer.exe

MD5 3741871591255572c033bd5cf1dbc9f4
SHA1 76130a825c5b9c0a662f31fe4afd92914ba4653f
SHA256 5951f01b5f515a12da71ca61f4d2da4718201de53523a093b910701287454c77
SHA512 30fff32979a4366bead3cbd6a8f610019d1af9ce6324e0cf4785cf9b19562a6bdb18d71bd1fcb7b0922eae090c3a5cbd0725ef5d5dce3fec091b7620a448ae92

C:\Windows\SysWOW64\RManServer.exe

MD5 3741871591255572c033bd5cf1dbc9f4
SHA1 76130a825c5b9c0a662f31fe4afd92914ba4653f
SHA256 5951f01b5f515a12da71ca61f4d2da4718201de53523a093b910701287454c77
SHA512 30fff32979a4366bead3cbd6a8f610019d1af9ce6324e0cf4785cf9b19562a6bdb18d71bd1fcb7b0922eae090c3a5cbd0725ef5d5dce3fec091b7620a448ae92

memory/1980-89-0x0000000000230000-0x0000000000231000-memory.dmp

memory/988-88-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Windows\SysWOW64\Russian.lg

MD5 4f4db409d18a2b1dcaff9950b05dbb0d
SHA1 94e46fdc96864986a2e2ccd28601cf515a26af59
SHA256 e9856da8ab65fb68541c4799afb74d04bd11a83ca85ec94fdda3ef9845a87d5e
SHA512 7fa97d7844fd308247fe644e5dbcac8c23601a490a265b56d794a64ac35c197b26c0caf2f28574bd3cf16a6941a4ad13bf4a59e8d5f0ea675e7936ea2e5b3d22

C:\Windows\SysWOW64\RManFUSClient.exe

MD5 2373f5ee5c54e483a8581a5f77efeb83
SHA1 cb8fe617c1231dbc6abccedfda6687bea73811aa
SHA256 3fd95a561fee6bdd5729a6e200db491fe4814e281df80c9666e7ec10c6b78ed6
SHA512 e07fdd9bab0eaf9f6b7f42d0b2c72e99ea294f5239ff12b74feff7e5491b93f1435fc277bb6fc6328501c3b4e7631acfec1e8cf62e8b172eafa49f9fd5bd6e39

\Windows\SysWOW64\RManFUSClient.exe

MD5 2373f5ee5c54e483a8581a5f77efeb83
SHA1 cb8fe617c1231dbc6abccedfda6687bea73811aa
SHA256 3fd95a561fee6bdd5729a6e200db491fe4814e281df80c9666e7ec10c6b78ed6
SHA512 e07fdd9bab0eaf9f6b7f42d0b2c72e99ea294f5239ff12b74feff7e5491b93f1435fc277bb6fc6328501c3b4e7631acfec1e8cf62e8b172eafa49f9fd5bd6e39

C:\Windows\SysWOW64\RManFUSClient.exe

MD5 2373f5ee5c54e483a8581a5f77efeb83
SHA1 cb8fe617c1231dbc6abccedfda6687bea73811aa
SHA256 3fd95a561fee6bdd5729a6e200db491fe4814e281df80c9666e7ec10c6b78ed6
SHA512 e07fdd9bab0eaf9f6b7f42d0b2c72e99ea294f5239ff12b74feff7e5491b93f1435fc277bb6fc6328501c3b4e7631acfec1e8cf62e8b172eafa49f9fd5bd6e39

\Windows\SysWOW64\RManFUSClient.exe

MD5 2373f5ee5c54e483a8581a5f77efeb83
SHA1 cb8fe617c1231dbc6abccedfda6687bea73811aa
SHA256 3fd95a561fee6bdd5729a6e200db491fe4814e281df80c9666e7ec10c6b78ed6
SHA512 e07fdd9bab0eaf9f6b7f42d0b2c72e99ea294f5239ff12b74feff7e5491b93f1435fc277bb6fc6328501c3b4e7631acfec1e8cf62e8b172eafa49f9fd5bd6e39

C:\Windows\SysWOW64\RManFUSClient.exe

MD5 2373f5ee5c54e483a8581a5f77efeb83
SHA1 cb8fe617c1231dbc6abccedfda6687bea73811aa
SHA256 3fd95a561fee6bdd5729a6e200db491fe4814e281df80c9666e7ec10c6b78ed6
SHA512 e07fdd9bab0eaf9f6b7f42d0b2c72e99ea294f5239ff12b74feff7e5491b93f1435fc277bb6fc6328501c3b4e7631acfec1e8cf62e8b172eafa49f9fd5bd6e39

\Windows\SysWOW64\getip.exe

MD5 d7ca2cf7cabf9a8e32884a96ac34306d
SHA1 586f6f5716a267f52f34104584247dd68d864a8d
SHA256 2b4fb384269201a8e3d8012e7b0ae4f8d07a65359dec1cae27d6604c38f69226
SHA512 84990d86fe3783fe7ffde55420120e1a822085dcd17c5bbee98308a787f1b95581ce587a6fa726fd0b9fafe44275f20eef9616f5de3d0af67baeba7eef564e46

\Windows\SysWOW64\getip.exe

MD5 d7ca2cf7cabf9a8e32884a96ac34306d
SHA1 586f6f5716a267f52f34104584247dd68d864a8d
SHA256 2b4fb384269201a8e3d8012e7b0ae4f8d07a65359dec1cae27d6604c38f69226
SHA512 84990d86fe3783fe7ffde55420120e1a822085dcd17c5bbee98308a787f1b95581ce587a6fa726fd0b9fafe44275f20eef9616f5de3d0af67baeba7eef564e46

C:\Windows\SysWOW64\getip.exe

MD5 d7ca2cf7cabf9a8e32884a96ac34306d
SHA1 586f6f5716a267f52f34104584247dd68d864a8d
SHA256 2b4fb384269201a8e3d8012e7b0ae4f8d07a65359dec1cae27d6604c38f69226
SHA512 84990d86fe3783fe7ffde55420120e1a822085dcd17c5bbee98308a787f1b95581ce587a6fa726fd0b9fafe44275f20eef9616f5de3d0af67baeba7eef564e46

C:\Windows\SysWOW64\getip.exe

MD5 d7ca2cf7cabf9a8e32884a96ac34306d
SHA1 586f6f5716a267f52f34104584247dd68d864a8d
SHA256 2b4fb384269201a8e3d8012e7b0ae4f8d07a65359dec1cae27d6604c38f69226
SHA512 84990d86fe3783fe7ffde55420120e1a822085dcd17c5bbee98308a787f1b95581ce587a6fa726fd0b9fafe44275f20eef9616f5de3d0af67baeba7eef564e46

memory/1384-103-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1748-104-0x0000000000230000-0x0000000000231000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-13 13:21

Reported

2022-02-13 13:23

Platform

win10v2004-en-20220113

Max time kernel

152s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe"

Signatures

RMS

trojan rat rms

Modifies Windows Firewall

evasion

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\HookDrv.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\Russian.lg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\RManServer.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\getip.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\RManWLN.dll C:\Windows\SysWOW64\RManServer.exe N/A
File created C:\Windows\SysWOW64\Microsoft.VC80.CRT.manifest C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcr80.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\RManWLN.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\dsfOggMux.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp80.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\Russian.lg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\RManIpcServer.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\1.rar C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\Microsoft.VC80.CRT.manifest C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\msvcp80.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\RManFUSClient.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\RManWLN.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\1.rar C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\dsfOggMux.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\RManServer.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\RManWLN.dll C:\Windows\SysWOW64\RManServer.exe N/A
File created C:\Windows\SysWOW64\dsfTheoraEncoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\dsfTheoraEncoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\dsfVorbisEncoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\dsfVorbisEncoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\PushSource.ax C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\HookDrv.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\RManFUSClient.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\RManIpcServer.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\msvcr80.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\PushSource.ax C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\getip.exe C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\dsfVorbisEncoder.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\msvcp80.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\1.rar C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A
File created C:\Windows\Russian.lg C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb C:\Windows\system32\svchost.exe N/A
File created C:\Windows\__tmp_rar_sfx_access_check_30225062 C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\getip.exe C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\PushSource.ax C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\RManWLN.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\1.rar C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\dsfOggMux.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\dsfOggMux.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\dsfTheoraEncoder.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\exe.js C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\getip.exe C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\Microsoft.VC80.CRT.manifest C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\PushSource.ax C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\svchost.exe N/A
File created C:\Windows\HookDrv.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\HookDrv.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\RManFUSClient.exe C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\dsfTheoraEncoder.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\RManFUSClient.exe C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\RManServer.exe C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\Russian.lg C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A
File created C:\Windows\dsfVorbisEncoder.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\msvcp80.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\msvcr80.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\msvcr80.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\WinSxS\pending.xml C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File created C:\Windows\123.bat C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\123.reg C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File opened for modification C:\Windows\RManWLN.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\123.bat C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\123.reg C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\exe.js C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\Microsoft.VC80.CRT.manifest C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\RManIpcServer.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File created C:\Windows\RManServer.exe C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A
File opened for modification C:\Windows\RManIpcServer.dll C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\RManServer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\RManServer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\RManServer.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\RManServer.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\getip.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\getip.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A

Suspicious use of WriteProcessMemory

Each parent-to-child write below was logged three times; the identical rows are collapsed into the Writes column.

Description Indicator Process Target Writes
PID 612 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe C:\Windows\SysWOW64\WScript.exe 3
PID 1808 wrote to memory of 2732 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2732 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe 3
PID 2732 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe 3
PID 2732 wrote to memory of 1544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe 3
PID 2732 wrote to memory of 4332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\RManServer.exe 3
PID 2732 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 3
PID 2732 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\RManServer.exe 3
PID 1444 wrote to memory of 2800 N/A C:\Windows\SysWOW64\RManServer.exe C:\Windows\SysWOW64\RManFUSClient.exe 3
PID 1444 wrote to memory of 3192 N/A C:\Windows\SysWOW64\RManServer.exe C:\Windows\SysWOW64\RManFUSClient.exe 3
PID 2732 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\getip.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe

"C:\Users\Admin\AppData\Local\Temp\6dedceeed3e107df1c2e324f80fd5431c8253884fd8aba5df4fc28ec8b6378c0.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\exe.js"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\123.bat" "

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\system32\RManServer.exe" "rmss" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\system32\getip.exe" "rmsslocal" ENABLE

C:\Windows\SysWOW64\RManServer.exe

"C:\Windows\System32\RManServer.exe" /silentinstall

C:\Windows\SysWOW64\regedit.exe

regedit /s "123.reg"

C:\Windows\SysWOW64\RManServer.exe

"C:\Windows\System32\RManServer.exe" /start

C:\Windows\SysWOW64\RManServer.exe

C:\Windows\SysWOW64\RManServer.exe

C:\Windows\SysWOW64\RManFUSClient.exe

"C:\Windows\SysWOW64\RManFUSClient.exe"

C:\Windows\SysWOW64\RManFUSClient.exe

C:\Windows\SysWOW64\RManFUSClient.exe /tray

C:\Windows\SysWOW64\getip.exe

"C:\Windows\System32\getip.exe" /start

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
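
The command lines above are the whole install sequence driven by 123.bat: the RMS service key under HKLM\SYSTEM is reset, two firewall exceptions are added through the deprecated netsh firewall context, the RMS host is installed silently, a .reg file is imported with no prompt, and the host and the getip helper are started. The Python below is an added example, not part of this report or of any sandbox or vendor tooling. It runs regex rules over process-creation events (the fields Sysmon Event ID 1 or a sandbox process list provide) and groups hits by process-tree root, so a tree that both opens the firewall and silently installs the RMS host is rated high. The events are constructed: PIDs and command lines mirror the tree above, the dropper is renamed sample.exe, and two benign rows (PIDs 5000 and 5001) are added as noise. Rule names, function names and the ATT&CK technique IDs are an editorial mapping, not the report's.

```python
"""Rule-based detection of the RMS silent-install chain over process-creation events.

Added example for this report; not sandbox or vendor code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample: PIDs and command lines mirror the process tree in this report;
# the dropper is renamed sample.exe and two benign rows (5000, 5001) are added as noise.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(612, 1, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    ProcEvent(1808, 612, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Windows\exe.js"'),
    ProcEvent(2732, 1808, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Windows\123.bat" "'),
    ProcEvent(4360, 2732, r"C:\Windows\SysWOW64\reg.exe",
              r'reg delete "HKLM\SYSTEM\Remote Manipulator System" /f'),
    ProcEvent(992, 2732, r"C:\Windows\SysWOW64\netsh.exe",
              r'netsh firewall add allowedprogram "C:\Windows\system32\RManServer.exe" "rmss" ENABLE'),
    ProcEvent(1544, 2732, r"C:\Windows\SysWOW64\netsh.exe",
              r'netsh firewall add allowedprogram "C:\Windows\system32\getip.exe" "rmsslocal" ENABLE'),
    ProcEvent(4332, 2732, r"C:\Windows\SysWOW64\RManServer.exe",
              r'"C:\Windows\System32\RManServer.exe" /silentinstall'),
    ProcEvent(4796, 2732, r"C:\Windows\SysWOW64\regedit.exe", r'regedit /s "123.reg"'),
    ProcEvent(4708, 2732, r"C:\Windows\SysWOW64\RManServer.exe",
              r'"C:\Windows\System32\RManServer.exe" /start'),
    ProcEvent(3016, 2732, r"C:\Windows\SysWOW64\getip.exe",
              r'"C:\Windows\System32\getip.exe" /start'),
    ProcEvent(5000, 1, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c regedit /e backup.reg HKCU\Software'),            # benign: registry export
    ProcEvent(5001, 1, r"C:\Windows\System32\svchost.exe",
              r'C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv'),  # benign: Windows Update
]

# (rule name, ATT&CK technique, regex over the command line). Technique IDs are an editorial mapping.
RULES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("script_host_runs_js_from_windows_dir", "T1059.007",
     re.compile(r'(?i)\\(w|c)script\.exe"?\s+"?c:\\windows\\[^\\"]+\.js')),
    # Covers both the deprecated 'netsh firewall' context and 'netsh advfirewall firewall add rule'.
    ("netsh_firewall_allow_program", "T1562.004",
     re.compile(r'(?i)\bnetsh\b.*\bfirewall\b.*\badd\s+(allowedprogram|rule)\b')),
    ("rms_host_silent_install", "T1219",
     re.compile(r'(?i)rmanserver\.exe"?\s+/silentinstall\b')),
    # '/s' imports without a prompt; '/e' (export) must not fire.
    ("regedit_silent_import", "T1112",
     re.compile(r'(?i)\bregedit(\.exe)?"?\s+/s\s+\S')),
    ("rms_service_key_deleted", "T1112",
     re.compile(r'(?i)\breg(\.exe)?\s+delete\s+"?hklm\\system\\remote manipulator system')),
]


def match_rules(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule name, technique) for every rule that fires on a command line."""
    hits = []
    for ev in events:
        for name, technique, rx in RULES:
            if rx.search(ev.cmdline):
                hits.append((ev.pid, name, technique))
    return hits


def ancestry(events: List[ProcEvent], pid: int) -> List[int]:
    """Walk parent links from pid to the tree root: [pid, parent, ..., root]."""
    by_pid = {e.pid: e for e in events}
    chain: List[int] = []
    while pid in by_pid and pid not in chain:  # guard against PID-reuse loops
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


def correlate(events: List[ProcEvent],
              hits: List[Tuple[int, str, str]]) -> Dict[int, Tuple[str, List[str]]]:
    """Group hits by tree root. Firewall exception plus silent RMS install in one tree => high."""
    names_by_root: Dict[int, Set[str]] = {}
    for pid, name, _ in hits:
        root = ancestry(events, pid)[-1]
        names_by_root.setdefault(root, set()).add(name)
    verdicts: Dict[int, Tuple[str, List[str]]] = {}
    for root, names in names_by_root.items():
        high = {"netsh_firewall_allow_program", "rms_host_silent_install"} <= names
        verdicts[root] = ("high" if high else "medium", sorted(names))
    return verdicts


if __name__ == "__main__":
    for root, (severity, names) in correlate(SAMPLE_EVENTS, match_rules(SAMPLE_EVENTS)).items():
        print(f"root pid {root}: {severity} -> {', '.join(names)}")
```

The svchost.exe -k netsvcs -p -s wuauserv and TiWorker.exe entries in the process list are the Windows Update service host and the servicing worker; nothing in the sample's tree writes to them, so the rules ignore them, and the benign regedit /e row shows that a silent import is told apart from an export. The netsh firewall context is deprecated but still accepted on current Windows, so a rule that only looks for netsh advfirewall misses exactly the command used here.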

Network

Country Destination Domain Proto Connections
US 8.8.8.8:53 www.whatismyip.org udp 1
US 104.21.30.24:80 www.whatismyip.org tcp 255
NL 67.26.111.254:80 tcp 3

Identical rows are collapsed into the Connections column (259 rows in the raw capture). The three connections to 67.26.111.254:80 resolved to no domain and fell between the 34th and 35th connection to 104.21.30.24:80.
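
The capture consists of one DNS query and then hundreds of TCP port-80 connections to the resolved address of www.whatismyip.org, plus three connections to an address for which no name was seen. A public-IP lookup service tells the caller its external address, which is how a remote-access tool or its operator learns where to connect, so repeated hits on such a service are an indicator worth a rule of their own, and destinations without a resolved name should not disappear into the noise. The Python below is an added example, not part of this report or of any sandbox tooling: it parses rows in the report's own column format, collapses them into per-destination counts, and flags IP-lookup polling and unresolved destinations. The log is constructed (40 polls rather than the 255 captured here), the poll threshold of 10 and the function names are assumptions, and the domain set beyond www.whatismyip.org lists other well-known lookup services to be extended from your own telemetry.

```python
"""Collapse a sandbox network log into per-destination counts and flag IP-lookup polling.

Added example for this report; not sandbox or vendor code.
"""
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple


class Flow(NamedTuple):
    country: str
    dst: str               # ip:port
    domain: Optional[str]  # None when the capture holds no name for the destination
    proto: str


# Services whose only function is to return the caller's public address. Remote-access tools
# that need their own external address query them; extend the set from your own telemetry.
IP_LOOKUP_DOMAINS = {
    "www.whatismyip.org", "whatismyip.org", "api.ipify.org",
    "icanhazip.com", "ifconfig.me", "checkip.amazonaws.com",
}

# Constructed sample log in the report's row format: one DNS query, a burst of HTTP polls to the
# resolved address, and three connections for which no name was resolved.
SAMPLE_LOG: List[str] = (
    ["US 8.8.8.8:53 www.whatismyip.org udp"]
    + ["US 104.21.30.24:80 www.whatismyip.org tcp"] * 40
    + ["NL 67.26.111.254:80 tcp"] * 3
)


def parse_flow(line: str) -> Flow:
    """Rows are 'COUNTRY IP:PORT [DOMAIN] PROTO'; the domain column is absent when unresolved."""
    parts = line.split()
    if len(parts) == 4:
        country, dst, domain, proto = parts
        return Flow(country, dst, domain.lower(), proto.lower())
    if len(parts) == 3:
        country, dst, proto = parts
        return Flow(country, dst, None, proto.lower())
    raise ValueError(f"unexpected row: {line!r}")


def summarise(lines: List[str]) -> Counter:
    """One entry per distinct (country, destination, domain, proto) with its connection count."""
    return Counter(parse_flow(line) for line in lines)


def findings(summary: Counter, poll_threshold: int = 10) -> List[Tuple[str, str, Optional[str], int]]:
    """Flag repeated TCP connections to an IP-lookup service and any destination with no resolved name."""
    out: List[Tuple[str, str, Optional[str], int]] = []
    for flow, n in summary.items():
        if flow.proto == "tcp" and flow.domain in IP_LOOKUP_DOMAINS and n >= poll_threshold:
            out.append(("ip_lookup_polling", flow.dst, flow.domain, n))
        if flow.domain is None:
            out.append(("unresolved_destination", flow.dst, None, n))
    return out


def render(summary: Counter) -> List[str]:
    """Collapsed table in the report's column order plus a count, most frequent first."""
    rows = ["Country Destination Domain Proto Connections"]
    for flow, n in summary.most_common():
        rows.append(" ".join([flow.country, flow.dst, flow.domain or "-", flow.proto, str(n)]))
    return rows


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    print("\n".join(render(summary)))
    for kind, dst, domain, n in findings(summary):
        print(f"{kind}: {dst} ({domain or 'no domain'}) x{n}")
```

The single UDP row is the DNS query and is deliberately not counted as polling; only the TCP connections that follow it are. Feed the real rows of a report into summarise() and the table above is what comes out.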

Files

C:\Windows\exe.js

MD5 609f5808e8f96485a036799cf0c0693e
SHA1 a2d7e0d206328e4e026a06ba43519bd7b39ea6ce
SHA256 a39053edd1b97bb0090ea85644a29e77ecc926bd1a569461d03ae0c1122bada7
SHA512 38e1ae4f2d228c78c08fdaf901264ef2cd4f2bcd8df43507458c2795ea6b2335dbb0c4ed8ee9937cb6b0dbcb1c3ee3902c04cc9163bbc11bf590607bd6b4cc4d

C:\Windows\123.bat

MD5 becda9bb961608a782517de7c1664a2c
SHA1 cbbc9fc89240b42b57d04f09fad050f1a09c9ebb
SHA256 2af23a72380d771db7fcaa2ae41761cab80f815a411b70d79962cf406b062aa9
SHA512 a61dd46461408b9ee16c9d024ed40a2066ca36fc530fbd39fe820241bf7af9dafc87e77b46810a7e1c30fd07ddfda42431f096220e79a85956da88a52ae6b16a

C:\Windows\dsfTheoraEncoder.dll

MD5 5f2fc8a0d96a1e796a4daae9465f5dd6
SHA1 224f13f3cbaa441c0cb6d6300715fda7136408ea
SHA256 f8686d8752801bb21c3d94ebe743758d79b9b59f33589ec8620e75a949d1871f
SHA512 da866275159b434205f259176c3937b7c77b14ed95d052152b05b984909e094bbd3b2702d3e874a4a1e1bc02fc5a8476ea43df8aee43542d56e832eacc8f54ad

C:\Windows\dsfOggMux.dll

MD5 65889701199e41ae2abee652a232af6e
SHA1 3f76c39fde130b550013a4f13bfea2862b5628cf
SHA256 ef12a65d861a14aed28480946bc56fce479a21e9beac2983239eac6551d4f32e
SHA512 edbb1a1541a546d69e3fd64047a20613b47b3c08f2b639a53160b825c4a1462c4cc08a7bf417aa2db814f412fb16619c6c0d9364e21cc1c6d753ecf81f1d30f5

C:\Windows\dsfVorbisEncoder.dll

MD5 086a9fd9179aad7911561eeff08cf7e2
SHA1 d390c28376e08769a06a4a8b46609b3a668f728b
SHA256 2cede6701b73a4ddd6422fde157ea54644a3a9598b3ba217cf2b30b595cf6282
SHA512 a98f593a306208da49e57e265daf37d6b1bd9f190fba45d65dd6cfa08801b760f540ea5cc443f9a1512eb5ddc01b1e4e28fc8ddecb9c0f1d42c884c4efaa7193

C:\Windows\HookDrv.dll

MD5 895d68b21984db50bfbffc88d289f5da
SHA1 2cc6625e1fcdeac9dceb6a0f381f52ba574365a8
SHA256 d3b6c19376b95cb9501181b42b7cbebd44b994d9652ef5fc103eec0d747b8e7d
SHA512 7d4d78b985c13fcd3ea835db7eab5373881257830e2f3f8cac3efc22b1e6d38ac99d1245539cf286beb6f67f077bb2582980c9f7c4250fd8546ff65edabcd68b

C:\Windows\Microsoft.VC80.CRT.manifest

MD5 d34b3da03c59f38a510eaa8ccc151ec7
SHA1 41b978588a9902f5e14b2b693973cb210ed900b2
SHA256 a50941352cb9d8f7ba6fbf7db5c8af95fb5ab76fc5d60cfd0984e558678908cc
SHA512 231a97761d652a0fc133b930abba07d456ba6cd70703a632fd7292f6ee00e50ef28562159e54acc3fc6cc118f766ea3f2f8392579ae31cc9c0c1c0dd761d36f7

C:\Windows\msvcp80.dll

MD5 8c53ccd787c381cd535d8dcca12584d8
SHA1 bc7ce60270a58450596aa3e3e5d0a99f731333d9
SHA256 384aaee2a103f7ed5c3ba59d4fb2ba22313aaa1fbc5d232c29dbc14d38e0b528
SHA512 e86c1426f1ad62d8f9bb1196dee647477f71b9aacafabb181f35e639c105779f95f1576b72c0a9216e876430383b8d44f27748b13c25e0548c254a0f641e4755

C:\Windows\msvcr80.dll

MD5 1169436ee42f860c7db37a4692b38f0e
SHA1 4ccd15bf2c1b1d541ac883b0f42497e8ced6a5a3
SHA256 9382aaed2db19cd75a70e38964f06c63f19f63c9dfb5a33b0c2d445bb41b6e46
SHA512 e06064eb95a2ab9c3343672072f5b3f5983fc8ea9e5c92f79e50ba2e259d6d5fa8ed97170dea6d0d032ea6c01e074eefaab850d28965c7522fb7e03d9c65eae0

C:\Windows\Russian.lg

MD5 4f4db409d18a2b1dcaff9950b05dbb0d
SHA1 94e46fdc96864986a2e2ccd28601cf515a26af59
SHA256 e9856da8ab65fb68541c4799afb74d04bd11a83ca85ec94fdda3ef9845a87d5e
SHA512 7fa97d7844fd308247fe644e5dbcac8c23601a490a265b56d794a64ac35c197b26c0caf2f28574bd3cf16a6941a4ad13bf4a59e8d5f0ea675e7936ea2e5b3d22

C:\Windows\PushSource.ax

MD5 fb755251b8b9ac0f35494854f21ccdbf
SHA1 32de2cbfaf4a6d773f3b94af8e2a6cf66a01eabb
SHA256 ecbc5b49263df7950fd7329dfd44d5ad4da77845ffd1981afe3bd6798e1cd9f5
SHA512 a78d76ebefaa276f811b16b22caf84045982b305c13efb824db8b16b668fe07421486711567bfe83ecd4509a7b2896a0decaff624209c159f5a9e8b3e1dce215

C:\Windows\RManFUSClient.exe

MD5 2373f5ee5c54e483a8581a5f77efeb83
SHA1 cb8fe617c1231dbc6abccedfda6687bea73811aa
SHA256 3fd95a561fee6bdd5729a6e200db491fe4814e281df80c9666e7ec10c6b78ed6
SHA512 e07fdd9bab0eaf9f6b7f42d0b2c72e99ea294f5239ff12b74feff7e5491b93f1435fc277bb6fc6328501c3b4e7631acfec1e8cf62e8b172eafa49f9fd5bd6e39

C:\Windows\RManIpcServer.dll

MD5 7d94872e3bbf6b60aec6bfe03f2423d7
SHA1 67dd0a451e5a5247d077ffe347f404a0334b2d10
SHA256 a39ffbec4e0df7ad55467e2954d7cbb47b8116c46e348d419daed65bf55744e7
SHA512 25835b2d7ed18e85ab2939e00c1de66dd7a79dd95c08b692f97f6eb9217cc43a665eeaae5e7d216581ef5fa418353b24fc9f7d9b9ff022a6057b9801968a827b

C:\Windows\RManServer.exe

MD5 3741871591255572c033bd5cf1dbc9f4
SHA1 76130a825c5b9c0a662f31fe4afd92914ba4653f
SHA256 5951f01b5f515a12da71ca61f4d2da4718201de53523a093b910701287454c77
SHA512 30fff32979a4366bead3cbd6a8f610019d1af9ce6324e0cf4785cf9b19562a6bdb18d71bd1fcb7b0922eae090c3a5cbd0725ef5d5dce3fec091b7620a448ae92

C:\Windows\RManWLN.dll

MD5 4ed36e9479243d9426b196f306d21d04
SHA1 e102a9b2a8101b1105f6e3996df3ce6af17f31f4
SHA256 f54a5149b1df0f141ca14844fd38458761ebd43bdd63e7f516a88370ac0c917d
SHA512 46d94a53d0871d7ff728a2b6afd39b83978b37241e7f3e01e0d6e79de57ff81f20e081f4f210efd294ce274e5a79934078de4662d4da974a3279e5d6c93df5af

C:\Windows\1.rar

MD5 4297ecd8a5ad9cfea3df2d2251ab9a72
SHA1 10e8b6df371667b9a74b850ed174d2c5aa2fbdba
SHA256 edd4061058d876567e5ced90ec00480685afc63fec939a926fa81b893ad6c7ac
SHA512 1f7c951bd4919c12c807b8411b0bc5b1841f26b259da3c154594d52360ef15fb9a7ea42e0e9b7055b94ce4d8f7c700dece227ff0f013b1c0a6fc6e7b2eef194a

C:\Windows\getip.exe

MD5 d7ca2cf7cabf9a8e32884a96ac34306d
SHA1 586f6f5716a267f52f34104584247dd68d864a8d
SHA256 2b4fb384269201a8e3d8012e7b0ae4f8d07a65359dec1cae27d6604c38f69226
SHA512 84990d86fe3783fe7ffde55420120e1a822085dcd17c5bbee98308a787f1b95581ce587a6fa726fd0b9fafe44275f20eef9616f5de3d0af67baeba7eef564e46

C:\Windows\SysWOW64\RManServer.exe

MD5 3741871591255572c033bd5cf1dbc9f4
SHA1 76130a825c5b9c0a662f31fe4afd92914ba4653f
SHA256 5951f01b5f515a12da71ca61f4d2da4718201de53523a093b910701287454c77
SHA512 30fff32979a4366bead3cbd6a8f610019d1af9ce6324e0cf4785cf9b19562a6bdb18d71bd1fcb7b0922eae090c3a5cbd0725ef5d5dce3fec091b7620a448ae92

C:\Windows\SysWOW64\getip.exe

MD5 d7ca2cf7cabf9a8e32884a96ac34306d
SHA1 586f6f5716a267f52f34104584247dd68d864a8d
SHA256 2b4fb384269201a8e3d8012e7b0ae4f8d07a65359dec1cae27d6604c38f69226
SHA512 84990d86fe3783fe7ffde55420120e1a822085dcd17c5bbee98308a787f1b95581ce587a6fa726fd0b9fafe44275f20eef9616f5de3d0af67baeba7eef564e46

C:\Windows\SysWOW64\RManWLN.dll

MD5 4ed36e9479243d9426b196f306d21d04
SHA1 e102a9b2a8101b1105f6e3996df3ce6af17f31f4
SHA256 f54a5149b1df0f141ca14844fd38458761ebd43bdd63e7f516a88370ac0c917d
SHA512 46d94a53d0871d7ff728a2b6afd39b83978b37241e7f3e01e0d6e79de57ff81f20e081f4f210efd294ce274e5a79934078de4662d4da974a3279e5d6c93df5af

C:\Windows\123.reg

MD5 c546f14ba36ca8e366b196fef1da8f48
SHA1 ccf826b01df1aa427e71192d0245e6bcc9cac356
SHA256 1b026382cd7a66de19406e2ed368422175475d1d8da3d85490ef6b2a009f37ee
SHA512 91969a4543eb53ad4e813f0b92322ccb3e2ec96ef398245655a65181d0cad0a8077eb0b95cf0c4be9101e3ae8670ce8f347a3ec5bcbc5be9af8140aee353dc62

C:\Windows\SysWOW64\RManFUSClient.exe

MD5 2373f5ee5c54e483a8581a5f77efeb83
SHA1 cb8fe617c1231dbc6abccedfda6687bea73811aa
SHA256 3fd95a561fee6bdd5729a6e200db491fe4814e281df80c9666e7ec10c6b78ed6
SHA512 e07fdd9bab0eaf9f6b7f42d0b2c72e99ea294f5239ff12b74feff7e5491b93f1435fc277bb6fc6328501c3b4e7631acfec1e8cf62e8b172eafa49f9fd5bd6e39

C:\Windows\SysWOW64\Russian.lg

MD5 4f4db409d18a2b1dcaff9950b05dbb0d
SHA1 94e46fdc96864986a2e2ccd28601cf515a26af59
SHA256 e9856da8ab65fb68541c4799afb74d04bd11a83ca85ec94fdda3ef9845a87d5e
SHA512 7fa97d7844fd308247fe644e5dbcac8c23601a490a265b56d794a64ac35c197b26c0caf2f28574bd3cf16a6941a4ad13bf4a59e8d5f0ea675e7936ea2e5b3d22

memory/3192-159-0x0000000002700000-0x0000000002701000-memory.dmp

memory/1444-160-0x0000000001090000-0x0000000001091000-memory.dmp

memory/2800-161-0x00000000026F0000-0x00000000026F1000-memory.dmp

memory/3260-163-0x0000029471F20000-0x0000029471F30000-memory.dmp

memory/3260-162-0x0000029471960000-0x0000029471970000-memory.dmp

memory/3260-164-0x00000294745E0000-0x00000294745E4000-memory.dmp