Analysis Overview
SHA256
47e976b6d98db8e6c61e01c41741f38396fbf3953d1bcdf8c60c40c77fe8da2a
Threat Level: Known bad
The file 47e976b6d98db8e6c61e01c41741f38396fbf3953d1bcdf8c60c40c77fe8da2a was found to be: Known bad.
Malicious Activity Summary
RMS
Executes dropped EXE
ASPack v2.12-2.42
UPX packed file
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Runs .reg file with regedit
Gathers network information
Suspicious use of WriteProcessMemory
Checks processor information in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-13 14:12
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-13 14:12
Reported
2022-02-13 14:15
Platform
win10v2004-en-20220112
Max time kernel
162s
Max time network
172s
Command Line
Signatures
RMS
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wbem\RManFUSClient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wbem\RManFUSClient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wbem\wmiaprplreg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\215B.tmp\wmiaprplreg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wbem\wmiaprpl.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\47e976b6d98db8e6c61e01c41741f38396fbf3953d1bcdf8c60c40c77fe8da2a.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wbem\wmiaprplreg.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a1wmiaprpl = "C:\\Windows\\system32\\wbem\\wmiaprpl.exe" | C:\Users\Admin\AppData\Local\Temp\215B.tmp\wmiaprplreg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\wbem\English.lg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\wmiaprplreg.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\msvcp80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\RManFUSClient.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\RManIpcServer.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\dsfOggMux.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\Russian.lg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\English.lg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\RManIpcServer.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\RManServer.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\msvcr80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\RManWLN.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\dsfVorbisEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RManWLN.dll | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\dsfTheoraEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\dsfVorbisEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\HookDrv.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\HookDrv.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\msvcr80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\PushSource.ax | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\PushSource.ax | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\RManFUSClient.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\dsfTheoraEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\wmiaprplreg.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\msvcp80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\Logs\rom_log_2022.html | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\wmiaprpl.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\dsfOggMux.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\Microsoft.VC80.CRT.manifest | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\RManWLN.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\RManWLN.dll | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\wmiaprpl.exe | C:\Users\Admin\AppData\Local\Temp\215B.tmp\wmiaprplreg.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\Russian.lg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\Microsoft.VC80.CRT.manifest | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\RManServer.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in Windows directory
(Every row in this table is attributed to TiWorker.exe or svchost.exe, i.e. Windows servicing and Delivery Optimization activity of the sandbox OS; none of it is the sample or a file it dropped.)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\pending.xml | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | C:\Windows\System32\svchost.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
(Attributed to MusNotifyIcon.exe, the Windows Update notification icon, not to the sample.)
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotifyIcon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotifyIcon.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies data under HKEY_USERS
(All rows are svchost.exe writing Delivery Optimization state under the NetworkService account, S-1-5-20; this is sandbox OS background, not sample activity.)
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132894116108337646" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "6.862392" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "10.715520" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4324" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "16.667591" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4160" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wbem\RManFUSClient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wbem\RManFUSClient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\47e976b6d98db8e6c61e01c41741f38396fbf3953d1bcdf8c60c40c77fe8da2a.exe
"C:\Users\Admin\AppData\Local\Temp\47e976b6d98db8e6c61e01c41741f38396fbf3953d1bcdf8c60c40c77fe8da2a.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DF32.tmp\Remote Manipulator System - Server.bat" "
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System\v4\Server" /f
C:\Windows\SysWOW64\wbem\RManServer.exe
"C:\Windows\System32\wbem\RManServer.exe" /silentinstall
C:\Windows\SysWOW64\wbem\RManServer.exe
"C:\Windows\System32\wbem\RManServer.exe" /firewall
C:\Windows\SysWOW64\regedit.exe
regedit /s "settings.reg"
C:\Windows\SysWOW64\wbem\RManServer.exe
"C:\Windows\System32\wbem\RManServer.exe" /start
C:\Windows\SysWOW64\wbem\RManServer.exe
C:\Windows\SysWOW64\wbem\RManServer.exe
C:\Windows\SysWOW64\wbem\RManFUSClient.exe
"C:\Windows\SysWOW64\wbem\RManFUSClient.exe"
C:\Windows\SysWOW64\wbem\RManFUSClient.exe
C:\Windows\SysWOW64\wbem\RManFUSClient.exe /tray
C:\Windows\SysWOW64\wbem\wmiaprplreg.exe
"C:\Windows\System32\wbem\wmiaprplreg.exe" /start
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\215B.tmp\wmiaprplreg.bat" "/start" "
C:\Users\Admin\AppData\Local\Temp\215B.tmp\wmiaprplreg.exe
wmiaprplreg.exe /start
C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
C:\Windows\SysWOW64\wbem\wmiaprpl.exe
"C:\Windows\System32\wbem\wmiaprpl.exe" /firewall
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~6D87.bat "C:\Windows\System32\wbem\wmiaprpl.exe" /firewall
C:\Windows\SysWOW64\PING.EXE
ping -n 9 localhost
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
C:\Windows\SysWOW64\PING.EXE
ping -n 9 localhost
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Windows\SysWOW64\PING.EXE
ping -n 2000 localhost
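The process list above is the RMS (Remote Manipulator System) unattended-install sequence: a dropped batch file resets the server's settings key with reg.exe, runs RManServer.exe with /silentinstall, /firewall and /start, imports settings.reg silently with regedit, and registers wmiaprpl.exe under a Run key, all from inside System32\wbem where the dropped binaries sit beside Windows' own WMI files. The Python below is an added example, not part of the sandbox report or of RMS: it encodes those observations as detection rules and runs them over process-creation and registry-set records constructed from the Processes and Signatures sections. The Sysmon-style field layout and the short allow-list of genuine wbem binaries are assumptions.

```python
"""Detect the RMS unattended-install chain from process and registry events.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
from the Processes and Signatures sections; the Sysmon-style field names and
the wbem allow-list are assumptions about the log source and the OS build."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Binaries Windows itself ships in System32\wbem (assumed, deliberately short;
# build the real list from a known-good image of the same Windows build).
KNOWN_WBEM_BINARIES = {
    "wmic.exe", "wmiprvse.exe", "winmgmt.exe", "wmiadap.exe",
    "wmiapsrv.exe", "unsecapp.exe", "scrcons.exe", "mofcomp.exe",
}
RMS_INSTALL_SWITCHES = {"/silentinstall", "/firewall", "/start"}


@dataclass
class Event:
    kind: str            # "process" or "registry"
    image: str = ""      # process image path
    cmdline: str = ""    # full command line
    parent: str = ""     # parent image path
    key: str = ""        # registry key (registry events)
    value: str = ""      # data written (registry events)


@dataclass
class Finding:
    rule: str
    evidence: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_wbem(path: str) -> bool:
    """True for a file directly under System32\\wbem or SysWOW64\\wbem."""
    return re.search(r"\\(system32|syswow64)\\wbem\\[^\\]+$", path, re.I) is not None


def check_event(ev: Event) -> list[Finding]:
    found: list[Finding] = []
    if ev.kind == "process":
        name, args = _basename(ev.image), ev.cmdline.lower()
        tokens = args.split()
        # RMS server driven by its unattended-install switches.
        if name == "rmanserver.exe" and RMS_INSTALL_SWITCHES & set(tokens):
            found.append(Finding("rms_silent_install", ev.cmdline))
        # reg.exe wiping the RMS server settings key before reconfiguring it.
        if name == "reg.exe" and "remote manipulator system" in args and "delete" in tokens:
            found.append(Finding("rms_config_reset", ev.cmdline))
        # regedit importing a .reg file silently (settings.reg in this report).
        if name == "regedit.exe" and re.search(r"\s/s\s+\S*\.reg", args):
            found.append(Finding("silent_reg_import", ev.cmdline))
        # Anything running out of \wbem\ that Windows does not put there.
        if _in_wbem(ev.image) and name not in KNOWN_WBEM_BINARIES:
            found.append(Finding("unknown_binary_in_wbem", ev.image))
        # "ping -n <N> localhost" spawned by cmd.exe: a batch-file sleep.
        m = re.search(r"\bping\s+-n\s+(\d+)\s+localhost\b", args)
        if m and int(m.group(1)) >= 5 and _basename(ev.parent) == "cmd.exe":
            found.append(Finding("ping_sleep", ev.cmdline))
    elif ev.kind == "registry":
        # Run-key autostart whose target lives in the WMI directory.
        if re.search(r"\\currentversion\\run\\", ev.key, re.I) and _in_wbem(ev.value):
            found.append(Finding("run_key_into_wbem", f"{ev.key} = {ev.value}"))
    return found


def analyze(events: list[Event]) -> dict[str, list[str]]:
    """Group findings as rule name -> list of evidence strings."""
    report: dict[str, list[str]] = {}
    for ev in events:
        for f in check_event(ev):
            report.setdefault(f.rule, []).append(f.evidence)
    return report


CMD = r"C:\Windows\SysWOW64\cmd.exe"
# Constructed from the Processes and Signatures sections of this report.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\SysWOW64\reg.exe",
          r'reg delete "HKLM\SYSTEM\Remote Manipulator System\v4\Server" /f', CMD),
    Event("process", r"C:\Windows\SysWOW64\wbem\RManServer.exe",
          r'"C:\Windows\System32\wbem\RManServer.exe" /silentinstall', CMD),
    Event("process", r"C:\Windows\SysWOW64\regedit.exe", r'regedit /s "settings.reg"', CMD),
    Event("process", r"C:\Windows\SysWOW64\wbem\wmiaprplreg.exe",
          r'"C:\Windows\System32\wbem\wmiaprplreg.exe" /start', CMD),
    Event("process", r"C:\Windows\SysWOW64\PING.EXE", "ping -n 2000 localhost", CMD),
    Event("registry",
          key=r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a1wmiaprpl",
          value=r"C:\Windows\system32\wbem\wmiaprpl.exe"),
    # Benign control: the real WMI provider host must not trigger anything.
    Event("process", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
          r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",
          r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

The wbem allow-list rule is the one that survives a rename of the RMS binaries: the other rules key on command-line strings the operator controls, whereas dropping a new executable into System32\wbem is the behaviour this sample relies on for blending in.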
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| NL | 92.123.77.56:80 | | tcp |
| NL | 92.123.77.56:80 | | tcp |
| NL | 104.80.224.57:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp |
| IE | 20.54.24.231:443 | geo.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | cp801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
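The Network table mixes whatever the sandbox host did during the 172 s capture with anything the sample did. Every named destination above is a Microsoft Delivery Optimization endpoint (the same service whose svchost.exe registry writes appear under "Modifies data under HKEY_USERS"), and the remaining TCP rows carry no name at all. The Python below is an added example, not part of the report: it splits the table into OS background, named destinations worth following up, and unattributed connections that need the pcap (HTTP Host header or TLS SNI) before they can be tied to the sample or dismissed. The rows are transcribed from the table; the background-suffix list is an assumption for this sandbox image.

```python
"""Triage a sandbox network table: background noise vs. what needs follow-up.

Added example, not part of the report. NETWORK_ROWS is transcribed from the
Network table above; BACKGROUND_SUFFIXES is an assumption about which names
belong to the sandbox OS rather than to the sample."""
from __future__ import annotations

NETWORK_ROWS = [  # (country, destination, domain, proto)
    ("US", "209.197.3.8:80", "", "tcp"),
    ("NL", "92.123.77.56:80", "", "tcp"),
    ("NL", "92.123.77.56:80", "", "tcp"),
    ("NL", "104.80.224.57:443", "", "tcp"),
    ("US", "93.184.220.29:80", "", "tcp"),
    ("US", "8.8.8.8:53", "geo.prod.do.dsp.mp.microsoft.com", "udp"),
    ("IE", "20.54.24.231:443", "geo.prod.do.dsp.mp.microsoft.com", "tcp"),
    ("US", "8.8.8.8:53", "kv801.prod.do.dsp.mp.microsoft.com", "udp"),
    ("NL", "184.29.205.60:443", "kv801.prod.do.dsp.mp.microsoft.com", "tcp"),
    ("US", "8.8.8.8:53", "cp801.prod.do.dsp.mp.microsoft.com", "udp"),
    ("NL", "184.29.205.60:443", "cp801.prod.do.dsp.mp.microsoft.com", "tcp"),
    ("NL", "184.29.205.60:443", "cp801.prod.do.dsp.mp.microsoft.com", "tcp"),
]

# Names the sandbox OS talks to on its own (assumed; Windows Delivery
# Optimization here). Extend from a clean-run capture of your own image.
BACKGROUND_SUFFIXES = (".prod.do.dsp.mp.microsoft.com",)


def triage_network(rows):
    resolved: dict[str, set[str]] = {}  # domain -> ip:port actually connected to
    queried: set[str] = set()           # names seen in DNS queries
    unattributed: dict[str, int] = {}   # ip:port with no name -> connection count
    for _country, dest, domain, proto in rows:
        if proto == "udp" and dest.endswith(":53"):
            queried.add(domain)         # DNS query row, not a connection
            continue
        if domain:
            resolved.setdefault(domain, set()).add(dest)
        else:
            unattributed[dest] = unattributed.get(dest, 0) + 1
    background = {d for d in resolved if d.endswith(BACKGROUND_SUFFIXES)}
    return {
        "background": sorted(background),
        # Named traffic that is not known OS noise: candidate sample C2/update.
        "followup_named": sorted(set(resolved) - background),
        # Queried but never connected to: failed or blocked resolution.
        "dns_without_connection": sorted(queried - set(resolved)),
        # Connections with no name in the capture: pull Host/SNI from the pcap.
        "unattributed": dict(sorted(unattributed.items())),
    }


if __name__ == "__main__":
    for bucket, items in triage_network(NETWORK_ROWS).items():
        print(f"{bucket}: {items}")
```

On this report the named bucket empties completely once Delivery Optimization is removed, which is the practitioner's caveat: the capture shows no sample-attributable C2, but four destinations remain unattributed and the 172 s window is short for a remote-access tool that may only beacon after the reboot its Run key is waiting for.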
Files
C:\Users\Admin\AppData\Local\Temp\DF32.tmp\Remote Manipulator System - Server.bat
| MD5 | 80d5a2a1d9fc20d2da9a5fe46ee17c35 |
| SHA1 | eb631fb31355e96b19eac1e08c47614794f4a2a0 |
| SHA256 | 486e6729c0bd630c62bbb5cba1066a23f543983368b253c991f83039738b0b78 |
| SHA512 | feaa8599ae3d408c034a19eb83406c2738fa809ee33fa6d9a8cb0ebe32fce78339c0c5c71de925628efc13ddb90d821a07557b557f71f0df386bc0e3b219d50b |
C:\Users\Admin\AppData\Local\Temp\DF32.tmp\dsfOggMux.dll
| MD5 | 65889701199e41ae2abee652a232af6e |
| SHA1 | 3f76c39fde130b550013a4f13bfea2862b5628cf |
| SHA256 | ef12a65d861a14aed28480946bc56fce479a21e9beac2983239eac6551d4f32e |
| SHA512 | edbb1a1541a546d69e3fd64047a20613b47b3c08f2b639a53160b825c4a1462c4cc08a7bf417aa2db814f412fb16619c6c0d9364e21cc1c6d753ecf81f1d30f5 |
C:\Users\Admin\AppData\Local\Temp\DF32.tmp\dsfVorbisEncoder.dll
| MD5 | 086a9fd9179aad7911561eeff08cf7e2 |
| SHA1 | d390c28376e08769a06a4a8b46609b3a668f728b |
| SHA256 | 2cede6701b73a4ddd6422fde157ea54644a3a9598b3ba217cf2b30b595cf6282 |
| SHA512 | a98f593a306208da49e57e265daf37d6b1bd9f190fba45d65dd6cfa08801b760f540ea5cc443f9a1512eb5ddc01b1e4e28fc8ddecb9c0f1d42c884c4efaa7193 |
C:\Users\Admin\AppData\Local\Temp\DF32.tmp\dsfTheoraEncoder.dll
| MD5 | 5f2fc8a0d96a1e796a4daae9465f5dd6 |
| SHA1 | 224f13f3cbaa441c0cb6d6300715fda7136408ea |
| SHA256 | f8686d8752801bb21c3d94ebe743758d79b9b59f33589ec8620e75a949d1871f |
| SHA512 | da866275159b434205f259176c3937b7c77b14ed95d052152b05b984909e094bbd3b2702d3e874a4a1e1bc02fc5a8476ea43df8aee43542d56e832eacc8f54ad |
C:\Users\Admin\AppData\Local\Temp\DF32.tmp\Russian.lg
| MD5 | 4f4db409d18a2b1dcaff9950b05dbb0d |
| SHA1 | 94e46fdc96864986a2e2ccd28601cf515a26af59 |
| SHA256 | e9856da8ab65fb68541c4799afb74d04bd11a83ca85ec94fdda3ef9845a87d5e |
| SHA512 | 7fa97d7844fd308247fe644e5dbcac8c23601a490a265b56d794a64ac35c197b26c0caf2f28574bd3cf16a6941a4ad13bf4a59e8d5f0ea675e7936ea2e5b3d22 |
C:\Users\Admin\AppData\Local\Temp\DF32.tmp\HookDrv.dll
| MD5 | 895d68b21984db50bfbffc88d289f5da |
| SHA1 | 2cc6625e1fcdeac9dceb6a0f381f52ba574365a8 |
| SHA256 | d3b6c19376b95cb9501181b42b7cbebd44b994d9652ef5fc103eec0d747b8e7d |
| SHA512 | 7d4d78b985c13fcd3ea835db7eab5373881257830e2f3f8cac3efc22b1e6d38ac99d1245539cf286beb6f67f077bb2582980c9f7c4250fd8546ff65edabcd68b |
C:\Users\Admin\AppData\Local\Temp\DF32.tmp\English.lg
| MD5 | 2be21177d718a15864654289f0af055d |
| SHA1 | 8e342cc491e2357e505e5e9a913d897d244ef43c |
| SHA256 | e7d8c3cbe405c2827a8f1e5a1ba83db64c28a1f3ed3e921549bbf3a5d9cb009b |
| SHA512 | 830560a25b53c9b376fc3064cf85e1f19d8bb470daf0f566bcbd649fa0b41a0c15a4ecb8ea9986df31f170ec607fa7f8e6cd0e4b18033d029f894da0d3a22144 |
C:\Users\Admin\AppData\Local\Temp\DF32.tmp\wmiaprplreg.exe
| MD5 | c4f64f1b9c449efecaf2602b682ad4f5 |
| SHA1 | caca5e3b75107d47112bf7c6933892b6c5f6a369 |
| SHA256 | a41f73c715138f77653a2538f0bcb78e74c19961b145fa5bb7bf1d756fe5b504 |
| SHA512 | f9df3ba58514ddc5e6ef208082f8e0e35adea345d9f8c3629e1b02c7886a7e8ea0515c4d48aeea86c0a656c3c096e85ad8a291fcad62a72081c03bc60122eef5 |
C:\Users\Admin\AppData\Local\Temp\DF32.tmp\Microsoft.VC80.CRT.manifest
| MD5 | d34b3da03c59f38a510eaa8ccc151ec7 |
| SHA1 | 41b978588a9902f5e14b2b693973cb210ed900b2 |
| SHA256 | a50941352cb9d8f7ba6fbf7db5c8af95fb5ab76fc5d60cfd0984e558678908cc |
| SHA512 | 231a97761d652a0fc133b930abba07d456ba6cd70703a632fd7292f6ee00e50ef28562159e54acc3fc6cc118f766ea3f2f8392579ae31cc9c0c1c0dd761d36f7 |
C:\Users\Admin\AppData\Local\Temp\DF32.tmp\msvcp80.dll
| MD5 | 8c53ccd787c381cd535d8dcca12584d8 |
| SHA1 | bc7ce60270a58450596aa3e3e5d0a99f731333d9 |
| SHA256 | 384aaee2a103f7ed5c3ba59d4fb2ba22313aaa1fbc5d232c29dbc14d38e0b528 |
| SHA512 | e86c1426f1ad62d8f9bb1196dee647477f71b9aacafabb181f35e639c105779f95f1576b72c0a9216e876430383b8d44f27748b13c25e0548c254a0f641e4755 |
C:\Users\Admin\AppData\Local\Temp\DF32.tmp\PushSource.ax
| MD5 | fb755251b8b9ac0f35494854f21ccdbf |
| SHA1 | 32de2cbfaf4a6d773f3b94af8e2a6cf66a01eabb |
| SHA256 | ecbc5b49263df7950fd7329dfd44d5ad4da77845ffd1981afe3bd6798e1cd9f5 |
| SHA512 | a78d76ebefaa276f811b16b22caf84045982b305c13efb824db8b16b668fe07421486711567bfe83ecd4509a7b2896a0decaff624209c159f5a9e8b3e1dce215 |
C:\Users\Admin\AppData\Local\Temp\DF32.tmp\msvcr80.dll
| MD5 | 1169436ee42f860c7db37a4692b38f0e |
| SHA1 | 4ccd15bf2c1b1d541ac883b0f42497e8ced6a5a3 |
| SHA256 | 9382aaed2db19cd75a70e38964f06c63f19f63c9dfb5a33b0c2d445bb41b6e46 |
| SHA512 | e06064eb95a2ab9c3343672072f5b3f5983fc8ea9e5c92f79e50ba2e259d6d5fa8ed97170dea6d0d032ea6c01e074eefaab850d28965c7522fb7e03d9c65eae0 |
C:\Users\Admin\AppData\Local\Temp\DF32.tmp\RManFUSClient.exe
| MD5 | 862035e253f8775c2e6713bcda90d1a5 |
| SHA1 | a799849789427c527b97be67b4e394d7db02a5a2 |
| SHA256 | 50bed7c1dd0141f2ed1cb5f78574d060d004eecb0ac71606e3a68ae36caa3c39 |
| SHA512 | 86de46aa69c36712cb01f3e27948491906a1dd065066629d2b5c9bf25aeaf2053b87c0f8144a8308e0130a2f0385fd507611e61b8540728684b3367a4e06f602 |
C:\Users\Admin\AppData\Local\Temp\DF32.tmp\RManIpcServer.dll
| MD5 | 7d94872e3bbf6b60aec6bfe03f2423d7 |
| SHA1 | 67dd0a451e5a5247d077ffe347f404a0334b2d10 |
| SHA256 | a39ffbec4e0df7ad55467e2954d7cbb47b8116c46e348d419daed65bf55744e7 |
| SHA512 | 25835b2d7ed18e85ab2939e00c1de66dd7a79dd95c08b692f97f6eb9217cc43a665eeaae5e7d216581ef5fa418353b24fc9f7d9b9ff022a6057b9801968a827b |
C:\Users\Admin\AppData\Local\Temp\DF32.tmp\RManServer.exe
| MD5 | e06b936f7277739fdde705b051a8aab0 |
| SHA1 | 5235c6f00187e048d0691e49127ebadc995f3b12 |
| SHA256 | 07a9cb3d133cd2b8b7daccca1b7bd9e5b40341d97a5490b2001e291fc35ce60f |
| SHA512 | 53c8d5aa09ff87ace1276c0ebe988f38be49dc3abbed377d7843fa983c30c9adb9c550d1ff9e0afc465611836476b1d8335fac6e917ac41c2cab0f34ff6aea87 |
C:\Users\Admin\AppData\Local\Temp\DF32.tmp\RManWLN.dll
| MD5 | 4ed36e9479243d9426b196f306d21d04 |
| SHA1 | e102a9b2a8101b1105f6e3996df3ce6af17f31f4 |
| SHA256 | f54a5149b1df0f141ca14844fd38458761ebd43bdd63e7f516a88370ac0c917d |
| SHA512 | 46d94a53d0871d7ff728a2b6afd39b83978b37241e7f3e01e0d6e79de57ff81f20e081f4f210efd294ce274e5a79934078de4662d4da974a3279e5d6c93df5af |
C:\Windows\SysWOW64\wbem\RManServer.exe
| MD5 | e06b936f7277739fdde705b051a8aab0 |
| SHA1 | 5235c6f00187e048d0691e49127ebadc995f3b12 |
| SHA256 | 07a9cb3d133cd2b8b7daccca1b7bd9e5b40341d97a5490b2001e291fc35ce60f |
| SHA512 | 53c8d5aa09ff87ace1276c0ebe988f38be49dc3abbed377d7843fa983c30c9adb9c550d1ff9e0afc465611836476b1d8335fac6e917ac41c2cab0f34ff6aea87 |
C:\Windows\SysWOW64\wbem\RManWLN.dll
| MD5 | 4ed36e9479243d9426b196f306d21d04 |
| SHA1 | e102a9b2a8101b1105f6e3996df3ce6af17f31f4 |
| SHA256 | f54a5149b1df0f141ca14844fd38458761ebd43bdd63e7f516a88370ac0c917d |
| SHA512 | 46d94a53d0871d7ff728a2b6afd39b83978b37241e7f3e01e0d6e79de57ff81f20e081f4f210efd294ce274e5a79934078de4662d4da974a3279e5d6c93df5af |
memory/3616-150-0x00000000022F0000-0x00000000022F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DF32.tmp\settings.reg
| MD5 | 83d486604197f7fb32fe3c789a6876ee |
| SHA1 | 44c0c1d53547e3a2125ed697c3a34c1474b0ae8b |
| SHA256 | 219e8555b859ecf3740b49dc5f4d99774ecc0d73a6b4702ee4865e7ba4a19c0c |
| SHA512 | 01c33e13cf00a20caba3c1d7eeda1132621f0c64b63b774418f6268caac159d12a2eb1042b18fe6095f1ecdb16826b6d668d96cf35100173d946c43fa9aa5750 |
memory/3352-154-0x00000000023F0000-0x00000000023F1000-memory.dmp
memory/2128-155-0x0000000000920000-0x0000000000921000-memory.dmp
C:\Windows\SysWOW64\wbem\English.lg
| MD5 | 2be21177d718a15864654289f0af055d |
| SHA1 | 8e342cc491e2357e505e5e9a913d897d244ef43c |
| SHA256 | e7d8c3cbe405c2827a8f1e5a1ba83db64c28a1f3ed3e921549bbf3a5d9cb009b |
| SHA512 | 830560a25b53c9b376fc3064cf85e1f19d8bb470daf0f566bcbd649fa0b41a0c15a4ecb8ea9986df31f170ec607fa7f8e6cd0e4b18033d029f894da0d3a22144 |
C:\Windows\SysWOW64\wbem\Russian.lg
| MD5 | 4f4db409d18a2b1dcaff9950b05dbb0d |
| SHA1 | 94e46fdc96864986a2e2ccd28601cf515a26af59 |
| SHA256 | e9856da8ab65fb68541c4799afb74d04bd11a83ca85ec94fdda3ef9845a87d5e |
| SHA512 | 7fa97d7844fd308247fe644e5dbcac8c23601a490a265b56d794a64ac35c197b26c0caf2f28574bd3cf16a6941a4ad13bf4a59e8d5f0ea675e7936ea2e5b3d22 |
C:\Windows\SysWOW64\wbem\RManFUSClient.exe
| MD5 | 862035e253f8775c2e6713bcda90d1a5 |
| SHA1 | a799849789427c527b97be67b4e394d7db02a5a2 |
| SHA256 | 50bed7c1dd0141f2ed1cb5f78574d060d004eecb0ac71606e3a68ae36caa3c39 |
| SHA512 | 86de46aa69c36712cb01f3e27948491906a1dd065066629d2b5c9bf25aeaf2053b87c0f8144a8308e0130a2f0385fd507611e61b8540728684b3367a4e06f602 |
memory/3884-161-0x0000000000910000-0x0000000000911000-memory.dmp
C:\Windows\SysWOW64\wbem\wmiaprplreg.exe
| MD5 | c4f64f1b9c449efecaf2602b682ad4f5 |
| SHA1 | caca5e3b75107d47112bf7c6933892b6c5f6a369 |
| SHA256 | a41f73c715138f77653a2538f0bcb78e74c19961b145fa5bb7bf1d756fe5b504 |
| SHA512 | f9df3ba58514ddc5e6ef208082f8e0e35adea345d9f8c3629e1b02c7886a7e8ea0515c4d48aeea86c0a656c3c096e85ad8a291fcad62a72081c03bc60122eef5 |
C:\Users\Admin\AppData\Local\Temp\215B.tmp\wmiaprplreg.bat
| MD5 | 0b13775a4b63c796d1f09d2ff65be87e |
| SHA1 | 22bb7abe20e16833500b9781b1a80a4ba36b497d |
| SHA256 | 5c1234b1690eb8e5a4aa9c6bd52684e997983db56a975c6713604eab4919cf5a |
| SHA512 | 95c2cedbc6ef1a0960e2d79d0541ce4dd9c26274dce6f6077aaf27dadf3a473efd40f9b61c31ab305281fdd22278d933dd347f6218ba0692975ebac139494359 |
memory/408-165-0x00000000024C0000-0x00000000024C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\215B.tmp\wmiaprplreg.exe
| MD5 | 11a10ad5ab216eef7e41eb8174e96588 |
| SHA1 | 87589c6e2f3fe1f31e4e8bf0fd903278c87aea07 |
| SHA256 | 994d9a56da77236a7e4c5049cd8a16f1a1d5a4b7f36b65d8e5fb2660453f2fc5 |
| SHA512 | 817ddf4e74eaa50cf95248dcd4441ed5a104dfa4142b66049bbc908dc33f6b784ef531059ca3e0bb2ff5c5bd9f33fb5ad9664693edcaa8c47436d2e42b312ff5 |
C:\Users\Admin\AppData\Local\Temp\215B.tmp\wmiaprplreg.exe
| MD5 | 11a10ad5ab216eef7e41eb8174e96588 |
| SHA1 | 87589c6e2f3fe1f31e4e8bf0fd903278c87aea07 |
| SHA256 | 994d9a56da77236a7e4c5049cd8a16f1a1d5a4b7f36b65d8e5fb2660453f2fc5 |
| SHA512 | 817ddf4e74eaa50cf95248dcd4441ed5a104dfa4142b66049bbc908dc33f6b784ef531059ca3e0bb2ff5c5bd9f33fb5ad9664693edcaa8c47436d2e42b312ff5 |
memory/3028-168-0x0000000000660000-0x0000000000661000-memory.dmp
C:\Windows\SysWOW64\wbem\wmiaprpl.exe
| MD5 | a017fe53a6d0ee96592970a9acf59a3d |
| SHA1 | 769a37b2e704cf84357f3c1447eb86c0b8faf274 |
| SHA256 | 66fc13a697462c2e79746ffd80c5ac3e1bfbffb9c97e55593308e10edbcb2f6c |
| SHA512 | c8c60e37779cd799ae310d2512b913718768a5d360c3bec60a8e8f77571d71873acb49697fb230233b6e913da9bb71af8db290773a7992256f13654a6834f61d |
C:\Users\Admin\AppData\Local\Temp\DF32.tmp\wmiaprpl.exe
| MD5 | a017fe53a6d0ee96592970a9acf59a3d |
| SHA1 | 769a37b2e704cf84357f3c1447eb86c0b8faf274 |
| SHA256 | 66fc13a697462c2e79746ffd80c5ac3e1bfbffb9c97e55593308e10edbcb2f6c |
| SHA512 | c8c60e37779cd799ae310d2512b913718768a5d360c3bec60a8e8f77571d71873acb49697fb230233b6e913da9bb71af8db290773a7992256f13654a6834f61d |
C:\Windows\SysWOW64\wbem\wmiaprpl.exe
| MD5 | a017fe53a6d0ee96592970a9acf59a3d |
| SHA1 | 769a37b2e704cf84357f3c1447eb86c0b8faf274 |
| SHA256 | 66fc13a697462c2e79746ffd80c5ac3e1bfbffb9c97e55593308e10edbcb2f6c |
| SHA512 | c8c60e37779cd799ae310d2512b913718768a5d360c3bec60a8e8f77571d71873acb49697fb230233b6e913da9bb71af8db290773a7992256f13654a6834f61d |
C:\Windows\SysWOW64\wbem\wmiaprpl.exe
| MD5 | a017fe53a6d0ee96592970a9acf59a3d |
| SHA1 | 769a37b2e704cf84357f3c1447eb86c0b8faf274 |
| SHA256 | 66fc13a697462c2e79746ffd80c5ac3e1bfbffb9c97e55593308e10edbcb2f6c |
| SHA512 | c8c60e37779cd799ae310d2512b913718768a5d360c3bec60a8e8f77571d71873acb49697fb230233b6e913da9bb71af8db290773a7992256f13654a6834f61d |
C:\Users\Admin\AppData\Local\Temp\~6D87.bat
| MD5 | 5b1771aff999fd1a821960cbc5f962d5 |
| SHA1 | 7b81fda84d297f5c38719a0cd4778c6010b1c070 |
| SHA256 | c18aa3f93deb71df98d11e307d03ce58438464ad6f8f3c51b158b9c722486a95 |
| SHA512 | 59da40b1da511b4f63fa6577187d0d47fa4bc88f6a5526fc1398a69a276612b5e91bc39215e328eed2745932ec82b7a669d280463e63926e05393659c7aff5cc |
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-13 14:12
Reported
2022-02-13 14:14
Platform
win7-en-20211208
Max time kernel
153s
Max time network
126s
Command Line
Signatures
RMS
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wbem\RManFUSClient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wbem\RManFUSClient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wbem\wmiaprplreg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18FD.tmp\wmiaprplreg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wbem\wmiaprpl.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\a1wmiaprpl = "C:\\Windows\\system32\\wbem\\wmiaprpl.exe" | C:\Users\Admin\AppData\Local\Temp\18FD.tmp\wmiaprplreg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\wbem\RManIpcServer.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\RManIpcServer.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\RManWLN.dll | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\English.lg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\wmiaprplreg.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\PushSource.ax | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\wmiaprpl.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\msvcp80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\RManServer.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\Logs\rom_log_2022.html | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\Microsoft.VC80.CRT.manifest | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\RManWLN.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\dsfVorbisEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\Russian.lg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\HookDrv.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\RManFUSClient.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\Russian.lg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\English.lg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\HookDrv.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\wmiaprplreg.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\PushSource.ax | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\RManServer.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\RManFUSClient.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\RManWLN.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\wmiaprpl.exe | C:\Users\Admin\AppData\Local\Temp\18FD.tmp\wmiaprplreg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\dsfOggMux.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\dsfTheoraEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\msvcp80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\Microsoft.VC80.CRT.manifest | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\msvcr80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\msvcr80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RManWLN.dll | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\dsfOggMux.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\dsfTheoraEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\dsfVorbisEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wbem\RManFUSClient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\wbem\RManServer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\47e976b6d98db8e6c61e01c41741f38396fbf3953d1bcdf8c60c40c77fe8da2a.exe | "C:\Users\Admin\AppData\Local\Temp\47e976b6d98db8e6c61e01c41741f38396fbf3953d1bcdf8c60c40c77fe8da2a.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\E4B4.tmp\Remote Manipulator System - Server.bat" " |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKLM\SYSTEM\Remote Manipulator System\v4\Server" /f |
| C:\Windows\SysWOW64\wbem\RManServer.exe | "C:\Windows\System32\wbem\RManServer.exe" /silentinstall |
| C:\Windows\SysWOW64\wbem\RManServer.exe | "C:\Windows\System32\wbem\RManServer.exe" /firewall |
| C:\Windows\SysWOW64\regedit.exe | regedit /s "settings.reg" |
| C:\Windows\SysWOW64\wbem\RManServer.exe | "C:\Windows\System32\wbem\RManServer.exe" /start |
| C:\Windows\SysWOW64\wbem\RManServer.exe | C:\Windows\SysWOW64\wbem\RManServer.exe |
| C:\Windows\SysWOW64\wbem\RManFUSClient.exe | "C:\Windows\SysWOW64\wbem\RManFUSClient.exe" |
| C:\Windows\SysWOW64\wbem\RManFUSClient.exe | C:\Windows\SysWOW64\wbem\RManFUSClient.exe /tray |
| C:\Windows\SysWOW64\wbem\wmiaprplreg.exe | "C:\Windows\System32\wbem\wmiaprplreg.exe" /start |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\18FD.tmp\wmiaprplreg.bat" "/start" " |
| C:\Users\Admin\AppData\Local\Temp\18FD.tmp\wmiaprplreg.exe | wmiaprplreg.exe /start |
| C:\Windows\SysWOW64\wbem\wmiaprpl.exe | "C:\Windows\System32\wbem\wmiaprpl.exe" /firewall |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~1E69.bat "C:\Windows\System32\wbem\wmiaprpl.exe" /firewall |
| C:\Windows\SysWOW64\PING.EXE | ping -n 9 localhost |
| C:\Windows\SysWOW64\ipconfig.exe | ipconfig /all |
| C:\Windows\SysWOW64\PING.EXE | ping -n 9 localhost |
| C:\Windows\SysWOW64\PING.EXE | ping -n 2000 localhost |
Network
Files
memory/1212-54-0x0000000075891000-0x0000000075893000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E4B4.tmp\Remote Manipulator System - Server.bat
| MD5 | 80d5a2a1d9fc20d2da9a5fe46ee17c35 |
| SHA1 | eb631fb31355e96b19eac1e08c47614794f4a2a0 |
| SHA256 | 486e6729c0bd630c62bbb5cba1066a23f543983368b253c991f83039738b0b78 |
| SHA512 | feaa8599ae3d408c034a19eb83406c2738fa809ee33fa6d9a8cb0ebe32fce78339c0c5c71de925628efc13ddb90d821a07557b557f71f0df386bc0e3b219d50b |
C:\Users\Admin\AppData\Local\Temp\E4B4.tmp\dsfOggMux.dll
| MD5 | 65889701199e41ae2abee652a232af6e |
| SHA1 | 3f76c39fde130b550013a4f13bfea2862b5628cf |
| SHA256 | ef12a65d861a14aed28480946bc56fce479a21e9beac2983239eac6551d4f32e |
| SHA512 | edbb1a1541a546d69e3fd64047a20613b47b3c08f2b639a53160b825c4a1462c4cc08a7bf417aa2db814f412fb16619c6c0d9364e21cc1c6d753ecf81f1d30f5 |
C:\Users\Admin\AppData\Local\Temp\E4B4.tmp\dsfTheoraEncoder.dll
| MD5 | 5f2fc8a0d96a1e796a4daae9465f5dd6 |
| SHA1 | 224f13f3cbaa441c0cb6d6300715fda7136408ea |
| SHA256 | f8686d8752801bb21c3d94ebe743758d79b9b59f33589ec8620e75a949d1871f |
| SHA512 | da866275159b434205f259176c3937b7c77b14ed95d052152b05b984909e094bbd3b2702d3e874a4a1e1bc02fc5a8476ea43df8aee43542d56e832eacc8f54ad |
C:\Users\Admin\AppData\Local\Temp\E4B4.tmp\dsfVorbisEncoder.dll
| MD5 | 086a9fd9179aad7911561eeff08cf7e2 |
| SHA1 | d390c28376e08769a06a4a8b46609b3a668f728b |
| SHA256 | 2cede6701b73a4ddd6422fde157ea54644a3a9598b3ba217cf2b30b595cf6282 |
| SHA512 | a98f593a306208da49e57e265daf37d6b1bd9f190fba45d65dd6cfa08801b760f540ea5cc443f9a1512eb5ddc01b1e4e28fc8ddecb9c0f1d42c884c4efaa7193 |
C:\Users\Admin\AppData\Local\Temp\E4B4.tmp\Russian.lg
| MD5 | 4f4db409d18a2b1dcaff9950b05dbb0d |
| SHA1 | 94e46fdc96864986a2e2ccd28601cf515a26af59 |
| SHA256 | e9856da8ab65fb68541c4799afb74d04bd11a83ca85ec94fdda3ef9845a87d5e |
| SHA512 | 7fa97d7844fd308247fe644e5dbcac8c23601a490a265b56d794a64ac35c197b26c0caf2f28574bd3cf16a6941a4ad13bf4a59e8d5f0ea675e7936ea2e5b3d22 |
C:\Users\Admin\AppData\Local\Temp\E4B4.tmp\English.lg
| MD5 | 2be21177d718a15864654289f0af055d |
| SHA1 | 8e342cc491e2357e505e5e9a913d897d244ef43c |
| SHA256 | e7d8c3cbe405c2827a8f1e5a1ba83db64c28a1f3ed3e921549bbf3a5d9cb009b |
| SHA512 | 830560a25b53c9b376fc3064cf85e1f19d8bb470daf0f566bcbd649fa0b41a0c15a4ecb8ea9986df31f170ec607fa7f8e6cd0e4b18033d029f894da0d3a22144 |
C:\Users\Admin\AppData\Local\Temp\E4B4.tmp\HookDrv.dll
| MD5 | 895d68b21984db50bfbffc88d289f5da |
| SHA1 | 2cc6625e1fcdeac9dceb6a0f381f52ba574365a8 |
| SHA256 | d3b6c19376b95cb9501181b42b7cbebd44b994d9652ef5fc103eec0d747b8e7d |
| SHA512 | 7d4d78b985c13fcd3ea835db7eab5373881257830e2f3f8cac3efc22b1e6d38ac99d1245539cf286beb6f67f077bb2582980c9f7c4250fd8546ff65edabcd68b |
C:\Users\Admin\AppData\Local\Temp\E4B4.tmp\wmiaprplreg.exe
| MD5 | c4f64f1b9c449efecaf2602b682ad4f5 |
| SHA1 | caca5e3b75107d47112bf7c6933892b6c5f6a369 |
| SHA256 | a41f73c715138f77653a2538f0bcb78e74c19961b145fa5bb7bf1d756fe5b504 |
| SHA512 | f9df3ba58514ddc5e6ef208082f8e0e35adea345d9f8c3629e1b02c7886a7e8ea0515c4d48aeea86c0a656c3c096e85ad8a291fcad62a72081c03bc60122eef5 |
C:\Users\Admin\AppData\Local\Temp\E4B4.tmp\Microsoft.VC80.CRT.manifest
| MD5 | d34b3da03c59f38a510eaa8ccc151ec7 |
| SHA1 | 41b978588a9902f5e14b2b693973cb210ed900b2 |
| SHA256 | a50941352cb9d8f7ba6fbf7db5c8af95fb5ab76fc5d60cfd0984e558678908cc |
| SHA512 | 231a97761d652a0fc133b930abba07d456ba6cd70703a632fd7292f6ee00e50ef28562159e54acc3fc6cc118f766ea3f2f8392579ae31cc9c0c1c0dd761d36f7 |
C:\Users\Admin\AppData\Local\Temp\E4B4.tmp\msvcp80.dll
| MD5 | 8c53ccd787c381cd535d8dcca12584d8 |
| SHA1 | bc7ce60270a58450596aa3e3e5d0a99f731333d9 |
| SHA256 | 384aaee2a103f7ed5c3ba59d4fb2ba22313aaa1fbc5d232c29dbc14d38e0b528 |
| SHA512 | e86c1426f1ad62d8f9bb1196dee647477f71b9aacafabb181f35e639c105779f95f1576b72c0a9216e876430383b8d44f27748b13c25e0548c254a0f641e4755 |
C:\Users\Admin\AppData\Local\Temp\E4B4.tmp\msvcr80.dll
| MD5 | 1169436ee42f860c7db37a4692b38f0e |
| SHA1 | 4ccd15bf2c1b1d541ac883b0f42497e8ced6a5a3 |
| SHA256 | 9382aaed2db19cd75a70e38964f06c63f19f63c9dfb5a33b0c2d445bb41b6e46 |
| SHA512 | e06064eb95a2ab9c3343672072f5b3f5983fc8ea9e5c92f79e50ba2e259d6d5fa8ed97170dea6d0d032ea6c01e074eefaab850d28965c7522fb7e03d9c65eae0 |
C:\Users\Admin\AppData\Local\Temp\E4B4.tmp\PushSource.ax
| MD5 | fb755251b8b9ac0f35494854f21ccdbf |
| SHA1 | 32de2cbfaf4a6d773f3b94af8e2a6cf66a01eabb |
| SHA256 | ecbc5b49263df7950fd7329dfd44d5ad4da77845ffd1981afe3bd6798e1cd9f5 |
| SHA512 | a78d76ebefaa276f811b16b22caf84045982b305c13efb824db8b16b668fe07421486711567bfe83ecd4509a7b2896a0decaff624209c159f5a9e8b3e1dce215 |
C:\Users\Admin\AppData\Local\Temp\E4B4.tmp\RManFUSClient.exe
| MD5 | 862035e253f8775c2e6713bcda90d1a5 |
| SHA1 | a799849789427c527b97be67b4e394d7db02a5a2 |
| SHA256 | 50bed7c1dd0141f2ed1cb5f78574d060d004eecb0ac71606e3a68ae36caa3c39 |
| SHA512 | 86de46aa69c36712cb01f3e27948491906a1dd065066629d2b5c9bf25aeaf2053b87c0f8144a8308e0130a2f0385fd507611e61b8540728684b3367a4e06f602 |
C:\Users\Admin\AppData\Local\Temp\E4B4.tmp\RManIpcServer.dll
| MD5 | 7d94872e3bbf6b60aec6bfe03f2423d7 |
| SHA1 | 67dd0a451e5a5247d077ffe347f404a0334b2d10 |
| SHA256 | a39ffbec4e0df7ad55467e2954d7cbb47b8116c46e348d419daed65bf55744e7 |
| SHA512 | 25835b2d7ed18e85ab2939e00c1de66dd7a79dd95c08b692f97f6eb9217cc43a665eeaae5e7d216581ef5fa418353b24fc9f7d9b9ff022a6057b9801968a827b |
C:\Users\Admin\AppData\Local\Temp\E4B4.tmp\RManServer.exe
| MD5 | e06b936f7277739fdde705b051a8aab0 |
| SHA1 | 5235c6f00187e048d0691e49127ebadc995f3b12 |
| SHA256 | 07a9cb3d133cd2b8b7daccca1b7bd9e5b40341d97a5490b2001e291fc35ce60f |
| SHA512 | 53c8d5aa09ff87ace1276c0ebe988f38be49dc3abbed377d7843fa983c30c9adb9c550d1ff9e0afc465611836476b1d8335fac6e917ac41c2cab0f34ff6aea87 |
C:\Users\Admin\AppData\Local\Temp\E4B4.tmp\RManWLN.dll
| MD5 | 4ed36e9479243d9426b196f306d21d04 |
| SHA1 | e102a9b2a8101b1105f6e3996df3ce6af17f31f4 |
| SHA256 | f54a5149b1df0f141ca14844fd38458761ebd43bdd63e7f516a88370ac0c917d |
| SHA512 | 46d94a53d0871d7ff728a2b6afd39b83978b37241e7f3e01e0d6e79de57ff81f20e081f4f210efd294ce274e5a79934078de4662d4da974a3279e5d6c93df5af |
\Windows\SysWOW64\wbem\RManServer.exe
| MD5 | e06b936f7277739fdde705b051a8aab0 |
| SHA1 | 5235c6f00187e048d0691e49127ebadc995f3b12 |
| SHA256 | 07a9cb3d133cd2b8b7daccca1b7bd9e5b40341d97a5490b2001e291fc35ce60f |
| SHA512 | 53c8d5aa09ff87ace1276c0ebe988f38be49dc3abbed377d7843fa983c30c9adb9c550d1ff9e0afc465611836476b1d8335fac6e917ac41c2cab0f34ff6aea87 |
C:\Windows\SysWOW64\wbem\RManServer.exe
| MD5 | e06b936f7277739fdde705b051a8aab0 |
| SHA1 | 5235c6f00187e048d0691e49127ebadc995f3b12 |
| SHA256 | 07a9cb3d133cd2b8b7daccca1b7bd9e5b40341d97a5490b2001e291fc35ce60f |
| SHA512 | 53c8d5aa09ff87ace1276c0ebe988f38be49dc3abbed377d7843fa983c30c9adb9c550d1ff9e0afc465611836476b1d8335fac6e917ac41c2cab0f34ff6aea87 |
memory/1708-74-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Windows\SysWOW64\wbem\RManWLN.dll
| MD5 | 4ed36e9479243d9426b196f306d21d04 |
| SHA1 | e102a9b2a8101b1105f6e3996df3ce6af17f31f4 |
| SHA256 | f54a5149b1df0f141ca14844fd38458761ebd43bdd63e7f516a88370ac0c917d |
| SHA512 | 46d94a53d0871d7ff728a2b6afd39b83978b37241e7f3e01e0d6e79de57ff81f20e081f4f210efd294ce274e5a79934078de4662d4da974a3279e5d6c93df5af |
\Windows\SysWOW64\wbem\RManServer.exe
| MD5 | e06b936f7277739fdde705b051a8aab0 |
| SHA1 | 5235c6f00187e048d0691e49127ebadc995f3b12 |
| SHA256 | 07a9cb3d133cd2b8b7daccca1b7bd9e5b40341d97a5490b2001e291fc35ce60f |
| SHA512 | 53c8d5aa09ff87ace1276c0ebe988f38be49dc3abbed377d7843fa983c30c9adb9c550d1ff9e0afc465611836476b1d8335fac6e917ac41c2cab0f34ff6aea87 |
C:\Windows\SysWOW64\wbem\RManServer.exe
| MD5 | e06b936f7277739fdde705b051a8aab0 |
| SHA1 | 5235c6f00187e048d0691e49127ebadc995f3b12 |
| SHA256 | 07a9cb3d133cd2b8b7daccca1b7bd9e5b40341d97a5490b2001e291fc35ce60f |
| SHA512 | 53c8d5aa09ff87ace1276c0ebe988f38be49dc3abbed377d7843fa983c30c9adb9c550d1ff9e0afc465611836476b1d8335fac6e917ac41c2cab0f34ff6aea87 |
memory/1308-79-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E4B4.tmp\settings.reg
| MD5 | 83d486604197f7fb32fe3c789a6876ee |
| SHA1 | 44c0c1d53547e3a2125ed697c3a34c1474b0ae8b |
| SHA256 | 219e8555b859ecf3740b49dc5f4d99774ecc0d73a6b4702ee4865e7ba4a19c0c |
| SHA512 | 01c33e13cf00a20caba3c1d7eeda1132621f0c64b63b774418f6268caac159d12a2eb1042b18fe6095f1ecdb16826b6d668d96cf35100173d946c43fa9aa5750 |
\Windows\SysWOW64\wbem\RManServer.exe
| MD5 | e06b936f7277739fdde705b051a8aab0 |
| SHA1 | 5235c6f00187e048d0691e49127ebadc995f3b12 |
| SHA256 | 07a9cb3d133cd2b8b7daccca1b7bd9e5b40341d97a5490b2001e291fc35ce60f |
| SHA512 | 53c8d5aa09ff87ace1276c0ebe988f38be49dc3abbed377d7843fa983c30c9adb9c550d1ff9e0afc465611836476b1d8335fac6e917ac41c2cab0f34ff6aea87 |
C:\Windows\SysWOW64\wbem\RManServer.exe
| MD5 | e06b936f7277739fdde705b051a8aab0 |
| SHA1 | 5235c6f00187e048d0691e49127ebadc995f3b12 |
| SHA256 | 07a9cb3d133cd2b8b7daccca1b7bd9e5b40341d97a5490b2001e291fc35ce60f |
| SHA512 | 53c8d5aa09ff87ace1276c0ebe988f38be49dc3abbed377d7843fa983c30c9adb9c550d1ff9e0afc465611836476b1d8335fac6e917ac41c2cab0f34ff6aea87 |
C:\Windows\SysWOW64\wbem\RManServer.exe
| MD5 | e06b936f7277739fdde705b051a8aab0 |
| SHA1 | 5235c6f00187e048d0691e49127ebadc995f3b12 |
| SHA256 | 07a9cb3d133cd2b8b7daccca1b7bd9e5b40341d97a5490b2001e291fc35ce60f |
| SHA512 | 53c8d5aa09ff87ace1276c0ebe988f38be49dc3abbed377d7843fa983c30c9adb9c550d1ff9e0afc465611836476b1d8335fac6e917ac41c2cab0f34ff6aea87 |
memory/2020-87-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/1332-88-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Windows\SysWOW64\wbem\English.lg
| MD5 | 2be21177d718a15864654289f0af055d |
| SHA1 | 8e342cc491e2357e505e5e9a913d897d244ef43c |
| SHA256 | e7d8c3cbe405c2827a8f1e5a1ba83db64c28a1f3ed3e921549bbf3a5d9cb009b |
| SHA512 | 830560a25b53c9b376fc3064cf85e1f19d8bb470daf0f566bcbd649fa0b41a0c15a4ecb8ea9986df31f170ec607fa7f8e6cd0e4b18033d029f894da0d3a22144 |
C:\Windows\SysWOW64\wbem\RManFUSClient.exe
| MD5 | 862035e253f8775c2e6713bcda90d1a5 |
| SHA1 | a799849789427c527b97be67b4e394d7db02a5a2 |
| SHA256 | 50bed7c1dd0141f2ed1cb5f78574d060d004eecb0ac71606e3a68ae36caa3c39 |
| SHA512 | 86de46aa69c36712cb01f3e27948491906a1dd065066629d2b5c9bf25aeaf2053b87c0f8144a8308e0130a2f0385fd507611e61b8540728684b3367a4e06f602 |
C:\Windows\SysWOW64\wbem\Russian.lg
| MD5 | 4f4db409d18a2b1dcaff9950b05dbb0d |
| SHA1 | 94e46fdc96864986a2e2ccd28601cf515a26af59 |
| SHA256 | e9856da8ab65fb68541c4799afb74d04bd11a83ca85ec94fdda3ef9845a87d5e |
| SHA512 | 7fa97d7844fd308247fe644e5dbcac8c23601a490a265b56d794a64ac35c197b26c0caf2f28574bd3cf16a6941a4ad13bf4a59e8d5f0ea675e7936ea2e5b3d22 |
\Windows\SysWOW64\wbem\RManFUSClient.exe
| MD5 | 862035e253f8775c2e6713bcda90d1a5 |
| SHA1 | a799849789427c527b97be67b4e394d7db02a5a2 |
| SHA256 | 50bed7c1dd0141f2ed1cb5f78574d060d004eecb0ac71606e3a68ae36caa3c39 |
| SHA512 | 86de46aa69c36712cb01f3e27948491906a1dd065066629d2b5c9bf25aeaf2053b87c0f8144a8308e0130a2f0385fd507611e61b8540728684b3367a4e06f602 |
C:\Windows\SysWOW64\wbem\RManFUSClient.exe
| MD5 | 862035e253f8775c2e6713bcda90d1a5 |
| SHA1 | a799849789427c527b97be67b4e394d7db02a5a2 |
| SHA256 | 50bed7c1dd0141f2ed1cb5f78574d060d004eecb0ac71606e3a68ae36caa3c39 |
| SHA512 | 86de46aa69c36712cb01f3e27948491906a1dd065066629d2b5c9bf25aeaf2053b87c0f8144a8308e0130a2f0385fd507611e61b8540728684b3367a4e06f602 |
C:\Windows\SysWOW64\wbem\RManFUSClient.exe
| MD5 | 862035e253f8775c2e6713bcda90d1a5 |
| SHA1 | a799849789427c527b97be67b4e394d7db02a5a2 |
| SHA256 | 50bed7c1dd0141f2ed1cb5f78574d060d004eecb0ac71606e3a68ae36caa3c39 |
| SHA512 | 86de46aa69c36712cb01f3e27948491906a1dd065066629d2b5c9bf25aeaf2053b87c0f8144a8308e0130a2f0385fd507611e61b8540728684b3367a4e06f602 |
\Windows\SysWOW64\wbem\wmiaprplreg.exe
| MD5 | c4f64f1b9c449efecaf2602b682ad4f5 |
| SHA1 | caca5e3b75107d47112bf7c6933892b6c5f6a369 |
| SHA256 | a41f73c715138f77653a2538f0bcb78e74c19961b145fa5bb7bf1d756fe5b504 |
| SHA512 | f9df3ba58514ddc5e6ef208082f8e0e35adea345d9f8c3629e1b02c7886a7e8ea0515c4d48aeea86c0a656c3c096e85ad8a291fcad62a72081c03bc60122eef5 |
C:\Windows\SysWOW64\wbem\wmiaprplreg.exe
| MD5 | c4f64f1b9c449efecaf2602b682ad4f5 |
| SHA1 | caca5e3b75107d47112bf7c6933892b6c5f6a369 |
| SHA256 | a41f73c715138f77653a2538f0bcb78e74c19961b145fa5bb7bf1d756fe5b504 |
| SHA512 | f9df3ba58514ddc5e6ef208082f8e0e35adea345d9f8c3629e1b02c7886a7e8ea0515c4d48aeea86c0a656c3c096e85ad8a291fcad62a72081c03bc60122eef5 |
C:\Users\Admin\AppData\Local\Temp\18FD.tmp\wmiaprplreg.bat
| MD5 | 0b13775a4b63c796d1f09d2ff65be87e |
| SHA1 | 22bb7abe20e16833500b9781b1a80a4ba36b497d |
| SHA256 | 5c1234b1690eb8e5a4aa9c6bd52684e997983db56a975c6713604eab4919cf5a |
| SHA512 | 95c2cedbc6ef1a0960e2d79d0541ce4dd9c26274dce6f6077aaf27dadf3a473efd40f9b61c31ab305281fdd22278d933dd347f6218ba0692975ebac139494359 |
\Users\Admin\AppData\Local\Temp\18FD.tmp\wmiaprplreg.exe
| MD5 | 11a10ad5ab216eef7e41eb8174e96588 |
| SHA1 | 87589c6e2f3fe1f31e4e8bf0fd903278c87aea07 |
| SHA256 | 994d9a56da77236a7e4c5049cd8a16f1a1d5a4b7f36b65d8e5fb2660453f2fc5 |
| SHA512 | 817ddf4e74eaa50cf95248dcd4441ed5a104dfa4142b66049bbc908dc33f6b784ef531059ca3e0bb2ff5c5bd9f33fb5ad9664693edcaa8c47436d2e42b312ff5 |
C:\Users\Admin\AppData\Local\Temp\18FD.tmp\wmiaprplreg.exe
| MD5 | 11a10ad5ab216eef7e41eb8174e96588 |
| SHA1 | 87589c6e2f3fe1f31e4e8bf0fd903278c87aea07 |
| SHA256 | 994d9a56da77236a7e4c5049cd8a16f1a1d5a4b7f36b65d8e5fb2660453f2fc5 |
| SHA512 | 817ddf4e74eaa50cf95248dcd4441ed5a104dfa4142b66049bbc908dc33f6b784ef531059ca3e0bb2ff5c5bd9f33fb5ad9664693edcaa8c47436d2e42b312ff5 |
\Users\Admin\AppData\Local\Temp\18FD.tmp\wmiaprplreg.exe
| MD5 | 11a10ad5ab216eef7e41eb8174e96588 |
| SHA1 | 87589c6e2f3fe1f31e4e8bf0fd903278c87aea07 |
| SHA256 | 994d9a56da77236a7e4c5049cd8a16f1a1d5a4b7f36b65d8e5fb2660453f2fc5 |
| SHA512 | 817ddf4e74eaa50cf95248dcd4441ed5a104dfa4142b66049bbc908dc33f6b784ef531059ca3e0bb2ff5c5bd9f33fb5ad9664693edcaa8c47436d2e42b312ff5 |
C:\Users\Admin\AppData\Local\Temp\18FD.tmp\wmiaprplreg.exe
| MD5 | 11a10ad5ab216eef7e41eb8174e96588 |
| SHA1 | 87589c6e2f3fe1f31e4e8bf0fd903278c87aea07 |
| SHA256 | 994d9a56da77236a7e4c5049cd8a16f1a1d5a4b7f36b65d8e5fb2660453f2fc5 |
| SHA512 | 817ddf4e74eaa50cf95248dcd4441ed5a104dfa4142b66049bbc908dc33f6b784ef531059ca3e0bb2ff5c5bd9f33fb5ad9664693edcaa8c47436d2e42b312ff5 |
memory/992-107-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1196-106-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E4B4.tmp\wmiaprpl.exe
| MD5 | a017fe53a6d0ee96592970a9acf59a3d |
| SHA1 | 769a37b2e704cf84357f3c1447eb86c0b8faf274 |
| SHA256 | 66fc13a697462c2e79746ffd80c5ac3e1bfbffb9c97e55593308e10edbcb2f6c |
| SHA512 | c8c60e37779cd799ae310d2512b913718768a5d360c3bec60a8e8f77571d71873acb49697fb230233b6e913da9bb71af8db290773a7992256f13654a6834f61d |
C:\Windows\SysWOW64\wbem\wmiaprpl.exe
| MD5 | aef754b69e6d8bdfc0ca167f8197431c |
| SHA1 | 0ede36c8fa892bae3d7d1fd8d08dc22c15d54923 |
| SHA256 | f99280b5e3cd988d7bd34ae35512e4076d41a0a27493590c9636af2f14eb7383 |
| SHA512 | 4a0260359e3f10a21cb4831d316e89ea08f0be21fc8333cf22e489ffb43f3b1ed4934c24f2643c9fe035fa942f2c4dc53ab259e723d4c8b1c4e59b106fe925bd |
\Windows\SysWOW64\wbem\wmiaprpl.exe
| MD5 | a017fe53a6d0ee96592970a9acf59a3d |
| SHA1 | 769a37b2e704cf84357f3c1447eb86c0b8faf274 |
| SHA256 | 66fc13a697462c2e79746ffd80c5ac3e1bfbffb9c97e55593308e10edbcb2f6c |
| SHA512 | c8c60e37779cd799ae310d2512b913718768a5d360c3bec60a8e8f77571d71873acb49697fb230233b6e913da9bb71af8db290773a7992256f13654a6834f61d |
\Windows\SysWOW64\wbem\wmiaprpl.exe
| MD5 | a017fe53a6d0ee96592970a9acf59a3d |
| SHA1 | 769a37b2e704cf84357f3c1447eb86c0b8faf274 |
| SHA256 | 66fc13a697462c2e79746ffd80c5ac3e1bfbffb9c97e55593308e10edbcb2f6c |
| SHA512 | c8c60e37779cd799ae310d2512b913718768a5d360c3bec60a8e8f77571d71873acb49697fb230233b6e913da9bb71af8db290773a7992256f13654a6834f61d |
C:\Windows\SysWOW64\wbem\wmiaprpl.exe
| MD5 | a017fe53a6d0ee96592970a9acf59a3d |
| SHA1 | 769a37b2e704cf84357f3c1447eb86c0b8faf274 |
| SHA256 | 66fc13a697462c2e79746ffd80c5ac3e1bfbffb9c97e55593308e10edbcb2f6c |
| SHA512 | c8c60e37779cd799ae310d2512b913718768a5d360c3bec60a8e8f77571d71873acb49697fb230233b6e913da9bb71af8db290773a7992256f13654a6834f61d |
C:\Users\Admin\AppData\Local\Temp\~1E69.bat
| MD5 | 5b1771aff999fd1a821960cbc5f962d5 |
| SHA1 | 7b81fda84d297f5c38719a0cd4778c6010b1c070 |
| SHA256 | c18aa3f93deb71df98d11e307d03ce58438464ad6f8f3c51b158b9c722486a95 |
| SHA512 | 59da40b1da511b4f63fa6577187d0d47fa4bc88f6a5526fc1398a69a276612b5e91bc39215e328eed2745932ec82b7a669d280463e63926e05393659c7aff5cc |