Analysis

  • max time kernel
    190s
  • max time network
    216s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    02-05-2022 18:51

General

  • Target

    6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe

  • Size

    4.4MB

  • MD5

    2d964916b664386abe7561039b62231f

  • SHA1

    c72b18c84ffc1cb5a8e9b7a876aa4830bff6e7cc

  • SHA256

    6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1

  • SHA512

    0c18454815efe42302de19d8c1f35b5e54a3ce2f5359f4bcce4f295f88bb823c61fd31edcc95cc1a78a8f08c3460508aaaefeed880fa5f5d06026900ded0f709

Score
10/10

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by the Russian organization TektonIT. It is commercially sold administration software, but the chain in this report installs it silently from a staging directory, kills any running instance, deletes its registry key, hides C:\Program Files\RMS with attrib +s +h and imports a prepared regedit.reg configuration, which is how it is abused as a covert RAT rather than how an administrator installs it.

  • Executes dropped EXE 9 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 21 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature is "likely ransomware behaviour", but nothing else in this report supports that reading; in an RMS installation it is more consistent with the remote-access tool enumerating drives.

  • Delays execution with timeout.exe 3 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies registry class 2 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe
    "C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\control\start.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Users\Admin\AppData\Roaming\Windows\control\run.exe
        "C:\Users\Admin\AppData\Roaming\Windows\control\run.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
          4⤵
            PID:3204
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ytmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ytmp"
            4⤵
              PID:636
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4696
              • C:\Windows\SysWOW64\attrib.exe
                attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
                5⤵
                • Views/modifies file attributes
                PID:3648
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c cls
              4⤵
                PID:3460
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c cls
                4⤵
                  PID:4836
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c cls
                  4⤵
                    PID:4832
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c cls
                    4⤵
                      PID:4924
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c cls
                      4⤵
                        PID:376
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c cls
                        4⤵
                          PID:5116
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c cls
                          4⤵
                            PID:1600
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp17910.bat" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp17910.bat"
                            4⤵
                              PID:952
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp26570.exe" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp26570.exe"
                              4⤵
                                PID:3928
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytmp\tmp17910.bat "C:\Users\Admin\AppData\Roaming\Windows\control\run.exe"
                                4⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1312
                                • C:\Users\Admin\AppData\Roaming\Windows\control\data.exe
                                  data.exe -p4387548329574239857234 -d C:\Log
                                  5⤵
                                  • Executes dropped EXE
                                  • Checks computer location settings
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:1000
                                  • C:\Windows\SysWOW64\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Log\start.vbs"
                                    6⤵
                                    • Checks computer location settings
                                    • Suspicious use of WriteProcessMemory
                                    PID:3640
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Log\install.bat" "
                                      7⤵
                                      • Drops file in Program Files directory
                                      • Suspicious use of WriteProcessMemory
                                      PID:1964
                                      • C:\Windows\SysWOW64\taskkill.exe
                                        taskkill /f /im rutserv.exe
                                        8⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:392
                                      • C:\Windows\SysWOW64\taskkill.exe
                                        taskkill /f /im rfusclient.exe
                                        8⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1304
                                      • C:\Windows\SysWOW64\reg.exe
                                        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
                                        8⤵
                                          PID:4984
                                        • C:\Windows\SysWOW64\attrib.exe
                                          attrib +s +h "C:\Program Files\RMS"
                                          8⤵
                                          • Drops file in Program Files directory
                                          • Views/modifies file attributes
                                          PID:4968
                                        • C:\Windows\SysWOW64\timeout.exe
                                          timeout 1
                                          8⤵
                                          • Delays execution with timeout.exe
                                          PID:4788
                                        • C:\Windows\SysWOW64\timeout.exe
                                          timeout 2
                                          8⤵
                                          • Delays execution with timeout.exe
                                          PID:2516
                                        • C:\Windows\SysWOW64\attrib.exe
                                          attrib +s +h "C:\Program Files\RMS\*.*"
                                          8⤵
                                          • Drops file in Program Files directory
                                          • Views/modifies file attributes
                                          PID:2256
                                        • C:\Windows\SysWOW64\attrib.exe
                                          attrib -s -h "C:\Program Files\RMS\rfusclient.exe"
                                          8⤵
                                          • Drops file in Program Files directory
                                          • Views/modifies file attributes
                                          PID:3752
                                        • C:\Windows\SysWOW64\attrib.exe
                                          attrib -s -h "C:\Program Files\RMS\rutserv.exe"
                                          8⤵
                                          • Drops file in Program Files directory
                                          • Views/modifies file attributes
                                          PID:1468
                                        • C:\Windows\SysWOW64\regedit.exe
                                          regedit /s regedit.reg
                                          8⤵
                                          • Runs .reg file with regedit
                                          PID:3448
                                        • C:\Program Files\RMS\rutserv.exe
                                          rutserv.exe /silentinstall
                                          8⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of SetWindowsHookEx
                                          PID:2804
                                        • C:\Program Files\RMS\rutserv.exe
                                          rutserv.exe /firewall
                                          8⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of SetWindowsHookEx
                                          PID:4184
                                        • C:\Program Files\RMS\rutserv.exe
                                          rutserv.exe /start
                                          8⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of SetWindowsHookEx
                                          PID:5068
                                        • C:\Windows\SysWOW64\timeout.exe
                                          timeout 3
                                          8⤵
                                          • Delays execution with timeout.exe
                                          PID:4728
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp17910.bat" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp17910.bat"
                                  4⤵
                                    PID:1628
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp26570.exe" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp26570.exe"
                                    4⤵
                                      PID:648
                              • C:\Program Files\RMS\rutserv.exe
                                "C:\Program Files\RMS\rutserv.exe"
                                1⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of SetWindowsHookEx
                                PID:2476
                                • C:\Program Files\RMS\rfusclient.exe
                                  "C:\Program Files\RMS\rfusclient.exe" /tray
                                  2⤵
                                  • Executes dropped EXE
                                  PID:5056
                                • C:\Program Files\RMS\rfusclient.exe
                                  "C:\Program Files\RMS\rfusclient.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:432
                                  • C:\Program Files\RMS\rfusclient.exe
                                    "C:\Program Files\RMS\rfusclient.exe" /tray
                                    3⤵
                                    • Executes dropped EXE
                                    PID:1096
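The install.bat stage above (taskkill of rutserv.exe and rfusclient.exe, reg delete of "HKLM\SYSTEM\Remote Manipulator System", attrib +s +h on C:\Program Files\RMS, regedit /s regedit.reg, then rutserv.exe /silentinstall, /firewall and /start) is the part of this tree worth alerting on, because a lone rutserv.exe /silentinstall is also what a legitimate administrator install looks like. The following is an added example, not sandbox or TektonIT code: it correlates those stages per parent process over constructed process-creation events whose PIDs and command lines are copied from the tree, in a Sysmon-like {pid, ppid, image, cmdline} shape that is an assumption, and it only fires when several stages share one parent.

```python
"""Stage correlation for the silent RMS install chain in the process tree above.

Added example for this report page, not sandbox or vendor code. Event fields
(pid, ppid, image, cmdline) are an assumption modelled on Sysmon Event ID 1;
the events themselves are constructed from the tree, plus one benign control.
"""
import re
from collections import defaultdict

# Constructed events: level-8 children of cmd.exe PID 1964 (install.bat) as
# shown above, then a constructed benign control where an admin runs the
# silent installer on its own (parent PID 7000 does nothing else).
EVENTS = [
    {"pid": 1964, "ppid": 3640, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Log\install.bat" "'},
    {"pid": 392, "ppid": 1964, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": "taskkill /f /im rutserv.exe"},
    {"pid": 1304, "ppid": 1964, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": "taskkill /f /im rfusclient.exe"},
    {"pid": 4984, "ppid": 1964, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'reg delete "HKLM\SYSTEM\Remote Manipulator System" /f'},
    {"pid": 4968, "ppid": 1964, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r'attrib +s +h "C:\Program Files\RMS"'},
    {"pid": 3448, "ppid": 1964, "image": r"C:\Windows\SysWOW64\regedit.exe",
     "cmdline": "regedit /s regedit.reg"},
    {"pid": 2804, "ppid": 1964, "image": r"C:\Program Files\RMS\rutserv.exe",
     "cmdline": "rutserv.exe /silentinstall"},
    {"pid": 4184, "ppid": 1964, "image": r"C:\Program Files\RMS\rutserv.exe",
     "cmdline": "rutserv.exe /firewall"},
    # Benign control (constructed): only the installer, no pre-cleanup/hiding.
    {"pid": 7001, "ppid": 7000, "image": r"C:\Program Files\RMS\rutserv.exe",
     "cmdline": "rutserv.exe /silentinstall"},
]

# One regex per stage of the chain, matched against "image cmdline".
# The "-s -h" un-hiding of the two EXEs is deliberately not a stage: "\+h"
# only matches the hiding, which is the suspicious part.
STAGES = [
    ("kill_existing_rms",
     re.compile(r"taskkill\b.*/im\s+(rutserv|rfusclient)\.exe", re.I)),
    ("wipe_rms_regkey",
     re.compile(r'reg(\.exe)?\s+delete\s+"HKLM\\SYSTEM\\Remote Manipulator System"', re.I)),
    ("hide_install_dir",
     re.compile(r"attrib\b.*\+h.*\\RMS", re.I)),
    ("import_reg_config",
     re.compile(r"regedit(\.exe)?\s+/s\s+\S+\.reg", re.I)),
    ("silent_install",
     re.compile(r"rutserv\.exe\s+/silentinstall", re.I)),
    ("firewall_exception",
     re.compile(r"rutserv\.exe\s+/firewall", re.I)),
]


def stages_by_parent(events):
    """Map each parent PID to the set of chain stages seen among its direct children."""
    seen = defaultdict(set)
    for ev in events:
        text = f"{ev['image']} {ev['cmdline']}"
        for name, pattern in STAGES:
            if pattern.search(text):
                seen[ev["ppid"]].add(name)
    return seen


def detect(events, min_stages=3):
    """Return {parent_pid: sorted stage names} for parents reaching min_stages.

    Requiring several stages under one parent is what separates this dropper's
    install.bat from an administrator running rutserv.exe /silentinstall alone.
    """
    return {ppid: sorted(names)
            for ppid, names in stages_by_parent(events).items()
            if len(names) >= min_stages}


if __name__ == "__main__":
    for ppid, names in detect(EVENTS).items():
        print(f"parent PID {ppid}: covert RMS install chain, stages={names}")
```

Tune min_stages to the environment: in a fleet that never deploys RMS, even two stages under one parent are worth a ticket; where RMS is sanctioned, keep the threshold high and treat hide_install_dir and wipe_rms_regkey as the decisive signals.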

                              Network

                              MITRE ATT&CK Enterprise v6

                              Downloads

                              • C:\Log\install.bat

                                Filesize

                                959B

                                MD5

                                f02f205c3aa7e6344e02d9ae24e0c1d8

                                SHA1

                                922a9ac42cfe6cf4a8c92b1c8f0966aa06bd16db

                                SHA256

                                e7a8b3a79a24e96abdbc31fa6e5888d9a7486f161fd99aa0211d39856bcd8f99

                                SHA512

                                8af98e7d161eb0bb90d8eee6f5ec424c029a62ae04fa6787de926044008db09f4a62eea2cf69c889cec219114d45fd15f0a729a27a688c5275b545f4280cfa9a

                              • C:\Log\regedit.reg

                                Filesize

                                12KB

                                MD5

                                4c8a6b9bfbfb9af122a791330e33dbc5

                                SHA1

                                77583460b3cbe89c77569cc6d8f701903069072e

                                SHA256

                                245ce8372b8a88ccad7e79600d9fe737f53f0a61b1951aa849b2a0bb7971eda0

                                SHA512

                                a37731d92e7ae803ce84dbf32806642df0895673e57dad131c799a6626fbc504eb1843dac9236eb61e17da381d853c20e1cc023b3db023adc4dc85667433f4c4

                              • C:\Log\rfusclient.exe

                                Filesize

                                5.1MB

                                MD5

                                e3c15e4d44c2b546d640b5808a9a2818

                                SHA1

                                090f6f75558614f19b970df39ebe1a87185f5a0c

                                SHA256

                                b6daf91fc45307fff001a61b9402ad19bd59dd72541427d39207991be6679219

                                SHA512

                                c5864116e95533d599ab8ee9a36b71ea38275fcc5e076489116cc1caea31fdd0c81cf2b5ea43e244ee38a92099e0388a042c7604f1deb2e4c6caf29a3314a494

                              • C:\Log\russian.lg

                                Filesize

                                48KB

                                MD5

                                37b80cc200e62cdb350f7c86ee61264c

                                SHA1

                                35885999a4dc527dfc6d67079c5f82dd4759d78d

                                SHA256

                                5c394e7f7e6571ea2de8ebf23d087d452ccfda4b7468db793ce11cafac3e92a1

                                SHA512

                                7c1831fdf6584eab78d63245295014ab9361fbfe30c4304c11b4d8ce3eca784d2528c3a3d5183bc05118ab4054ae90cfcfe6a7b1f666839dc45acf5bc4ac2481

                              • C:\Log\rutserv.exe

                                Filesize

                                6.0MB

                                MD5

                                8f6e38cc55206473121c8bf63fcbcf2d

                                SHA1

                                35504ce4bc1cea9e737a3be108cd428ab2251e1d

                                SHA256

                                fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57

                                SHA512

                                083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

                              • C:\Log\start.vbs

                                Filesize

                                117B

                                MD5

                                65fc32766a238ff3e95984e325357dbb

                                SHA1

                                3ac16a2648410be8aa75f3e2817fbf69bb0e8922

                                SHA256

                                a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420

                                SHA512

                                621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

                              • C:\Log\vp8decoder.dll

                                Filesize

                                378KB

                                MD5

                                d43fa82fab5337ce20ad14650085c5d9

                                SHA1

                                678aa092075ff65b6815ffc2d8fdc23af8425981

                                SHA256

                                c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

                                SHA512

                                103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

                              • C:\Log\vp8encoder.dll

                                Filesize

                                1.6MB

                                MD5

                                dab4646806dfca6d0e0b4d80fa9209d6

                                SHA1

                                8244dfe22ec2090eee89dad103e6b2002059d16a

                                SHA256

                                cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

                                SHA512

                                aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

                              • C:\Program Files\RMS\regedit.reg

                                Filesize

                                12KB

                                MD5

                                4c8a6b9bfbfb9af122a791330e33dbc5

                                SHA1

                                77583460b3cbe89c77569cc6d8f701903069072e

                                SHA256

                                245ce8372b8a88ccad7e79600d9fe737f53f0a61b1951aa849b2a0bb7971eda0

                                SHA512

                                a37731d92e7ae803ce84dbf32806642df0895673e57dad131c799a6626fbc504eb1843dac9236eb61e17da381d853c20e1cc023b3db023adc4dc85667433f4c4

                              • C:\Program Files\RMS\rfusclient.exe

                                Filesize

                                5.1MB

                                MD5

                                e3c15e4d44c2b546d640b5808a9a2818

                                SHA1

                                090f6f75558614f19b970df39ebe1a87185f5a0c

                                SHA256

                                b6daf91fc45307fff001a61b9402ad19bd59dd72541427d39207991be6679219

                                SHA512

                                c5864116e95533d599ab8ee9a36b71ea38275fcc5e076489116cc1caea31fdd0c81cf2b5ea43e244ee38a92099e0388a042c7604f1deb2e4c6caf29a3314a494

                              • C:\Program Files\RMS\russian.lg

                                Filesize

                                48KB

                                MD5

                                37b80cc200e62cdb350f7c86ee61264c

                                SHA1

                                35885999a4dc527dfc6d67079c5f82dd4759d78d

                                SHA256

                                5c394e7f7e6571ea2de8ebf23d087d452ccfda4b7468db793ce11cafac3e92a1

                                SHA512

                                7c1831fdf6584eab78d63245295014ab9361fbfe30c4304c11b4d8ce3eca784d2528c3a3d5183bc05118ab4054ae90cfcfe6a7b1f666839dc45acf5bc4ac2481

                              • C:\Program Files\RMS\rutserv.exe

                                Filesize

                                6.0MB

                                MD5

                                8f6e38cc55206473121c8bf63fcbcf2d

                                SHA1

                                35504ce4bc1cea9e737a3be108cd428ab2251e1d

                                SHA256

                                fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57

                                SHA512

                                083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

                              • C:\Program Files\RMS\vp8decoder.dll

                                Filesize

                                378KB

                                MD5

                                d43fa82fab5337ce20ad14650085c5d9

                                SHA1

                                678aa092075ff65b6815ffc2d8fdc23af8425981

                                SHA256

                                c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

                                SHA512

                                103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

                              • C:\Program Files\RMS\vp8encoder.dll

                                Filesize

                                1.6MB

                                MD5

                                dab4646806dfca6d0e0b4d80fa9209d6

                                SHA1

                                8244dfe22ec2090eee89dad103e6b2002059d16a

                                SHA256

                                cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

                                SHA512

                                aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

                              • C:\Users\Admin\AppData\Local\Temp\ytmp\tmp17910.bat

                                Filesize

                                231B

                                MD5

                                b4e641b6d4270e78c83ca4b207b80325

                                SHA1

                                47a5202e6b8c8d3577f37a9923bc820d0c7a0864

                                SHA256

                                6d480e4d29dcfd48e33a2bf7d41a1d4a8079e90251913a6780b307f35fd74c02

                                SHA512

                                470e783f0999ecbb43ebe40332cda8ba02b99efc9384cb269fedf986f74d9209278e5e8b83e3793ca3a733c3374a87e7529f30c91c315692d972d2445fbb48b9

                              • C:\Users\Admin\AppData\Local\Temp\ytmp\tmp26570.exe

                                Filesize

                                15B

                                MD5

                                3c52638971ead82b5929d605c1314ee0

                                SHA1

                                7318148a40faca203ac402dff51bbb04e638545c

                                SHA256

                                5614459ec05fdf6110fa8ce54c34e859671eeffba2b7bb4b1ad6c2c6706855ab

                                SHA512

                                46f85f730e3ca9a57f51416c6ab4d03f868f895568eee8f7943cd249b2f71d2a3e83c34e7132715c983d3efaa865a9cb599a4278c911130a0a6948a535c0573b

                              • C:\Users\Admin\AppData\Roaming\Windows\control\data.exe

                                Filesize

                                4.2MB

                                MD5

                                8073902d5731af195706c0737d42337b

                                SHA1

                                ee501e11ecf3d14f59d54750de7f35af663e6bb9

                                SHA256

                                511e239339255dc29b68ee438b7889e0e437d011dda6b5f715c73ceab9a42d2a

                                SHA512

                                ac0ee5a5fb9eb5e52a84683bbbda52d9dc1606e714cded78b18da738db803c61fa197b7c15cbf786c4722af04d42bb1d9e3eade823cf09d6ed069b17124c3241

                              • C:\Users\Admin\AppData\Roaming\Windows\control\run.exe

                                Filesize: 96KB
                                MD5: 5f56f53c24ea5f9bda096511228c9e40
                                SHA1: 1103ed5f6571a334dfae63fefeb0d1f3a2a616c2
                                SHA256: 4ae925d4b3bb61c460e8a91174e5d3a0e24df5c7d660ed63bce3272c91359ba4
                                SHA512: a621859008c1f38f0c9ea53dbbfc82ccdca9bcdf402d2ac868a202f2bb39d4cef5338cf69df30980aa4d5bea0c062f4be26f00f3b56979920863445e980f4ecb

                              • C:\Users\Admin\AppData\Roaming\Windows\control\start.vbs

                                Filesize: 113B
                                MD5: 7c274b85448ea218e5c6d5521876f698
                                SHA1: bdd771453446e1e8654985f5c4b7ebb0bb9ada4d
                                SHA256: 427b7d229ae6a8717edb0e5cc156c2025d0d737400d6a22d5de9d4504b7b3185
                                SHA512: 3c0a482e3f5b628cccae9730fb7fbf2f9e8c6fb7d8c52d39beffe8b3a3de184d2df6d5fa412801eca6cf80a7ee8109394e4918c467af88dac767462f01051df6

                              • memory/376-143-0x0000000000000000-mapping.dmp

                              • memory/392-157-0x0000000000000000-mapping.dmp

                              • memory/432-191-0x0000000000000000-mapping.dmp

                              • memory/636-136-0x0000000000000000-mapping.dmp

                              • memory/648-163-0x0000000000000000-mapping.dmp

                              • memory/952-146-0x0000000000000000-mapping.dmp

                              • memory/1000-150-0x0000000000000000-mapping.dmp

                              • memory/1096-194-0x0000000000000000-mapping.dmp

                              • memory/1304-158-0x0000000000000000-mapping.dmp

                              • memory/1312-148-0x0000000000000000-mapping.dmp

                              • memory/1468-180-0x0000000000000000-mapping.dmp

                              • memory/1600-145-0x0000000000000000-mapping.dmp

                              • memory/1628-162-0x0000000000000000-mapping.dmp

                              • memory/1768-130-0x0000000000000000-mapping.dmp

                              • memory/1964-156-0x0000000000000000-mapping.dmp

                              • memory/2256-172-0x0000000000000000-mapping.dmp

                              • memory/2516-166-0x0000000000000000-mapping.dmp

                              • memory/2704-133-0x0000000000000000-mapping.dmp

                              • memory/2804-182-0x0000000000000000-mapping.dmp

                              • memory/3204-135-0x0000000000000000-mapping.dmp

                              • memory/3448-181-0x0000000000000000-mapping.dmp

                              • memory/3460-139-0x0000000000000000-mapping.dmp

                              • memory/3640-153-0x0000000000000000-mapping.dmp

                              • memory/3648-138-0x0000000000000000-mapping.dmp

                              • memory/3752-179-0x0000000000000000-mapping.dmp

                              • memory/3928-147-0x0000000000000000-mapping.dmp

                              • memory/4184-184-0x0000000000000000-mapping.dmp

                              • memory/4696-137-0x0000000000000000-mapping.dmp

                              • memory/4728-189-0x0000000000000000-mapping.dmp

                              • memory/4788-165-0x0000000000000000-mapping.dmp

                              • memory/4832-141-0x0000000000000000-mapping.dmp

                              • memory/4836-140-0x0000000000000000-mapping.dmp

                              • memory/4924-142-0x0000000000000000-mapping.dmp

                              • memory/4968-160-0x0000000000000000-mapping.dmp

                              • memory/4984-159-0x0000000000000000-mapping.dmp

                              • memory/5056-190-0x0000000000000000-mapping.dmp

                              • memory/5068-186-0x0000000000000000-mapping.dmp

                              • memory/5116-144-0x0000000000000000-mapping.dmp