Analysis Overview
SHA256
8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a
Threat Level: Known bad
The file 8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a was found to be: Known bad.
Malicious Activity Summary
RMS
Stops running service(s)
Executes dropped EXE
Sets file to hidden
Checks computer location settings
Loads dropped DLL
Checks installed software on the system
Launches sc.exe
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Kills process with taskkill
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: SetClipboardViewer
Runs .reg file with regedit
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-08 07:50
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-08 07:50
Reported
2022-05-08 10:53
Platform
win7-20220414-en
Max time kernel
189s
Max time network
195s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\WindowsVolume\DiskServer.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\File.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\File2.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\File3.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\DiskUpdate.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\DiskUpdate1.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\volumedisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\volumedisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\volumedisk.exe | N/A |
Sets file to hidden
Stops running service(s)
Loads dropped DLL
Checks installed software on the system
Launches sc.exe
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\volumedisk.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\WindowsVolume\volumedisk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe
"C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe"
C:\ProgramData\WindowsVolume\DiskServer.exe
"C:\ProgramData\WindowsVolume\DiskServer.exe" -p834784734789789347892898943789787892
C:\ProgramData\WindowsVolume\OpenDisk.exe
"C:\ProgramData\WindowsVolume\OpenDisk.exe"
C:\ProgramData\WindowsVolume\File.exe
"C:\ProgramData\WindowsVolume\File.exe"
C:\ProgramData\WindowsVolume\DiskUpdate.exe
"C:\ProgramData\WindowsVolume\DiskUpdate.exe" -p78347834893489894237834783478785788989543536
C:\ProgramData\WindowsVolume\File3.exe
"C:\ProgramData\WindowsVolume\File3.exe"
C:\ProgramData\WindowsVolume\File2.exe
"C:\ProgramData\WindowsVolume\File2.exe"
C:\ProgramData\WindowsVolume\DiskUpdate1.exe
"C:\ProgramData\WindowsVolume\DiskUpdate1.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\WindowsVolume\DiskInstall.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\ProgramData\WindowsVolume"
C:\Windows\SysWOW64\sc.exe
sc stop RManService
C:\Windows\SysWOW64\sc.exe
sc stop VolumeDisk0
C:\Windows\SysWOW64\sc.exe
sc stop VDeviceCard
C:\Windows\SysWOW64\sc.exe
sc stop NPackStereo
C:\Windows\SysWOW64\sc.exe
sc stop ServiceWork
C:\Windows\SysWOW64\sc.exe
sc stop AMIHardware
C:\Windows\SysWOW64\sc.exe
sc stop IntelDriver
C:\Windows\SysWOW64\sc.exe
sc delete RManService
C:\Windows\SysWOW64\sc.exe
sc delete VolumeDisk0
C:\Windows\SysWOW64\sc.exe
sc delete VDeviceCard
C:\Windows\SysWOW64\sc.exe
sc delete NPackStereo
C:\Windows\SysWOW64\sc.exe
sc delete ServiceWork
C:\Windows\SysWOW64\sc.exe
sc delete AMIHardware
C:\Windows\SysWOW64\sc.exe
sc delete IntelDriver
C:\Windows\SysWOW64\taskkill.exe
taskkill /im rfusclient.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im rutserv.exe /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\SystemVolume0\SysHardDisk" /f
C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\ProgramData\WindowsVolume\config_set.reg"
C:\ProgramData\WindowsVolume\sysdisk.exe
"C:\ProgramData\WindowsVolume\sysdisk.exe" /silentinstall
C:\ProgramData\WindowsVolume\sysdisk.exe
"C:\ProgramData\WindowsVolume\sysdisk.exe" /firewall
C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\ProgramData\WindowsVolume\config_set.reg"
C:\Windows\SysWOW64\sc.exe
sc failure VolumeDisk0 reset= 0 actions= restart/500/restart/500/restart/500
C:\Windows\SysWOW64\sc.exe
sc config VolumeDisk0 obj= LocalSystem type= interact type= own
C:\ProgramData\WindowsVolume\sysdisk.exe
"C:\ProgramData\WindowsVolume\sysdisk.exe" /start
C:\ProgramData\WindowsVolume\sysdisk.exe
C:\ProgramData\WindowsVolume\sysdisk.exe
C:\ProgramData\WindowsVolume\volumedisk.exe
C:\ProgramData\WindowsVolume\volumedisk.exe
C:\ProgramData\WindowsVolume\volumedisk.exe
C:\ProgramData\WindowsVolume\volumedisk.exe /tray
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\ProgramData\WindowsVolume\*.*"
C:\ProgramData\WindowsVolume\volumedisk.exe
C:\ProgramData\WindowsVolume\volumedisk.exe /tray
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
Files
memory/1940-54-0x0000000075941000-0x0000000075943000-memory.dmp
\ProgramData\WindowsVolume\DiskServer.exe
| MD5 | cd3d8619a4459d3de5478349c9d35920 |
| SHA1 | 6e2845d980365b8e0a9c2285906a5591218c94b7 |
| SHA256 | 91f9a2c5a2ae5f84712fd1108fd27cfe113618d797f7771a279d4d084e56e530 |
| SHA512 | f8ce6e48b99ab0823bbbf1fc8c0e6b36d81cda51bae54a96ab6e7591098b35f26eabbda694ab40a2117f9b6814d3d6efa82e943441447ff5eba66fa5467d15b4 |
memory/1724-56-0x0000000000000000-mapping.dmp
C:\ProgramData\WindowsVolume\DiskServer.exe
| MD5 | cd3d8619a4459d3de5478349c9d35920 |
| SHA1 | 6e2845d980365b8e0a9c2285906a5591218c94b7 |
| SHA256 | 91f9a2c5a2ae5f84712fd1108fd27cfe113618d797f7771a279d4d084e56e530 |
| SHA512 | f8ce6e48b99ab0823bbbf1fc8c0e6b36d81cda51bae54a96ab6e7591098b35f26eabbda694ab40a2117f9b6814d3d6efa82e943441447ff5eba66fa5467d15b4 |
C:\ProgramData\WindowsVolume\DiskServer.exe
| MD5 | cd3d8619a4459d3de5478349c9d35920 |
| SHA1 | 6e2845d980365b8e0a9c2285906a5591218c94b7 |
| SHA256 | 91f9a2c5a2ae5f84712fd1108fd27cfe113618d797f7771a279d4d084e56e530 |
| SHA512 | f8ce6e48b99ab0823bbbf1fc8c0e6b36d81cda51bae54a96ab6e7591098b35f26eabbda694ab40a2117f9b6814d3d6efa82e943441447ff5eba66fa5467d15b4 |
\ProgramData\WindowsVolume\OpenDisk.exe
| MD5 | 33fe1f9da3970f862da541a2547e8a57 |
| SHA1 | 17f09e35174d44cdb8c38833f497d4f51368ac01 |
| SHA256 | 7b02abfefdc990f7381f3db107a8169d21582735959ba8e764a195ab5edfee06 |
| SHA512 | 0a745059fea9d90735e30f7876b104c35d062f928f8108d502ec2fb00ef4660d26c284a9428460296125a703655bfed5822dcb27c39f17f902c7291ebd8e8e4a |
\ProgramData\WindowsVolume\OpenDisk.exe
| MD5 | 33fe1f9da3970f862da541a2547e8a57 |
| SHA1 | 17f09e35174d44cdb8c38833f497d4f51368ac01 |
| SHA256 | 7b02abfefdc990f7381f3db107a8169d21582735959ba8e764a195ab5edfee06 |
| SHA512 | 0a745059fea9d90735e30f7876b104c35d062f928f8108d502ec2fb00ef4660d26c284a9428460296125a703655bfed5822dcb27c39f17f902c7291ebd8e8e4a |
\ProgramData\WindowsVolume\OpenDisk.exe
| MD5 | 33fe1f9da3970f862da541a2547e8a57 |
| SHA1 | 17f09e35174d44cdb8c38833f497d4f51368ac01 |
| SHA256 | 7b02abfefdc990f7381f3db107a8169d21582735959ba8e764a195ab5edfee06 |
| SHA512 | 0a745059fea9d90735e30f7876b104c35d062f928f8108d502ec2fb00ef4660d26c284a9428460296125a703655bfed5822dcb27c39f17f902c7291ebd8e8e4a |
memory/1696-63-0x0000000000000000-mapping.dmp
C:\ProgramData\WindowsVolume\OpenDisk.exe
| MD5 | 33fe1f9da3970f862da541a2547e8a57 |
| SHA1 | 17f09e35174d44cdb8c38833f497d4f51368ac01 |
| SHA256 | 7b02abfefdc990f7381f3db107a8169d21582735959ba8e764a195ab5edfee06 |
| SHA512 | 0a745059fea9d90735e30f7876b104c35d062f928f8108d502ec2fb00ef4660d26c284a9428460296125a703655bfed5822dcb27c39f17f902c7291ebd8e8e4a |
C:\ProgramData\WindowsVolume\File.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
C:\ProgramData\WindowsVolume\OpenDisk.exe
| MD5 | 33fe1f9da3970f862da541a2547e8a57 |
| SHA1 | 17f09e35174d44cdb8c38833f497d4f51368ac01 |
| SHA256 | 7b02abfefdc990f7381f3db107a8169d21582735959ba8e764a195ab5edfee06 |
| SHA512 | 0a745059fea9d90735e30f7876b104c35d062f928f8108d502ec2fb00ef4660d26c284a9428460296125a703655bfed5822dcb27c39f17f902c7291ebd8e8e4a |
\ProgramData\WindowsVolume\OpenDisk.exe
| MD5 | 33fe1f9da3970f862da541a2547e8a57 |
| SHA1 | 17f09e35174d44cdb8c38833f497d4f51368ac01 |
| SHA256 | 7b02abfefdc990f7381f3db107a8169d21582735959ba8e764a195ab5edfee06 |
| SHA512 | 0a745059fea9d90735e30f7876b104c35d062f928f8108d502ec2fb00ef4660d26c284a9428460296125a703655bfed5822dcb27c39f17f902c7291ebd8e8e4a |
\ProgramData\WindowsVolume\File.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
\ProgramData\WindowsVolume\File.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
C:\ProgramData\WindowsVolume\File.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
memory/1604-71-0x0000000000000000-mapping.dmp
memory/1652-77-0x0000000000000000-mapping.dmp
C:\ProgramData\WindowsVolume\DiskUpdate.exe
| MD5 | 8dc6ab416cb22c454630a92a3782b147 |
| SHA1 | 104fee8238f185ab289f89b14978f4e59b2ffed1 |
| SHA256 | 1c8af7e421f07bd2c8fc9b2924d9fce6530352d5c9405d70ce1288aed965c45e |
| SHA512 | a298627a3ac822b83722093f359abf25e3b71063a7a8a8fee92096631185516d08d06b4792f2b1f45bea0a3c2e7caa9a8b17b15a7ed73b516bc05a7d4c5f5eb0 |
\ProgramData\WindowsVolume\DiskUpdate.exe
| MD5 | 8dc6ab416cb22c454630a92a3782b147 |
| SHA1 | 104fee8238f185ab289f89b14978f4e59b2ffed1 |
| SHA256 | 1c8af7e421f07bd2c8fc9b2924d9fce6530352d5c9405d70ce1288aed965c45e |
| SHA512 | a298627a3ac822b83722093f359abf25e3b71063a7a8a8fee92096631185516d08d06b4792f2b1f45bea0a3c2e7caa9a8b17b15a7ed73b516bc05a7d4c5f5eb0 |
memory/468-88-0x0000000000000000-mapping.dmp
C:\ProgramData\WindowsVolume\DiskUpdate.exe
| MD5 | 8dc6ab416cb22c454630a92a3782b147 |
| SHA1 | 104fee8238f185ab289f89b14978f4e59b2ffed1 |
| SHA256 | 1c8af7e421f07bd2c8fc9b2924d9fce6530352d5c9405d70ce1288aed965c45e |
| SHA512 | a298627a3ac822b83722093f359abf25e3b71063a7a8a8fee92096631185516d08d06b4792f2b1f45bea0a3c2e7caa9a8b17b15a7ed73b516bc05a7d4c5f5eb0 |
C:\ProgramData\WindowsVolume\File3.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
memory/1960-83-0x0000000000000000-mapping.dmp
C:\ProgramData\WindowsVolume\File3.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
C:\ProgramData\WindowsVolume\File2.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
\ProgramData\WindowsVolume\File3.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
\ProgramData\WindowsVolume\File3.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
\ProgramData\WindowsVolume\File2.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
\ProgramData\WindowsVolume\File2.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
C:\ProgramData\WindowsVolume\File2.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
C:\ProgramData\WindowsVolume\DiskUpdate1.exe
| MD5 | 01fce99ef71f219c297b99252ea31abb |
| SHA1 | 8f45a949b777f04aa47fc4db77eebdb24a2bcfb6 |
| SHA256 | 9ae4979cdec81bcd0dd3de8fad9df24e8bb110faf34a61194db56d476f85ea64 |
| SHA512 | 57b26d1c2a9bd49319e67ab75afdb753006c371ec27632b56abbd2ba5a2a88ac134d659360832e4d5a0ab963909eaca19024a2d5415eeb7ade3adc1f97dd8f71 |
memory/1096-94-0x0000000000000000-mapping.dmp
\ProgramData\WindowsVolume\DiskUpdate1.exe
| MD5 | 01fce99ef71f219c297b99252ea31abb |
| SHA1 | 8f45a949b777f04aa47fc4db77eebdb24a2bcfb6 |
| SHA256 | 9ae4979cdec81bcd0dd3de8fad9df24e8bb110faf34a61194db56d476f85ea64 |
| SHA512 | 57b26d1c2a9bd49319e67ab75afdb753006c371ec27632b56abbd2ba5a2a88ac134d659360832e4d5a0ab963909eaca19024a2d5415eeb7ade3adc1f97dd8f71 |
\ProgramData\WindowsVolume\DiskUpdate1.exe
| MD5 | 01fce99ef71f219c297b99252ea31abb |
| SHA1 | 8f45a949b777f04aa47fc4db77eebdb24a2bcfb6 |
| SHA256 | 9ae4979cdec81bcd0dd3de8fad9df24e8bb110faf34a61194db56d476f85ea64 |
| SHA512 | 57b26d1c2a9bd49319e67ab75afdb753006c371ec27632b56abbd2ba5a2a88ac134d659360832e4d5a0ab963909eaca19024a2d5415eeb7ade3adc1f97dd8f71 |
\ProgramData\WindowsVolume\DiskUpdate1.exe
| MD5 | 01fce99ef71f219c297b99252ea31abb |
| SHA1 | 8f45a949b777f04aa47fc4db77eebdb24a2bcfb6 |
| SHA256 | 9ae4979cdec81bcd0dd3de8fad9df24e8bb110faf34a61194db56d476f85ea64 |
| SHA512 | 57b26d1c2a9bd49319e67ab75afdb753006c371ec27632b56abbd2ba5a2a88ac134d659360832e4d5a0ab963909eaca19024a2d5415eeb7ade3adc1f97dd8f71 |
\ProgramData\WindowsVolume\DiskUpdate1.exe
| MD5 | 01fce99ef71f219c297b99252ea31abb |
| SHA1 | 8f45a949b777f04aa47fc4db77eebdb24a2bcfb6 |
| SHA256 | 9ae4979cdec81bcd0dd3de8fad9df24e8bb110faf34a61194db56d476f85ea64 |
| SHA512 | 57b26d1c2a9bd49319e67ab75afdb753006c371ec27632b56abbd2ba5a2a88ac134d659360832e4d5a0ab963909eaca19024a2d5415eeb7ade3adc1f97dd8f71 |
C:\ProgramData\WindowsVolume\DiskInstall.bat
| MD5 | a46bdedc1e6587433dc98119f338d175 |
| SHA1 | 01334536e159f71bc5bc1e7b7a0e75490c169c36 |
| SHA256 | 604b240dd5e0ae92578c785bf46888b93307588f00af62cf6296b2f1c86eeb50 |
| SHA512 | e8010ea23bb01e707342fab42fb3b73fc6f82d0abfdd0354f01ed68e7e05aafaed3991f7deb9bc368de3c36deec7dbc7e4fa4e1178134d9e941f0c77cb52a394 |
C:\ProgramData\WindowsVolume\DiskUpdate1.exe
| MD5 | 01fce99ef71f219c297b99252ea31abb |
| SHA1 | 8f45a949b777f04aa47fc4db77eebdb24a2bcfb6 |
| SHA256 | 9ae4979cdec81bcd0dd3de8fad9df24e8bb110faf34a61194db56d476f85ea64 |
| SHA512 | 57b26d1c2a9bd49319e67ab75afdb753006c371ec27632b56abbd2ba5a2a88ac134d659360832e4d5a0ab963909eaca19024a2d5415eeb7ade3adc1f97dd8f71 |
memory/1976-100-0x0000000000000000-mapping.dmp
memory/872-102-0x0000000000000000-mapping.dmp
memory/2040-104-0x0000000000000000-mapping.dmp
memory/1460-108-0x0000000000000000-mapping.dmp
memory/1336-110-0x0000000000000000-mapping.dmp
memory/2004-112-0x0000000000000000-mapping.dmp
memory/1552-116-0x0000000000000000-mapping.dmp
memory/1632-114-0x0000000000000000-mapping.dmp
memory/740-106-0x0000000000000000-mapping.dmp
memory/940-118-0x0000000000000000-mapping.dmp
memory/1712-120-0x0000000000000000-mapping.dmp
memory/932-122-0x0000000000000000-mapping.dmp
memory/2028-124-0x0000000000000000-mapping.dmp
memory/1484-126-0x0000000000000000-mapping.dmp
memory/520-130-0x0000000000000000-mapping.dmp
memory/1048-128-0x0000000000000000-mapping.dmp
memory/1500-132-0x0000000000000000-mapping.dmp
memory/1084-134-0x0000000000000000-mapping.dmp
memory/1696-136-0x0000000000000000-mapping.dmp
memory/1548-138-0x0000000000000000-mapping.dmp
C:\ProgramData\WindowsVolume\config_set.reg
| MD5 | 7b6fccac74add3d64ebe50a809ee6ae8 |
| SHA1 | 15468dc1ca0b54fa9b0db13fcbaa02702389b0c9 |
| SHA256 | 9f8d92e21eb41be9d2467c2b56e3c4f215d0c51ac8632014685321d70345d3a6 |
| SHA512 | 3e383f0d0ecd661857b01dc8e0aedcbf2f6fd8fdeb834653255e5c2d6637a6a53bb511d71178830589a425a5a6defe430457649ac75f19514f64809602bf16f1 |
\ProgramData\WindowsVolume\sysdisk.exe
| MD5 | dfc2c02caefa842853b59e6f5fa490f0 |
| SHA1 | 1e96717a40ee9600bd379085510a2e74a70c46b6 |
| SHA256 | 56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8 |
| SHA512 | 068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5 |
C:\ProgramData\WindowsVolume\sysdisk.exe
| MD5 | dfc2c02caefa842853b59e6f5fa490f0 |
| SHA1 | 1e96717a40ee9600bd379085510a2e74a70c46b6 |
| SHA256 | 56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8 |
| SHA512 | 068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5 |
C:\ProgramData\WindowsVolume\sysdisk.exe
| MD5 | dfc2c02caefa842853b59e6f5fa490f0 |
| SHA1 | 1e96717a40ee9600bd379085510a2e74a70c46b6 |
| SHA256 | 56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8 |
| SHA512 | 068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5 |
memory/1488-143-0x0000000000000000-mapping.dmp
\ProgramData\WindowsVolume\sysdisk.exe
| MD5 | dfc2c02caefa842853b59e6f5fa490f0 |
| SHA1 | 1e96717a40ee9600bd379085510a2e74a70c46b6 |
| SHA256 | 56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8 |
| SHA512 | 068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5 |
C:\ProgramData\WindowsVolume\sysdisk.exe
| MD5 | dfc2c02caefa842853b59e6f5fa490f0 |
| SHA1 | 1e96717a40ee9600bd379085510a2e74a70c46b6 |
| SHA256 | 56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8 |
| SHA512 | 068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5 |
memory/736-147-0x0000000000000000-mapping.dmp
memory/560-150-0x0000000000000000-mapping.dmp
memory/1408-152-0x0000000000000000-mapping.dmp
memory/1944-154-0x0000000000000000-mapping.dmp
C:\ProgramData\WindowsVolume\sysdisk.exe
| MD5 | dfc2c02caefa842853b59e6f5fa490f0 |
| SHA1 | 1e96717a40ee9600bd379085510a2e74a70c46b6 |
| SHA256 | 56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8 |
| SHA512 | 068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5 |
memory/872-157-0x0000000000000000-mapping.dmp
\ProgramData\WindowsVolume\sysdisk.exe
| MD5 | dfc2c02caefa842853b59e6f5fa490f0 |
| SHA1 | 1e96717a40ee9600bd379085510a2e74a70c46b6 |
| SHA256 | 56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8 |
| SHA512 | 068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5 |
C:\ProgramData\WindowsVolume\sysdisk.exe
| MD5 | dfc2c02caefa842853b59e6f5fa490f0 |
| SHA1 | 1e96717a40ee9600bd379085510a2e74a70c46b6 |
| SHA256 | 56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8 |
| SHA512 | 068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5 |
C:\ProgramData\WindowsVolume\volumedisk.exe
| MD5 | 8969782b82398387c46fb9887bf9850d |
| SHA1 | 9f927e2acfb6282f24f7221ce5451055f930b47f |
| SHA256 | 32d376d67fde458455e83272e7cef91ad39917a3f568b045f8975ca0ade33051 |
| SHA512 | 1790c2d4874584bb24f865dfd57f9f090142e4007b4ad659d1320b918879cc4dc9e05e68cf8ba8cb17a2b87aa232f70bcfd2597404a5c4a5c80497e4d4100c21 |
C:\ProgramData\WindowsVolume\vp8encoder.dll
| MD5 | dab4646806dfca6d0e0b4d80fa9209d6 |
| SHA1 | 8244dfe22ec2090eee89dad103e6b2002059d16a |
| SHA256 | cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587 |
| SHA512 | aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7 |
C:\ProgramData\WindowsVolume\vp8decoder.dll
| MD5 | d43fa82fab5337ce20ad14650085c5d9 |
| SHA1 | 678aa092075ff65b6815ffc2d8fdc23af8425981 |
| SHA256 | c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b |
| SHA512 | 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d |
C:\ProgramData\WindowsVolume\russian.lg
| MD5 | e44e34bc285b709f08f967325d9c8be1 |
| SHA1 | e73f05c6a980ec9d006930c5343955f89579b409 |
| SHA256 | 1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b |
| SHA512 | 576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727 |
\ProgramData\WindowsVolume\volumedisk.exe
| MD5 | 8969782b82398387c46fb9887bf9850d |
| SHA1 | 9f927e2acfb6282f24f7221ce5451055f930b47f |
| SHA256 | 32d376d67fde458455e83272e7cef91ad39917a3f568b045f8975ca0ade33051 |
| SHA512 | 1790c2d4874584bb24f865dfd57f9f090142e4007b4ad659d1320b918879cc4dc9e05e68cf8ba8cb17a2b87aa232f70bcfd2597404a5c4a5c80497e4d4100c21 |
\ProgramData\WindowsVolume\volumedisk.exe
| MD5 | 8969782b82398387c46fb9887bf9850d |
| SHA1 | 9f927e2acfb6282f24f7221ce5451055f930b47f |
| SHA256 | 32d376d67fde458455e83272e7cef91ad39917a3f568b045f8975ca0ade33051 |
| SHA512 | 1790c2d4874584bb24f865dfd57f9f090142e4007b4ad659d1320b918879cc4dc9e05e68cf8ba8cb17a2b87aa232f70bcfd2597404a5c4a5c80497e4d4100c21 |
memory/1552-169-0x0000000000000000-mapping.dmp
C:\ProgramData\WindowsVolume\volumedisk.exe
| MD5 | 8969782b82398387c46fb9887bf9850d |
| SHA1 | 9f927e2acfb6282f24f7221ce5451055f930b47f |
| SHA256 | 32d376d67fde458455e83272e7cef91ad39917a3f568b045f8975ca0ade33051 |
| SHA512 | 1790c2d4874584bb24f865dfd57f9f090142e4007b4ad659d1320b918879cc4dc9e05e68cf8ba8cb17a2b87aa232f70bcfd2597404a5c4a5c80497e4d4100c21 |
memory/1996-167-0x0000000000000000-mapping.dmp
C:\ProgramData\WindowsVolume\volumedisk.exe
| MD5 | 8969782b82398387c46fb9887bf9850d |
| SHA1 | 9f927e2acfb6282f24f7221ce5451055f930b47f |
| SHA256 | 32d376d67fde458455e83272e7cef91ad39917a3f568b045f8975ca0ade33051 |
| SHA512 | 1790c2d4874584bb24f865dfd57f9f090142e4007b4ad659d1320b918879cc4dc9e05e68cf8ba8cb17a2b87aa232f70bcfd2597404a5c4a5c80497e4d4100c21 |
C:\ProgramData\WindowsVolume\DiskInstall2.bat
| MD5 | 52d57e611e45ceae3107a9606c798df8 |
| SHA1 | a559ee95833113e022c4e5116508641847e31dd3 |
| SHA256 | 1511fc19a2f4a670f7ced8ff7980bb0f8eb5ef840c0c116fc96ec3b241a588e7 |
| SHA512 | 1c86c712988c97fab61461dfd6cc67912d11e1816af8e96f7a2432a591097e1182b179be0555c80cfbedb9441beeac526398b54fac4f49af1fed7dde75030306 |
memory/1952-175-0x0000000000000000-mapping.dmp
C:\ProgramData\WindowsVolume\Diskpart.dat
| MD5 | 1a18270fb3fd76df0d01087e99dddcc6 |
| SHA1 | 26732b781736ed80654e3a41839b50e3d2e36db5 |
| SHA256 | fb9b9ae62c41448d117cbc468b2bf4eebb0665605cb864f28822f2b71f78dbda |
| SHA512 | 63d260f4972c6a403af97c3c6e371f516a5d3fbc1090bfe2b41b4dd88ff900b98217fb2225b53948fc480c33d1b9753bbf1e4a4df1613069f0f211a556a95f19 |
memory/1392-178-0x0000000000000000-mapping.dmp
C:\ProgramData\WindowsVolume\volumedisk.exe
| MD5 | 8969782b82398387c46fb9887bf9850d |
| SHA1 | 9f927e2acfb6282f24f7221ce5451055f930b47f |
| SHA256 | 32d376d67fde458455e83272e7cef91ad39917a3f568b045f8975ca0ade33051 |
| SHA512 | 1790c2d4874584bb24f865dfd57f9f090142e4007b4ad659d1320b918879cc4dc9e05e68cf8ba8cb17a2b87aa232f70bcfd2597404a5c4a5c80497e4d4100c21 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-08 07:50
Reported
2022-05-08 10:53
Platform
win10v2004-20220414-en
Max time kernel
189s
Max time network
200s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\WindowsVolume\DiskServer.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\File.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\File2.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\File3.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\DiskUpdate.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\DiskUpdate1.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\volumedisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\volumedisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\volumedisk.exe | N/A |
Sets file to hidden
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\ProgramData\WindowsVolume\DiskServer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\ProgramData\WindowsVolume\OpenDisk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\ProgramData\WindowsVolume\DiskUpdate.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\ProgramData\WindowsVolume\DiskUpdate1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe | N/A |
Checks installed software on the system
Launches sc.exe
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\volumedisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\volumedisk.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\WindowsVolume\volumedisk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\File.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\File2.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\File3.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\DiskUpdate.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\DiskUpdate1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe | "C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe" |
| C:\ProgramData\WindowsVolume\DiskServer.exe | "C:\ProgramData\WindowsVolume\DiskServer.exe" -p834784734789789347892898943789787892 |
| C:\ProgramData\WindowsVolume\OpenDisk.exe | "C:\ProgramData\WindowsVolume\OpenDisk.exe" |
| C:\ProgramData\WindowsVolume\File.exe | "C:\ProgramData\WindowsVolume\File.exe" |
| C:\ProgramData\WindowsVolume\File2.exe | "C:\ProgramData\WindowsVolume\File2.exe" |
| C:\ProgramData\WindowsVolume\File3.exe | "C:\ProgramData\WindowsVolume\File3.exe" |
| C:\ProgramData\WindowsVolume\DiskUpdate.exe | "C:\ProgramData\WindowsVolume\DiskUpdate.exe" -p78347834893489894237834783478785788989543536 |
| C:\ProgramData\WindowsVolume\DiskUpdate1.exe | "C:\ProgramData\WindowsVolume\DiskUpdate1.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\ProgramData\WindowsVolume\DiskInstall.bat" " |
| C:\Windows\SysWOW64\attrib.exe | attrib +s +h "C:\ProgramData\WindowsVolume" |
| C:\Windows\SysWOW64\sc.exe | sc stop RManService |
| C:\Windows\SysWOW64\sc.exe | sc stop VolumeDisk0 |
| C:\Windows\SysWOW64\sc.exe | sc stop VDeviceCard |
| C:\Windows\SysWOW64\sc.exe | sc stop NPackStereo |
| C:\Windows\SysWOW64\sc.exe | sc stop ServiceWork |
| C:\Windows\SysWOW64\sc.exe | sc stop IntelDriver |
| C:\Windows\SysWOW64\sc.exe | sc stop AMIHardware |
| C:\Windows\SysWOW64\sc.exe | sc delete RManService |
| C:\Windows\SysWOW64\sc.exe | sc delete VolumeDisk0 |
| C:\Windows\SysWOW64\sc.exe | sc delete VDeviceCard |
| C:\Windows\SysWOW64\sc.exe | sc delete NPackStereo |
| C:\Windows\SysWOW64\sc.exe | sc delete ServiceWork |
| C:\Windows\SysWOW64\sc.exe | sc delete IntelDriver |
| C:\Windows\SysWOW64\sc.exe | sc delete AMIHardware |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /im rfusclient.exe /f |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /im rutserv.exe /f |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKLM\SYSTEM\SystemVolume0\SysHardDisk" /f |
| C:\Windows\SysWOW64\regedit.exe | regedit /s "C:\ProgramData\WindowsVolume\config_set.reg" |
| C:\ProgramData\WindowsVolume\sysdisk.exe | "C:\ProgramData\WindowsVolume\sysdisk.exe" /silentinstall |
| C:\ProgramData\WindowsVolume\sysdisk.exe | "C:\ProgramData\WindowsVolume\sysdisk.exe" /firewall |
| C:\Windows\SysWOW64\regedit.exe | regedit /s "C:\ProgramData\WindowsVolume\config_set.reg" |
| C:\ProgramData\WindowsVolume\sysdisk.exe | "C:\ProgramData\WindowsVolume\sysdisk.exe" /start |
| C:\Windows\SysWOW64\sc.exe | sc config VolumeDisk0 obj= LocalSystem type= interact type= own |
| C:\ProgramData\WindowsVolume\sysdisk.exe | C:\ProgramData\WindowsVolume\sysdisk.exe |
| C:\Windows\SysWOW64\sc.exe | sc failure VolumeDisk0 reset= 0 actions= restart/500/restart/500/restart/500 |
| C:\Windows\SysWOW64\attrib.exe | attrib +s +h "C:\ProgramData\WindowsVolume\*.*" |
| C:\ProgramData\WindowsVolume\volumedisk.exe | C:\ProgramData\WindowsVolume\volumedisk.exe /tray |
| C:\ProgramData\WindowsVolume\volumedisk.exe | C:\ProgramData\WindowsVolume\volumedisk.exe |
| C:\ProgramData\WindowsVolume\volumedisk.exe | C:\ProgramData\WindowsVolume\volumedisk.exe /tray |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
Files
C:\ProgramData\WindowsVolume\DiskServer.exe
| MD5 | cd3d8619a4459d3de5478349c9d35920 |
| SHA1 | 6e2845d980365b8e0a9c2285906a5591218c94b7 |
| SHA256 | 91f9a2c5a2ae5f84712fd1108fd27cfe113618d797f7771a279d4d084e56e530 |
| SHA512 | f8ce6e48b99ab0823bbbf1fc8c0e6b36d81cda51bae54a96ab6e7591098b35f26eabbda694ab40a2117f9b6814d3d6efa82e943441447ff5eba66fa5467d15b4 |
C:\ProgramData\WindowsVolume\OpenDisk.exe
| MD5 | 33fe1f9da3970f862da541a2547e8a57 |
| SHA1 | 17f09e35174d44cdb8c38833f497d4f51368ac01 |
| SHA256 | 7b02abfefdc990f7381f3db107a8169d21582735959ba8e764a195ab5edfee06 |
| SHA512 | 0a745059fea9d90735e30f7876b104c35d062f928f8108d502ec2fb00ef4660d26c284a9428460296125a703655bfed5822dcb27c39f17f902c7291ebd8e8e4a |
C:\ProgramData\WindowsVolume\File.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
C:\ProgramData\WindowsVolume\File2.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
C:\ProgramData\WindowsVolume\File3.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
C:\ProgramData\WindowsVolume\DiskUpdate.exe
| MD5 | 8dc6ab416cb22c454630a92a3782b147 |
| SHA1 | 104fee8238f185ab289f89b14978f4e59b2ffed1 |
| SHA256 | 1c8af7e421f07bd2c8fc9b2924d9fce6530352d5c9405d70ce1288aed965c45e |
| SHA512 | a298627a3ac822b83722093f359abf25e3b71063a7a8a8fee92096631185516d08d06b4792f2b1f45bea0a3c2e7caa9a8b17b15a7ed73b516bc05a7d4c5f5eb0 |
C:\ProgramData\WindowsVolume\DiskUpdate1.exe
| MD5 | 01fce99ef71f219c297b99252ea31abb |
| SHA1 | 8f45a949b777f04aa47fc4db77eebdb24a2bcfb6 |
| SHA256 | 9ae4979cdec81bcd0dd3de8fad9df24e8bb110faf34a61194db56d476f85ea64 |
| SHA512 | 57b26d1c2a9bd49319e67ab75afdb753006c371ec27632b56abbd2ba5a2a88ac134d659360832e4d5a0ab963909eaca19024a2d5415eeb7ade3adc1f97dd8f71 |
C:\ProgramData\WindowsVolume\DiskInstall.bat
| MD5 | a46bdedc1e6587433dc98119f338d175 |
| SHA1 | 01334536e159f71bc5bc1e7b7a0e75490c169c36 |
| SHA256 | 604b240dd5e0ae92578c785bf46888b93307588f00af62cf6296b2f1c86eeb50 |
| SHA512 | e8010ea23bb01e707342fab42fb3b73fc6f82d0abfdd0354f01ed68e7e05aafaed3991f7deb9bc368de3c36deec7dbc7e4fa4e1178134d9e941f0c77cb52a394 |
C:\ProgramData\WindowsVolume\config_set.reg
| MD5 | 7b6fccac74add3d64ebe50a809ee6ae8 |
| SHA1 | 15468dc1ca0b54fa9b0db13fcbaa02702389b0c9 |
| SHA256 | 9f8d92e21eb41be9d2467c2b56e3c4f215d0c51ac8632014685321d70345d3a6 |
| SHA512 | 3e383f0d0ecd661857b01dc8e0aedcbf2f6fd8fdeb834653255e5c2d6637a6a53bb511d71178830589a425a5a6defe430457649ac75f19514f64809602bf16f1 |
C:\ProgramData\WindowsVolume\sysdisk.exe
| MD5 | dfc2c02caefa842853b59e6f5fa490f0 |
| SHA1 | 1e96717a40ee9600bd379085510a2e74a70c46b6 |
| SHA256 | 56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8 |
| SHA512 | 068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5 |
C:\ProgramData\WindowsVolume\sysdisk.exe
| MD5 | dfc2c02caefa842853b59e6f5fa490f0 |
| SHA1 | 1e96717a40ee9600bd379085510a2e74a70c46b6 |
| SHA256 | 56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8 |
| SHA512 | 068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5 |
C:\ProgramData\WindowsVolume\russian.lg
| MD5 | e44e34bc285b709f08f967325d9c8be1 |
| SHA1 | e73f05c6a980ec9d006930c5343955f89579b409 |
| SHA256 | 1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b |
| SHA512 | 576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727 |
C:\ProgramData\WindowsVolume\vp8encoder.dll
| MD5 | dab4646806dfca6d0e0b4d80fa9209d6 |
| SHA1 | 8244dfe22ec2090eee89dad103e6b2002059d16a |
| SHA256 | cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587 |
| SHA512 | aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7 |
C:\ProgramData\WindowsVolume\volumedisk.exe
| MD5 | 8969782b82398387c46fb9887bf9850d |
| SHA1 | 9f927e2acfb6282f24f7221ce5451055f930b47f |
| SHA256 | 32d376d67fde458455e83272e7cef91ad39917a3f568b045f8975ca0ade33051 |
| SHA512 | 1790c2d4874584bb24f865dfd57f9f090142e4007b4ad659d1320b918879cc4dc9e05e68cf8ba8cb17a2b87aa232f70bcfd2597404a5c4a5c80497e4d4100c21 |
C:\ProgramData\WindowsVolume\vp8decoder.dll
| MD5 | d43fa82fab5337ce20ad14650085c5d9 |
| SHA1 | 678aa092075ff65b6815ffc2d8fdc23af8425981 |
| SHA256 | c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b |
| SHA512 | 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d |
C:\ProgramData\WindowsVolume\DiskInstall2.bat
| MD5 | 52d57e611e45ceae3107a9606c798df8 |
| SHA1 | a559ee95833113e022c4e5116508641847e31dd3 |
| SHA256 | 1511fc19a2f4a670f7ced8ff7980bb0f8eb5ef840c0c116fc96ec3b241a588e7 |
| SHA512 | 1c86c712988c97fab61461dfd6cc67912d11e1816af8e96f7a2432a591097e1182b179be0555c80cfbedb9441beeac526398b54fac4f49af1fed7dde75030306 |
C:\ProgramData\WindowsVolume\Diskpart.dat
| MD5 | 1a18270fb3fd76df0d01087e99dddcc6 |
| SHA1 | 26732b781736ed80654e3a41839b50e3d2e36db5 |
| SHA256 | fb9b9ae62c41448d117cbc468b2bf4eebb0665605cb864f28822f2b71f78dbda |
| SHA512 | 63d260f4972c6a403af97c3c6e371f516a5d3fbc1090bfe2b41b4dd88ff900b98217fb2225b53948fc480c33d1b9753bbf1e4a4df1613069f0f211a556a95f19 |