Malware Analysis Report

2024-11-13 16:21

Sample ID: 220508-jn9rqsehbp
Target: 8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a
SHA256: 8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a
Tags: rms discovery evasion rat trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a

Threat Level: Known bad

The file 8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a was found to be: Known bad.

Malicious Activity Summary

rms discovery evasion rat trojan

RMS

Stops running service(s)

Executes dropped EXE

Sets file to hidden

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Launches sc.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: SetClipboardViewer

Runs .reg file with regedit

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-05-08 07:50

Signatures: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-08 07:50
Reported: 2022-05-08 10:53
Platform: win7-20220414-en
Max time kernel: 189s
Max time network: 195s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe"

Signatures

RMS (trojan rat rms)

Sets file to hidden (evasion)

Stops running service(s) (evasion)

Checks installed software on the system (discovery)

Launches sc.exe

Enumerates physical storage devices

Kills process with taskkill (evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Runs .reg file with regedit

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A

Suspicious behavior: SetClipboardViewer

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\WindowsVolume\volumedisk.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A
Token: SeTcbPrivilege | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A
Token: SeTcbPrivilege | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A
N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A
N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A
N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1940 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe | C:\ProgramData\WindowsVolume\DiskServer.exe
PID 1940 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe | C:\ProgramData\WindowsVolume\DiskServer.exe
PID 1940 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe | C:\ProgramData\WindowsVolume\DiskServer.exe
PID 1940 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe | C:\ProgramData\WindowsVolume\DiskServer.exe
PID 1940 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe | C:\ProgramData\WindowsVolume\DiskServer.exe
PID 1940 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe | C:\ProgramData\WindowsVolume\DiskServer.exe
PID 1940 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe | C:\ProgramData\WindowsVolume\DiskServer.exe
PID 1724 wrote to memory of 1696 | N/A | C:\ProgramData\WindowsVolume\DiskServer.exe | C:\ProgramData\WindowsVolume\OpenDisk.exe
PID 1724 wrote to memory of 1696 | N/A | C:\ProgramData\WindowsVolume\DiskServer.exe | C:\ProgramData\WindowsVolume\OpenDisk.exe
PID 1724 wrote to memory of 1696 | N/A | C:\ProgramData\WindowsVolume\DiskServer.exe | C:\ProgramData\WindowsVolume\OpenDisk.exe
PID 1724 wrote to memory of 1696 | N/A | C:\ProgramData\WindowsVolume\DiskServer.exe | C:\ProgramData\WindowsVolume\OpenDisk.exe
PID 1724 wrote to memory of 1696 | N/A | C:\ProgramData\WindowsVolume\DiskServer.exe | C:\ProgramData\WindowsVolume\OpenDisk.exe
PID 1724 wrote to memory of 1696 | N/A | C:\ProgramData\WindowsVolume\DiskServer.exe | C:\ProgramData\WindowsVolume\OpenDisk.exe
PID 1724 wrote to memory of 1696 | N/A | C:\ProgramData\WindowsVolume\DiskServer.exe | C:\ProgramData\WindowsVolume\OpenDisk.exe
PID 1696 wrote to memory of 1604 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\File.exe
PID 1696 wrote to memory of 1604 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\File.exe
PID 1696 wrote to memory of 1604 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\File.exe
PID 1696 wrote to memory of 1604 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\File.exe
PID 1696 wrote to memory of 1604 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\File.exe
PID 1696 wrote to memory of 1604 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\File.exe
PID 1696 wrote to memory of 1604 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\File.exe
PID 1696 wrote to memory of 1652 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\File2.exe
PID 1696 wrote to memory of 1652 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\File2.exe
PID 1696 wrote to memory of 1652 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\File2.exe
PID 1696 wrote to memory of 1652 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\File2.exe
PID 1696 wrote to memory of 1652 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\File2.exe
PID 1696 wrote to memory of 1652 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\File2.exe
PID 1696 wrote to memory of 1652 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\File2.exe
PID 1696 wrote to memory of 1960 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\File3.exe
PID 1696 wrote to memory of 1960 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\File3.exe
PID 1696 wrote to memory of 1960 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\File3.exe
PID 1696 wrote to memory of 1960 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\File3.exe
PID 1696 wrote to memory of 1960 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\File3.exe
PID 1696 wrote to memory of 1960 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\File3.exe
PID 1696 wrote to memory of 1960 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\File3.exe
PID 1696 wrote to memory of 468 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\DiskUpdate.exe
PID 1696 wrote to memory of 468 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\DiskUpdate.exe
PID 1696 wrote to memory of 468 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\DiskUpdate.exe
PID 1696 wrote to memory of 468 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\DiskUpdate.exe
PID 1696 wrote to memory of 468 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\DiskUpdate.exe
PID 1696 wrote to memory of 468 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\DiskUpdate.exe
PID 1696 wrote to memory of 468 | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | C:\ProgramData\WindowsVolume\DiskUpdate.exe
PID 468 wrote to memory of 1096 | N/A | C:\ProgramData\WindowsVolume\DiskUpdate.exe | C:\ProgramData\WindowsVolume\DiskUpdate1.exe
PID 468 wrote to memory of 1096 | N/A | C:\ProgramData\WindowsVolume\DiskUpdate.exe | C:\ProgramData\WindowsVolume\DiskUpdate1.exe
PID 468 wrote to memory of 1096 | N/A | C:\ProgramData\WindowsVolume\DiskUpdate.exe | C:\ProgramData\WindowsVolume\DiskUpdate1.exe
PID 468 wrote to memory of 1096 | N/A | C:\ProgramData\WindowsVolume\DiskUpdate.exe | C:\ProgramData\WindowsVolume\DiskUpdate1.exe
PID 468 wrote to memory of 1096 | N/A | C:\ProgramData\WindowsVolume\DiskUpdate.exe | C:\ProgramData\WindowsVolume\DiskUpdate1.exe
PID 468 wrote to memory of 1096 | N/A | C:\ProgramData\WindowsVolume\DiskUpdate.exe | C:\ProgramData\WindowsVolume\DiskUpdate1.exe
PID 468 wrote to memory of 1096 | N/A | C:\ProgramData\WindowsVolume\DiskUpdate.exe | C:\ProgramData\WindowsVolume\DiskUpdate1.exe
PID 1096 wrote to memory of 1976 | N/A | C:\ProgramData\WindowsVolume\DiskUpdate1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 1976 | N/A | C:\ProgramData\WindowsVolume\DiskUpdate1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 1976 | N/A | C:\ProgramData\WindowsVolume\DiskUpdate1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 1976 | N/A | C:\ProgramData\WindowsVolume\DiskUpdate1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 1976 | N/A | C:\ProgramData\WindowsVolume\DiskUpdate1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 1976 | N/A | C:\ProgramData\WindowsVolume\DiskUpdate1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 1976 | N/A | C:\ProgramData\WindowsVolume\DiskUpdate1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 872 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1976 wrote to memory of 872 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1976 wrote to memory of 872 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1976 wrote to memory of 872 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1976 wrote to memory of 872 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1976 wrote to memory of 872 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1976 wrote to memory of 872 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1976 wrote to memory of 2040 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe

Views/modifies file attributes (evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe

"C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe"

C:\ProgramData\WindowsVolume\DiskServer.exe

"C:\ProgramData\WindowsVolume\DiskServer.exe" -p834784734789789347892898943789787892

C:\ProgramData\WindowsVolume\OpenDisk.exe

"C:\ProgramData\WindowsVolume\OpenDisk.exe"

C:\ProgramData\WindowsVolume\File.exe

"C:\ProgramData\WindowsVolume\File.exe"

C:\ProgramData\WindowsVolume\DiskUpdate.exe

"C:\ProgramData\WindowsVolume\DiskUpdate.exe" -p78347834893489894237834783478785788989543536

C:\ProgramData\WindowsVolume\File3.exe

"C:\ProgramData\WindowsVolume\File3.exe"

C:\ProgramData\WindowsVolume\File2.exe

"C:\ProgramData\WindowsVolume\File2.exe"

C:\ProgramData\WindowsVolume\DiskUpdate1.exe

"C:\ProgramData\WindowsVolume\DiskUpdate1.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\ProgramData\WindowsVolume\DiskInstall.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\ProgramData\WindowsVolume"

C:\Windows\SysWOW64\sc.exe

sc stop RManService

C:\Windows\SysWOW64\sc.exe

sc stop VolumeDisk0

C:\Windows\SysWOW64\sc.exe

sc stop VDeviceCard

C:\Windows\SysWOW64\sc.exe

sc stop NPackStereo

C:\Windows\SysWOW64\sc.exe

sc stop ServiceWork

C:\Windows\SysWOW64\sc.exe

sc stop AMIHardware

C:\Windows\SysWOW64\sc.exe

sc stop IntelDriver

C:\Windows\SysWOW64\sc.exe

sc delete RManService

C:\Windows\SysWOW64\sc.exe

sc delete VolumeDisk0

C:\Windows\SysWOW64\sc.exe

sc delete VDeviceCard

C:\Windows\SysWOW64\sc.exe

sc delete NPackStereo

C:\Windows\SysWOW64\sc.exe

sc delete ServiceWork

C:\Windows\SysWOW64\sc.exe

sc delete AMIHardware

C:\Windows\SysWOW64\sc.exe

sc delete IntelDriver

C:\Windows\SysWOW64\taskkill.exe

taskkill /im rfusclient.exe /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /im rutserv.exe /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\SystemVolume0\SysHardDisk" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "C:\ProgramData\WindowsVolume\config_set.reg"

C:\ProgramData\WindowsVolume\sysdisk.exe

"C:\ProgramData\WindowsVolume\sysdisk.exe" /silentinstall

C:\ProgramData\WindowsVolume\sysdisk.exe

"C:\ProgramData\WindowsVolume\sysdisk.exe" /firewall

C:\Windows\SysWOW64\regedit.exe

regedit /s "C:\ProgramData\WindowsVolume\config_set.reg"

C:\Windows\SysWOW64\sc.exe

sc failure VolumeDisk0 reset= 0 actions= restart/500/restart/500/restart/500

C:\Windows\SysWOW64\sc.exe

sc config VolumeDisk0 obj= LocalSystem type= interact type= own

C:\ProgramData\WindowsVolume\sysdisk.exe

"C:\ProgramData\WindowsVolume\sysdisk.exe" /start

C:\ProgramData\WindowsVolume\sysdisk.exe

C:\ProgramData\WindowsVolume\sysdisk.exe

C:\ProgramData\WindowsVolume\volumedisk.exe

C:\ProgramData\WindowsVolume\volumedisk.exe

C:\ProgramData\WindowsVolume\volumedisk.exe

C:\ProgramData\WindowsVolume\volumedisk.exe /tray

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\ProgramData\WindowsVolume\*.*"

C:\ProgramData\WindowsVolume\volumedisk.exe

C:\ProgramData\WindowsVolume\volumedisk.exe /tray

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rmansys.ru | udp
RU | 31.31.198.18:80 | rmansys.ru | tcp
RU | 31.31.198.18:80 | rmansys.ru | tcp
US | 8.8.8.8:53 | rms-server.tektonit.ru | udp
RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp

Files

memory/1940-54-0x0000000075941000-0x0000000075943000-memory.dmp

\ProgramData\WindowsVolume\DiskServer.exe

MD5 cd3d8619a4459d3de5478349c9d35920
SHA1 6e2845d980365b8e0a9c2285906a5591218c94b7
SHA256 91f9a2c5a2ae5f84712fd1108fd27cfe113618d797f7771a279d4d084e56e530
SHA512 f8ce6e48b99ab0823bbbf1fc8c0e6b36d81cda51bae54a96ab6e7591098b35f26eabbda694ab40a2117f9b6814d3d6efa82e943441447ff5eba66fa5467d15b4

memory/1724-56-0x0000000000000000-mapping.dmp

C:\ProgramData\WindowsVolume\DiskServer.exe

MD5 cd3d8619a4459d3de5478349c9d35920
SHA1 6e2845d980365b8e0a9c2285906a5591218c94b7
SHA256 91f9a2c5a2ae5f84712fd1108fd27cfe113618d797f7771a279d4d084e56e530
SHA512 f8ce6e48b99ab0823bbbf1fc8c0e6b36d81cda51bae54a96ab6e7591098b35f26eabbda694ab40a2117f9b6814d3d6efa82e943441447ff5eba66fa5467d15b4

C:\ProgramData\WindowsVolume\DiskServer.exe

MD5 cd3d8619a4459d3de5478349c9d35920
SHA1 6e2845d980365b8e0a9c2285906a5591218c94b7
SHA256 91f9a2c5a2ae5f84712fd1108fd27cfe113618d797f7771a279d4d084e56e530
SHA512 f8ce6e48b99ab0823bbbf1fc8c0e6b36d81cda51bae54a96ab6e7591098b35f26eabbda694ab40a2117f9b6814d3d6efa82e943441447ff5eba66fa5467d15b4

\ProgramData\WindowsVolume\OpenDisk.exe

MD5 33fe1f9da3970f862da541a2547e8a57
SHA1 17f09e35174d44cdb8c38833f497d4f51368ac01
SHA256 7b02abfefdc990f7381f3db107a8169d21582735959ba8e764a195ab5edfee06
SHA512 0a745059fea9d90735e30f7876b104c35d062f928f8108d502ec2fb00ef4660d26c284a9428460296125a703655bfed5822dcb27c39f17f902c7291ebd8e8e4a

\ProgramData\WindowsVolume\OpenDisk.exe

MD5 33fe1f9da3970f862da541a2547e8a57
SHA1 17f09e35174d44cdb8c38833f497d4f51368ac01
SHA256 7b02abfefdc990f7381f3db107a8169d21582735959ba8e764a195ab5edfee06
SHA512 0a745059fea9d90735e30f7876b104c35d062f928f8108d502ec2fb00ef4660d26c284a9428460296125a703655bfed5822dcb27c39f17f902c7291ebd8e8e4a

\ProgramData\WindowsVolume\OpenDisk.exe

MD5 33fe1f9da3970f862da541a2547e8a57
SHA1 17f09e35174d44cdb8c38833f497d4f51368ac01
SHA256 7b02abfefdc990f7381f3db107a8169d21582735959ba8e764a195ab5edfee06
SHA512 0a745059fea9d90735e30f7876b104c35d062f928f8108d502ec2fb00ef4660d26c284a9428460296125a703655bfed5822dcb27c39f17f902c7291ebd8e8e4a

memory/1696-63-0x0000000000000000-mapping.dmp

C:\ProgramData\WindowsVolume\OpenDisk.exe

MD5 33fe1f9da3970f862da541a2547e8a57
SHA1 17f09e35174d44cdb8c38833f497d4f51368ac01
SHA256 7b02abfefdc990f7381f3db107a8169d21582735959ba8e764a195ab5edfee06
SHA512 0a745059fea9d90735e30f7876b104c35d062f928f8108d502ec2fb00ef4660d26c284a9428460296125a703655bfed5822dcb27c39f17f902c7291ebd8e8e4a

C:\ProgramData\WindowsVolume\File.exe

MD5 114f5bfb83d3c1a44dbf04aed9c458b5
SHA1 dc1fee3135992a572cd46896ffe68f9f9f4a4e86
SHA256 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e
SHA512 e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

C:\ProgramData\WindowsVolume\OpenDisk.exe

MD5 33fe1f9da3970f862da541a2547e8a57
SHA1 17f09e35174d44cdb8c38833f497d4f51368ac01
SHA256 7b02abfefdc990f7381f3db107a8169d21582735959ba8e764a195ab5edfee06
SHA512 0a745059fea9d90735e30f7876b104c35d062f928f8108d502ec2fb00ef4660d26c284a9428460296125a703655bfed5822dcb27c39f17f902c7291ebd8e8e4a

\ProgramData\WindowsVolume\OpenDisk.exe

MD5 33fe1f9da3970f862da541a2547e8a57
SHA1 17f09e35174d44cdb8c38833f497d4f51368ac01
SHA256 7b02abfefdc990f7381f3db107a8169d21582735959ba8e764a195ab5edfee06
SHA512 0a745059fea9d90735e30f7876b104c35d062f928f8108d502ec2fb00ef4660d26c284a9428460296125a703655bfed5822dcb27c39f17f902c7291ebd8e8e4a

\ProgramData\WindowsVolume\File.exe

MD5 114f5bfb83d3c1a44dbf04aed9c458b5
SHA1 dc1fee3135992a572cd46896ffe68f9f9f4a4e86
SHA256 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e
SHA512 e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

\ProgramData\WindowsVolume\File.exe

MD5 114f5bfb83d3c1a44dbf04aed9c458b5
SHA1 dc1fee3135992a572cd46896ffe68f9f9f4a4e86
SHA256 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e
SHA512 e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

C:\ProgramData\WindowsVolume\File.exe

MD5 114f5bfb83d3c1a44dbf04aed9c458b5
SHA1 dc1fee3135992a572cd46896ffe68f9f9f4a4e86
SHA256 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e
SHA512 e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

memory/1604-71-0x0000000000000000-mapping.dmp

memory/1652-77-0x0000000000000000-mapping.dmp

C:\ProgramData\WindowsVolume\DiskUpdate.exe

MD5 8dc6ab416cb22c454630a92a3782b147
SHA1 104fee8238f185ab289f89b14978f4e59b2ffed1
SHA256 1c8af7e421f07bd2c8fc9b2924d9fce6530352d5c9405d70ce1288aed965c45e
SHA512 a298627a3ac822b83722093f359abf25e3b71063a7a8a8fee92096631185516d08d06b4792f2b1f45bea0a3c2e7caa9a8b17b15a7ed73b516bc05a7d4c5f5eb0

\ProgramData\WindowsVolume\DiskUpdate.exe

MD5 8dc6ab416cb22c454630a92a3782b147
SHA1 104fee8238f185ab289f89b14978f4e59b2ffed1
SHA256 1c8af7e421f07bd2c8fc9b2924d9fce6530352d5c9405d70ce1288aed965c45e
SHA512 a298627a3ac822b83722093f359abf25e3b71063a7a8a8fee92096631185516d08d06b4792f2b1f45bea0a3c2e7caa9a8b17b15a7ed73b516bc05a7d4c5f5eb0

memory/468-88-0x0000000000000000-mapping.dmp

C:\ProgramData\WindowsVolume\DiskUpdate.exe

MD5 8dc6ab416cb22c454630a92a3782b147
SHA1 104fee8238f185ab289f89b14978f4e59b2ffed1
SHA256 1c8af7e421f07bd2c8fc9b2924d9fce6530352d5c9405d70ce1288aed965c45e
SHA512 a298627a3ac822b83722093f359abf25e3b71063a7a8a8fee92096631185516d08d06b4792f2b1f45bea0a3c2e7caa9a8b17b15a7ed73b516bc05a7d4c5f5eb0

C:\ProgramData\WindowsVolume\File3.exe

MD5 114f5bfb83d3c1a44dbf04aed9c458b5
SHA1 dc1fee3135992a572cd46896ffe68f9f9f4a4e86
SHA256 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e
SHA512 e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

memory/1960-83-0x0000000000000000-mapping.dmp

C:\ProgramData\WindowsVolume\File3.exe

MD5 114f5bfb83d3c1a44dbf04aed9c458b5
SHA1 dc1fee3135992a572cd46896ffe68f9f9f4a4e86
SHA256 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e
SHA512 e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

C:\ProgramData\WindowsVolume\File2.exe

MD5 114f5bfb83d3c1a44dbf04aed9c458b5
SHA1 dc1fee3135992a572cd46896ffe68f9f9f4a4e86
SHA256 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e
SHA512 e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

\ProgramData\WindowsVolume\File3.exe

MD5 114f5bfb83d3c1a44dbf04aed9c458b5
SHA1 dc1fee3135992a572cd46896ffe68f9f9f4a4e86
SHA256 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e
SHA512 e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

\ProgramData\WindowsVolume\File3.exe

MD5 114f5bfb83d3c1a44dbf04aed9c458b5
SHA1 dc1fee3135992a572cd46896ffe68f9f9f4a4e86
SHA256 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e
SHA512 e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

\ProgramData\WindowsVolume\File2.exe

MD5 114f5bfb83d3c1a44dbf04aed9c458b5
SHA1 dc1fee3135992a572cd46896ffe68f9f9f4a4e86
SHA256 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e
SHA512 e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

\ProgramData\WindowsVolume\File2.exe

MD5 114f5bfb83d3c1a44dbf04aed9c458b5
SHA1 dc1fee3135992a572cd46896ffe68f9f9f4a4e86
SHA256 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e
SHA512 e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

C:\ProgramData\WindowsVolume\File2.exe

MD5 114f5bfb83d3c1a44dbf04aed9c458b5
SHA1 dc1fee3135992a572cd46896ffe68f9f9f4a4e86
SHA256 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e
SHA512 e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

C:\ProgramData\WindowsVolume\DiskUpdate1.exe

MD5 01fce99ef71f219c297b99252ea31abb
SHA1 8f45a949b777f04aa47fc4db77eebdb24a2bcfb6
SHA256 9ae4979cdec81bcd0dd3de8fad9df24e8bb110faf34a61194db56d476f85ea64
SHA512 57b26d1c2a9bd49319e67ab75afdb753006c371ec27632b56abbd2ba5a2a88ac134d659360832e4d5a0ab963909eaca19024a2d5415eeb7ade3adc1f97dd8f71

memory/1096-94-0x0000000000000000-mapping.dmp

\ProgramData\WindowsVolume\DiskUpdate1.exe

MD5 01fce99ef71f219c297b99252ea31abb
SHA1 8f45a949b777f04aa47fc4db77eebdb24a2bcfb6
SHA256 9ae4979cdec81bcd0dd3de8fad9df24e8bb110faf34a61194db56d476f85ea64
SHA512 57b26d1c2a9bd49319e67ab75afdb753006c371ec27632b56abbd2ba5a2a88ac134d659360832e4d5a0ab963909eaca19024a2d5415eeb7ade3adc1f97dd8f71

\ProgramData\WindowsVolume\DiskUpdate1.exe

MD5 01fce99ef71f219c297b99252ea31abb
SHA1 8f45a949b777f04aa47fc4db77eebdb24a2bcfb6
SHA256 9ae4979cdec81bcd0dd3de8fad9df24e8bb110faf34a61194db56d476f85ea64
SHA512 57b26d1c2a9bd49319e67ab75afdb753006c371ec27632b56abbd2ba5a2a88ac134d659360832e4d5a0ab963909eaca19024a2d5415eeb7ade3adc1f97dd8f71

\ProgramData\WindowsVolume\DiskUpdate1.exe

MD5 01fce99ef71f219c297b99252ea31abb
SHA1 8f45a949b777f04aa47fc4db77eebdb24a2bcfb6
SHA256 9ae4979cdec81bcd0dd3de8fad9df24e8bb110faf34a61194db56d476f85ea64
SHA512 57b26d1c2a9bd49319e67ab75afdb753006c371ec27632b56abbd2ba5a2a88ac134d659360832e4d5a0ab963909eaca19024a2d5415eeb7ade3adc1f97dd8f71

\ProgramData\WindowsVolume\DiskUpdate1.exe

MD5 01fce99ef71f219c297b99252ea31abb
SHA1 8f45a949b777f04aa47fc4db77eebdb24a2bcfb6
SHA256 9ae4979cdec81bcd0dd3de8fad9df24e8bb110faf34a61194db56d476f85ea64
SHA512 57b26d1c2a9bd49319e67ab75afdb753006c371ec27632b56abbd2ba5a2a88ac134d659360832e4d5a0ab963909eaca19024a2d5415eeb7ade3adc1f97dd8f71

C:\ProgramData\WindowsVolume\DiskInstall.bat

MD5 a46bdedc1e6587433dc98119f338d175
SHA1 01334536e159f71bc5bc1e7b7a0e75490c169c36
SHA256 604b240dd5e0ae92578c785bf46888b93307588f00af62cf6296b2f1c86eeb50
SHA512 e8010ea23bb01e707342fab42fb3b73fc6f82d0abfdd0354f01ed68e7e05aafaed3991f7deb9bc368de3c36deec7dbc7e4fa4e1178134d9e941f0c77cb52a394

C:\ProgramData\WindowsVolume\DiskUpdate1.exe

MD5 01fce99ef71f219c297b99252ea31abb
SHA1 8f45a949b777f04aa47fc4db77eebdb24a2bcfb6
SHA256 9ae4979cdec81bcd0dd3de8fad9df24e8bb110faf34a61194db56d476f85ea64
SHA512 57b26d1c2a9bd49319e67ab75afdb753006c371ec27632b56abbd2ba5a2a88ac134d659360832e4d5a0ab963909eaca19024a2d5415eeb7ade3adc1f97dd8f71

memory/1976-100-0x0000000000000000-mapping.dmp

memory/872-102-0x0000000000000000-mapping.dmp

memory/2040-104-0x0000000000000000-mapping.dmp

memory/1460-108-0x0000000000000000-mapping.dmp

memory/1336-110-0x0000000000000000-mapping.dmp

memory/2004-112-0x0000000000000000-mapping.dmp

memory/1552-116-0x0000000000000000-mapping.dmp

memory/1632-114-0x0000000000000000-mapping.dmp

memory/740-106-0x0000000000000000-mapping.dmp

memory/940-118-0x0000000000000000-mapping.dmp

memory/1712-120-0x0000000000000000-mapping.dmp

memory/932-122-0x0000000000000000-mapping.dmp

memory/2028-124-0x0000000000000000-mapping.dmp

memory/1484-126-0x0000000000000000-mapping.dmp

memory/520-130-0x0000000000000000-mapping.dmp

memory/1048-128-0x0000000000000000-mapping.dmp

memory/1500-132-0x0000000000000000-mapping.dmp

memory/1084-134-0x0000000000000000-mapping.dmp

memory/1696-136-0x0000000000000000-mapping.dmp

memory/1548-138-0x0000000000000000-mapping.dmp

C:\ProgramData\WindowsVolume\config_set.reg

MD5 7b6fccac74add3d64ebe50a809ee6ae8
SHA1 15468dc1ca0b54fa9b0db13fcbaa02702389b0c9
SHA256 9f8d92e21eb41be9d2467c2b56e3c4f215d0c51ac8632014685321d70345d3a6
SHA512 3e383f0d0ecd661857b01dc8e0aedcbf2f6fd8fdeb834653255e5c2d6637a6a53bb511d71178830589a425a5a6defe430457649ac75f19514f64809602bf16f1

\ProgramData\WindowsVolume\sysdisk.exe

MD5 dfc2c02caefa842853b59e6f5fa490f0
SHA1 1e96717a40ee9600bd379085510a2e74a70c46b6
SHA256 56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8
SHA512 068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5

C:\ProgramData\WindowsVolume\sysdisk.exe

MD5 dfc2c02caefa842853b59e6f5fa490f0
SHA1 1e96717a40ee9600bd379085510a2e74a70c46b6
SHA256 56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8
SHA512 068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5

C:\ProgramData\WindowsVolume\sysdisk.exe

MD5 dfc2c02caefa842853b59e6f5fa490f0
SHA1 1e96717a40ee9600bd379085510a2e74a70c46b6
SHA256 56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8
SHA512 068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5

memory/1488-143-0x0000000000000000-mapping.dmp

\ProgramData\WindowsVolume\sysdisk.exe

MD5 dfc2c02caefa842853b59e6f5fa490f0
SHA1 1e96717a40ee9600bd379085510a2e74a70c46b6
SHA256 56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8
SHA512 068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5

C:\ProgramData\WindowsVolume\sysdisk.exe

MD5 dfc2c02caefa842853b59e6f5fa490f0
SHA1 1e96717a40ee9600bd379085510a2e74a70c46b6
SHA256 56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8
SHA512 068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5

memory/736-147-0x0000000000000000-mapping.dmp

memory/560-150-0x0000000000000000-mapping.dmp

memory/1408-152-0x0000000000000000-mapping.dmp

memory/1944-154-0x0000000000000000-mapping.dmp

C:\ProgramData\WindowsVolume\sysdisk.exe

MD5 dfc2c02caefa842853b59e6f5fa490f0
SHA1 1e96717a40ee9600bd379085510a2e74a70c46b6
SHA256 56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8
SHA512 068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5

memory/872-157-0x0000000000000000-mapping.dmp

\ProgramData\WindowsVolume\sysdisk.exe

MD5 dfc2c02caefa842853b59e6f5fa490f0
SHA1 1e96717a40ee9600bd379085510a2e74a70c46b6
SHA256 56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8
SHA512 068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5

C:\ProgramData\WindowsVolume\sysdisk.exe

MD5 dfc2c02caefa842853b59e6f5fa490f0
SHA1 1e96717a40ee9600bd379085510a2e74a70c46b6
SHA256 56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8
SHA512 068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5

C:\ProgramData\WindowsVolume\volumedisk.exe

MD5 8969782b82398387c46fb9887bf9850d
SHA1 9f927e2acfb6282f24f7221ce5451055f930b47f
SHA256 32d376d67fde458455e83272e7cef91ad39917a3f568b045f8975ca0ade33051
C:\ProgramData\WindowsVolume\vp8encoder.dll

C:\ProgramData\WindowsVolume\vp8decoder.dll

C:\ProgramData\WindowsVolume\russian.lg

\ProgramData\WindowsVolume\volumedisk.exe

C:\ProgramData\WindowsVolume\volumedisk.exe

C:\ProgramData\WindowsVolume\DiskInstall2.bat

C:\ProgramData\WindowsVolume\Diskpart.dat

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-08 07:50

Reported

2022-05-08 10:53

Platform

win10v2004-20220414-en

Max time kernel

189s

Max time network

200s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe"

Signatures

RMS

trojan rat rms

Sets file to hidden

evasion

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\ProgramData\WindowsVolume\DiskServer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\ProgramData\WindowsVolume\OpenDisk.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\ProgramData\WindowsVolume\DiskUpdate.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\ProgramData\WindowsVolume\DiskUpdate1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe N/A

Checks installed software on the system

discovery

Launches sc.exe

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\ProgramData\WindowsVolume\volumedisk.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\WindowsVolume\sysdisk.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\WindowsVolume\sysdisk.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\WindowsVolume\sysdisk.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\WindowsVolume\sysdisk.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\WindowsVolume\sysdisk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4788 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe C:\ProgramData\WindowsVolume\DiskServer.exe
PID 4788 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe C:\ProgramData\WindowsVolume\DiskServer.exe
PID 4788 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe C:\ProgramData\WindowsVolume\DiskServer.exe
PID 2272 wrote to memory of 1628 N/A C:\ProgramData\WindowsVolume\DiskServer.exe C:\ProgramData\WindowsVolume\OpenDisk.exe
PID 2272 wrote to memory of 1628 N/A C:\ProgramData\WindowsVolume\DiskServer.exe C:\ProgramData\WindowsVolume\OpenDisk.exe
PID 2272 wrote to memory of 1628 N/A C:\ProgramData\WindowsVolume\DiskServer.exe C:\ProgramData\WindowsVolume\OpenDisk.exe
PID 1628 wrote to memory of 3260 N/A C:\ProgramData\WindowsVolume\OpenDisk.exe C:\ProgramData\WindowsVolume\File.exe
PID 1628 wrote to memory of 3260 N/A C:\ProgramData\WindowsVolume\OpenDisk.exe C:\ProgramData\WindowsVolume\File.exe
PID 1628 wrote to memory of 3260 N/A C:\ProgramData\WindowsVolume\OpenDisk.exe C:\ProgramData\WindowsVolume\File.exe
PID 1628 wrote to memory of 1800 N/A C:\ProgramData\WindowsVolume\OpenDisk.exe C:\ProgramData\WindowsVolume\File2.exe
PID 1628 wrote to memory of 1800 N/A C:\ProgramData\WindowsVolume\OpenDisk.exe C:\ProgramData\WindowsVolume\File2.exe
PID 1628 wrote to memory of 1800 N/A C:\ProgramData\WindowsVolume\OpenDisk.exe C:\ProgramData\WindowsVolume\File2.exe
PID 1628 wrote to memory of 1308 N/A C:\ProgramData\WindowsVolume\OpenDisk.exe C:\ProgramData\WindowsVolume\File3.exe
PID 1628 wrote to memory of 1308 N/A C:\ProgramData\WindowsVolume\OpenDisk.exe C:\ProgramData\WindowsVolume\File3.exe
PID 1628 wrote to memory of 1308 N/A C:\ProgramData\WindowsVolume\OpenDisk.exe C:\ProgramData\WindowsVolume\File3.exe
PID 1628 wrote to memory of 260 N/A C:\ProgramData\WindowsVolume\OpenDisk.exe C:\ProgramData\WindowsVolume\DiskUpdate.exe
PID 1628 wrote to memory of 260 N/A C:\ProgramData\WindowsVolume\OpenDisk.exe C:\ProgramData\WindowsVolume\DiskUpdate.exe
PID 1628 wrote to memory of 260 N/A C:\ProgramData\WindowsVolume\OpenDisk.exe C:\ProgramData\WindowsVolume\DiskUpdate.exe
PID 260 wrote to memory of 3752 N/A C:\ProgramData\WindowsVolume\DiskUpdate.exe C:\ProgramData\WindowsVolume\DiskUpdate1.exe
PID 260 wrote to memory of 3752 N/A C:\ProgramData\WindowsVolume\DiskUpdate.exe C:\ProgramData\WindowsVolume\DiskUpdate1.exe
PID 260 wrote to memory of 3752 N/A C:\ProgramData\WindowsVolume\DiskUpdate.exe C:\ProgramData\WindowsVolume\DiskUpdate1.exe
PID 3752 wrote to memory of 4000 N/A C:\ProgramData\WindowsVolume\DiskUpdate1.exe C:\Windows\SysWOW64\cmd.exe
PID 3752 wrote to memory of 4000 N/A C:\ProgramData\WindowsVolume\DiskUpdate1.exe C:\Windows\SysWOW64\cmd.exe
PID 3752 wrote to memory of 4000 N/A C:\ProgramData\WindowsVolume\DiskUpdate1.exe C:\Windows\SysWOW64\cmd.exe
PID 4000 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4000 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4000 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4000 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 4852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 4852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 4852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 4484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 4484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 4484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 4024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 4024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 4024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 4228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 4228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 4228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4000 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe

"C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe"

C:\ProgramData\WindowsVolume\DiskServer.exe

"C:\ProgramData\WindowsVolume\DiskServer.exe" -p834784734789789347892898943789787892

C:\ProgramData\WindowsVolume\OpenDisk.exe

"C:\ProgramData\WindowsVolume\OpenDisk.exe"

C:\ProgramData\WindowsVolume\File.exe

"C:\ProgramData\WindowsVolume\File.exe"

C:\ProgramData\WindowsVolume\File2.exe

"C:\ProgramData\WindowsVolume\File2.exe"

C:\ProgramData\WindowsVolume\File3.exe

"C:\ProgramData\WindowsVolume\File3.exe"

C:\ProgramData\WindowsVolume\DiskUpdate.exe

"C:\ProgramData\WindowsVolume\DiskUpdate.exe" -p78347834893489894237834783478785788989543536

C:\ProgramData\WindowsVolume\DiskUpdate1.exe

"C:\ProgramData\WindowsVolume\DiskUpdate1.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\WindowsVolume\DiskInstall.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\ProgramData\WindowsVolume"

C:\Windows\SysWOW64\sc.exe

sc stop RManService

C:\Windows\SysWOW64\sc.exe

sc stop VolumeDisk0

C:\Windows\SysWOW64\sc.exe

sc stop VDeviceCard

C:\Windows\SysWOW64\sc.exe

sc stop NPackStereo

C:\Windows\SysWOW64\sc.exe

sc stop ServiceWork

C:\Windows\SysWOW64\sc.exe

sc stop IntelDriver

C:\Windows\SysWOW64\sc.exe

sc stop AMIHardware

C:\Windows\SysWOW64\sc.exe

sc delete RManService

C:\Windows\SysWOW64\sc.exe

sc delete VolumeDisk0

C:\Windows\SysWOW64\sc.exe

sc delete VDeviceCard

C:\Windows\SysWOW64\sc.exe

sc delete NPackStereo

C:\Windows\SysWOW64\sc.exe

sc delete ServiceWork

C:\Windows\SysWOW64\sc.exe

sc delete IntelDriver

C:\Windows\SysWOW64\sc.exe

sc delete AMIHardware

C:\Windows\SysWOW64\taskkill.exe

taskkill /im rfusclient.exe /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /im rutserv.exe /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\SystemVolume0\SysHardDisk" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "C:\ProgramData\WindowsVolume\config_set.reg"

C:\ProgramData\WindowsVolume\sysdisk.exe

"C:\ProgramData\WindowsVolume\sysdisk.exe" /silentinstall

C:\ProgramData\WindowsVolume\sysdisk.exe

"C:\ProgramData\WindowsVolume\sysdisk.exe" /firewall

C:\Windows\SysWOW64\regedit.exe

regedit /s "C:\ProgramData\WindowsVolume\config_set.reg"

C:\ProgramData\WindowsVolume\sysdisk.exe

"C:\ProgramData\WindowsVolume\sysdisk.exe" /start

C:\Windows\SysWOW64\sc.exe

sc config VolumeDisk0 obj= LocalSystem type= interact type= own

C:\ProgramData\WindowsVolume\sysdisk.exe

C:\ProgramData\WindowsVolume\sysdisk.exe

C:\Windows\SysWOW64\sc.exe

sc failure VolumeDisk0 reset= 0 actions= restart/500/restart/500/restart/500

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\ProgramData\WindowsVolume\*.*"

C:\ProgramData\WindowsVolume\volumedisk.exe

C:\ProgramData\WindowsVolume\volumedisk.exe /tray

C:\ProgramData\WindowsVolume\volumedisk.exe

C:\ProgramData\WindowsVolume\volumedisk.exe

C:\ProgramData\WindowsVolume\volumedisk.exe

C:\ProgramData\WindowsVolume\volumedisk.exe /tray

Network

Country Destination Domain Proto
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp

Files

C:\ProgramData\WindowsVolume\DiskServer.exe

C:\ProgramData\WindowsVolume\OpenDisk.exe

C:\ProgramData\WindowsVolume\File.exe

C:\ProgramData\WindowsVolume\File2.exe

C:\ProgramData\WindowsVolume\File3.exe

C:\ProgramData\WindowsVolume\DiskUpdate.exe

C:\ProgramData\WindowsVolume\DiskUpdate1.exe

C:\ProgramData\WindowsVolume\DiskInstall.bat

C:\ProgramData\WindowsVolume\config_set.reg

C:\ProgramData\WindowsVolume\sysdisk.exe

C:\ProgramData\WindowsVolume\russian.lg

C:\ProgramData\WindowsVolume\vp8encoder.dll

C:\ProgramData\WindowsVolume\volumedisk.exe

C:\ProgramData\WindowsVolume\vp8decoder.dll

C:\ProgramData\WindowsVolume\DiskInstall2.bat

C:\ProgramData\WindowsVolume\Diskpart.dat