Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    11-05-2022 14:29

General

  • Target

    3f7dab7cdfdb383c4d7b5f950e1336eb41e3288c958ba4936419d41a40bbd31c.exe

  • Size

    4.4MB

  • MD5

    e9f2ee42a89a766fdf4d2e7a210e4c9d

  • SHA1

    a8129abd67e4f89ddb6abd0ffbf6ff4a6a7dfee5

  • SHA256

    3f7dab7cdfdb383c4d7b5f950e1336eb41e3288c958ba4936419d41a40bbd31c

  • SHA512

    ecbc01684ca05081206f5805ff9894eda21421c7fcd21c8aab0717adb97e4d5d65d5d26d63e056899a5dc62852c4799691000cb6ae4fcf966faa309e71ffa35c

Score
10/10

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • Executes dropped EXE 9 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 21 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 3 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies registry class 2 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f7dab7cdfdb383c4d7b5f950e1336eb41e3288c958ba4936419d41a40bbd31c.exe
    "C:\Users\Admin\AppData\Local\Temp\3f7dab7cdfdb383c4d7b5f950e1336eb41e3288c958ba4936419d41a40bbd31c.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4168
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\control\start.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4588
      • C:\Users\Admin\AppData\Roaming\Windows\control\run.exe
        "C:\Users\Admin\AppData\Roaming\Windows\control\run.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3092
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
          4⤵
          PID:2100
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ytmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ytmp"
          4⤵
          PID:1696
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1872
          • C:\Windows\SysWOW64\attrib.exe
            attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
            5⤵
            • Views/modifies file attributes
            PID:1796
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          4⤵
          PID:4832
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          4⤵
          PID:3288
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          4⤵
          PID:1052
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          4⤵
          PID:752
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          4⤵
          PID:1624
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          4⤵
          PID:4444
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          4⤵
          PID:1016
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp95297.bat" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp95297.bat"
          4⤵
          PID:1372
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp84107.exe" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp84107.exe"
          4⤵
          PID:3948
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytmp\tmp95297.bat "C:\Users\Admin\AppData\Roaming\Windows\control\run.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3264
          • C:\Users\Admin\AppData\Roaming\Windows\control\data.exe
            data.exe -p4387548329574239857234 -d C:\Log
            5⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4060
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Log\start.vbs"
              6⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:3500
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Log\install.bat" "
                7⤵
                • Drops file in Program Files directory
                • Suspicious use of WriteProcessMemory
                PID:3756
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im rutserv.exe
                  8⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2556
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im rfusclient.exe
                  8⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1740
                • C:\Windows\SysWOW64\reg.exe
                  reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
                  8⤵
                  PID:2140
                • C:\Windows\SysWOW64\attrib.exe
                  attrib +s +h "C:\Program Files\RMS"
                  8⤵
                  • Drops file in Program Files directory
                  • Views/modifies file attributes
                  PID:4352
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  8⤵
                  • Delays execution with timeout.exe
                  PID:1880
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 2
                  8⤵
                  • Delays execution with timeout.exe
                  PID:4452
                • C:\Windows\SysWOW64\attrib.exe
                  attrib +s +h "C:\Program Files\RMS\*.*"
                  8⤵
                  • Drops file in Program Files directory
                  • Views/modifies file attributes
                  PID:2468
                • C:\Windows\SysWOW64\attrib.exe
                  attrib -s -h "C:\Program Files\RMS\rfusclient.exe"
                  8⤵
                  • Drops file in Program Files directory
                  • Views/modifies file attributes
                  PID:4880
                • C:\Windows\SysWOW64\attrib.exe
                  attrib -s -h "C:\Program Files\RMS\rutserv.exe"
                  8⤵
                  • Drops file in Program Files directory
                  • Views/modifies file attributes
                  PID:5032
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s regedit.reg
                  8⤵
                  • Runs .reg file with regedit
                  PID:3236
                • C:\Program Files\RMS\rutserv.exe
                  rutserv.exe /silentinstall
                  8⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:3136
                • C:\Program Files\RMS\rutserv.exe
                  rutserv.exe /firewall
                  8⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  PID:3104
                • C:\Program Files\RMS\rutserv.exe
                  rutserv.exe /start
                  8⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:2760
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 3
                  8⤵
                  • Delays execution with timeout.exe
                  PID:312
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp95297.bat" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp95297.bat"
          4⤵
          PID:2012
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp84107.exe" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp84107.exe"
          4⤵
          PID:4568
  • C:\Program Files\RMS\rutserv.exe
    "C:\Program Files\RMS\rutserv.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:660
    • C:\Program Files\RMS\rfusclient.exe
      "C:\Program Files\RMS\rfusclient.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:768
      • C:\Program Files\RMS\rfusclient.exe
        "C:\Program Files\RMS\rfusclient.exe" /tray
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: SetClipboardViewer
        PID:2340
    • C:\Program Files\RMS\rfusclient.exe
      "C:\Program Files\RMS\rfusclient.exe" /tray
      2⤵
      • Executes dropped EXE
      PID:1312

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Log\install.bat
    Filesize
    959B
    MD5
    f02f205c3aa7e6344e02d9ae24e0c1d8
    SHA1
    922a9ac42cfe6cf4a8c92b1c8f0966aa06bd16db
    SHA256
    e7a8b3a79a24e96abdbc31fa6e5888d9a7486f161fd99aa0211d39856bcd8f99
    SHA512
    8af98e7d161eb0bb90d8eee6f5ec424c029a62ae04fa6787de926044008db09f4a62eea2cf69c889cec219114d45fd15f0a729a27a688c5275b545f4280cfa9a

  • C:\Log\regedit.reg
    Filesize
    12KB
    MD5
    3591fbf25f928d5725be8472f49bcf31
    SHA1
    c0e3fa698fdbbdcd9a5f87d9c2119376ae4b91eb
    SHA256
    1ee3d52956d8fee25a83003b9cc05d959c823dc13d538a9e6f4e8c78b96d305e
    SHA512
    52f6c91c1cdd7dea78c4699b04496745f31b37c37938f23b554c19e9c9b9b6a77991a7829bc7612daaa9246aa0e23d382aeb48d2f81f6e90e4242a4796b96b60

  • C:\Log\rfusclient.exe
    Filesize
    5.1MB
    MD5
    e3c15e4d44c2b546d640b5808a9a2818
    SHA1
    090f6f75558614f19b970df39ebe1a87185f5a0c
    SHA256
    b6daf91fc45307fff001a61b9402ad19bd59dd72541427d39207991be6679219
    SHA512
    c5864116e95533d599ab8ee9a36b71ea38275fcc5e076489116cc1caea31fdd0c81cf2b5ea43e244ee38a92099e0388a042c7604f1deb2e4c6caf29a3314a494

  • C:\Log\russian.lg
    Filesize
    48KB
    MD5
    37b80cc200e62cdb350f7c86ee61264c
    SHA1
    35885999a4dc527dfc6d67079c5f82dd4759d78d
    SHA256
    5c394e7f7e6571ea2de8ebf23d087d452ccfda4b7468db793ce11cafac3e92a1
    SHA512
    7c1831fdf6584eab78d63245295014ab9361fbfe30c4304c11b4d8ce3eca784d2528c3a3d5183bc05118ab4054ae90cfcfe6a7b1f666839dc45acf5bc4ac2481

  • C:\Log\rutserv.exe
    Filesize
    6.0MB
    MD5
    8f6e38cc55206473121c8bf63fcbcf2d
    SHA1
    35504ce4bc1cea9e737a3be108cd428ab2251e1d
    SHA256
    fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
    SHA512
    083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

  • C:\Log\start.vbs
    Filesize
    117B
    MD5
    65fc32766a238ff3e95984e325357dbb
    SHA1
    3ac16a2648410be8aa75f3e2817fbf69bb0e8922
    SHA256
    a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420
    SHA512
    621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

  • C:\Log\vp8decoder.dll
    Filesize
    378KB
    MD5
    d43fa82fab5337ce20ad14650085c5d9
    SHA1
    678aa092075ff65b6815ffc2d8fdc23af8425981
    SHA256
    c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
    SHA512
    103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

  • C:\Log\vp8encoder.dll
    Filesize
    1.6MB
    MD5
    dab4646806dfca6d0e0b4d80fa9209d6
    SHA1
    8244dfe22ec2090eee89dad103e6b2002059d16a
    SHA256
    cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
    SHA512
    aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

  • C:\Program Files\RMS\regedit.reg
    Filesize
    12KB
    MD5
    3591fbf25f928d5725be8472f49bcf31
    SHA1
    c0e3fa698fdbbdcd9a5f87d9c2119376ae4b91eb
    SHA256
    1ee3d52956d8fee25a83003b9cc05d959c823dc13d538a9e6f4e8c78b96d305e
    SHA512
    52f6c91c1cdd7dea78c4699b04496745f31b37c37938f23b554c19e9c9b9b6a77991a7829bc7612daaa9246aa0e23d382aeb48d2f81f6e90e4242a4796b96b60

  • C:\Program Files\RMS\rfusclient.exe
    Filesize
    5.1MB
    MD5
    e3c15e4d44c2b546d640b5808a9a2818
    SHA1
    090f6f75558614f19b970df39ebe1a87185f5a0c
    SHA256
    b6daf91fc45307fff001a61b9402ad19bd59dd72541427d39207991be6679219
    SHA512
    c5864116e95533d599ab8ee9a36b71ea38275fcc5e076489116cc1caea31fdd0c81cf2b5ea43e244ee38a92099e0388a042c7604f1deb2e4c6caf29a3314a494

  • C:\Program Files\RMS\russian.lg
    Filesize
    48KB
    MD5
    37b80cc200e62cdb350f7c86ee61264c
    SHA1
    35885999a4dc527dfc6d67079c5f82dd4759d78d
    SHA256
    5c394e7f7e6571ea2de8ebf23d087d452ccfda4b7468db793ce11cafac3e92a1
    SHA512
    7c1831fdf6584eab78d63245295014ab9361fbfe30c4304c11b4d8ce3eca784d2528c3a3d5183bc05118ab4054ae90cfcfe6a7b1f666839dc45acf5bc4ac2481

  • C:\Program Files\RMS\rutserv.exe
    Filesize
    6.0MB
    MD5
    8f6e38cc55206473121c8bf63fcbcf2d
    SHA1
    35504ce4bc1cea9e737a3be108cd428ab2251e1d
    SHA256
    fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
    SHA512
    083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

  • C:\Program Files\RMS\vp8decoder.dll
    Filesize
    378KB
    MD5
    d43fa82fab5337ce20ad14650085c5d9
    SHA1
    678aa092075ff65b6815ffc2d8fdc23af8425981
    SHA256
    c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
    SHA512
    103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

  • C:\Program Files\RMS\vp8encoder.dll
    Filesize
    1.6MB
    MD5
    dab4646806dfca6d0e0b4d80fa9209d6
    SHA1
    8244dfe22ec2090eee89dad103e6b2002059d16a
    SHA256
    cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
    SHA512
    aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

  • C:\Users\Admin\AppData\Local\Temp\ytmp\tmp84107.exe
    Filesize
    15B
    MD5
    3c52638971ead82b5929d605c1314ee0
    SHA1
    7318148a40faca203ac402dff51bbb04e638545c
    SHA256
    5614459ec05fdf6110fa8ce54c34e859671eeffba2b7bb4b1ad6c2c6706855ab
    SHA512
    46f85f730e3ca9a57f51416c6ab4d03f868f895568eee8f7943cd249b2f71d2a3e83c34e7132715c983d3efaa865a9cb599a4278c911130a0a6948a535c0573b

  • C:\Users\Admin\AppData\Local\Temp\ytmp\tmp95297.bat
    Filesize
    231B
    MD5
    caf7610cfd469cdbb59237fdf31d8e02
    SHA1
    927e261261340f1677a6852d77a2c5cec71be5d6
    SHA256
    882b10b5718f1d5fa8e496fc16838c9f3e48e14a093122ec20c4ecdc94cd765c
    SHA512
    2579c7dde9fc90642490ccbf4e81a1293da1c7eddc81125f66b662fb252c2a188c63776712ee063a365f581483a2520b47a41600542bbb3334c54a37eb6a9f26

  • C:\Users\Admin\AppData\Roaming\Windows\control\data.exe
    Filesize
    4.2MB
    MD5
    fe67f3e0cd5756ed00ab17769f2223a5
    SHA1
    78ac681f434170e022679972c135138b2ebd53ad
    SHA256
    461d28c0e30a9d517ccec017eb70e127696d7d088b551b4dc6961b1055c35975
    SHA512
    30fa4d9206698377d969d04eba1c846a5dcad1911a54b371a63084e0b96a96300910723146ca4bf7bae1ce44b911baea6abc5799918bb0aa7f8be7ffab443fbf

                              • C:\Users\Admin\AppData\Roaming\Windows\control\run.exe
                                Filesize 96KB
                                MD5 5f56f53c24ea5f9bda096511228c9e40
                                SHA1 1103ed5f6571a334dfae63fefeb0d1f3a2a616c2
                                SHA256 4ae925d4b3bb61c460e8a91174e5d3a0e24df5c7d660ed63bce3272c91359ba4
                                SHA512 a621859008c1f38f0c9ea53dbbfc82ccdca9bcdf402d2ac868a202f2bb39d4cef5338cf69df30980aa4d5bea0c062f4be26f00f3b56979920863445e980f4ecb

                              • C:\Users\Admin\AppData\Roaming\Windows\control\start.vbs
                                Filesize 113B
                                MD5 7c274b85448ea218e5c6d5521876f698
                                SHA1 bdd771453446e1e8654985f5c4b7ebb0bb9ada4d
                                SHA256 427b7d229ae6a8717edb0e5cc156c2025d0d737400d6a22d5de9d4504b7b3185
                                SHA512 3c0a482e3f5b628cccae9730fb7fbf2f9e8c6fb7d8c52d39beffe8b3a3de184d2df6d5fa412801eca6cf80a7ee8109394e4918c467af88dac767462f01051df6
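The dropped-file list above is an indicator set: paths under the sandbox user's profile plus the digests of what was written there. The script below is an added example, not part of the sandbox report, showing how a responder would sweep a host for these files. Only the paths and MD5/SHA1/SHA256 values are copied from the report; the `C:\Users` profile layout, the hypothetical `retarget`/`sweep` helpers and the decision to treat SHA256 as the authoritative match (MD5 and SHA1 are collision-prone and are kept only for cross-checking against other tools) are assumptions of the example, as is the practice of ignoring the report's rounded file sizes.

```python
"""Sweep a Windows host for the files dropped in the sandbox run.

Added example; not code from the report or from the sample. The digests and
sandbox paths are transcribed from the report, everything else is assumed.
"""
import hashlib
import os

# The sandbox ran the sample as the user "Admin"; every dropped path starts
# with this profile root and must be rewritten for each real user profile.
SANDBOX_PROFILE = r"C:\Users\Admin"

# Indicators transcribed from the report above (MD5/SHA1/SHA256 only).
DROPPED_FILES = {
    r"C:\Users\Admin\AppData\Local\Temp\ytmp\tmp95297.bat": {
        "md5": "caf7610cfd469cdbb59237fdf31d8e02",
        "sha1": "927e261261340f1677a6852d77a2c5cec71be5d6",
        "sha256": "882b10b5718f1d5fa8e496fc16838c9f3e48e14a093122ec20c4ecdc94cd765c",
    },
    r"C:\Users\Admin\AppData\Roaming\Windows\control\data.exe": {
        "md5": "fe67f3e0cd5756ed00ab17769f2223a5",
        "sha1": "78ac681f434170e022679972c135138b2ebd53ad",
        "sha256": "461d28c0e30a9d517ccec017eb70e127696d7d088b551b4dc6961b1055c35975",
    },
    r"C:\Users\Admin\AppData\Roaming\Windows\control\run.exe": {
        "md5": "5f56f53c24ea5f9bda096511228c9e40",
        "sha1": "1103ed5f6571a334dfae63fefeb0d1f3a2a616c2",
        "sha256": "4ae925d4b3bb61c460e8a91174e5d3a0e24df5c7d660ed63bce3272c91359ba4",
    },
    r"C:\Users\Admin\AppData\Roaming\Windows\control\start.vbs": {
        "md5": "7c274b85448ea218e5c6d5521876f698",
        "sha1": "bdd771453446e1e8654985f5c4b7ebb0bb9ada4d",
        "sha256": "427b7d229ae6a8717edb0e5cc156c2025d0d737400d6a22d5de9d4504b7b3185",
    },
}


def digests(data, algos):
    """Return {algo: hexdigest} for an in-memory byte string."""
    return {a: hashlib.new(a, data).hexdigest() for a in algos}


def check_bytes(data, expected):
    """Set of algorithms in `expected` whose digest matches `data`.

    Digest comparison is case-insensitive so copy-pasted upper-case hashes
    from other reports still match.
    """
    actual = digests(data, tuple(expected))
    return {a for a in expected if actual[a] == expected[a].lower()}


def check_file(path, expected):
    """None if the file is absent, otherwise the set of matching algorithms.

    The file is read whole; the largest indicator here is about 4 MB, so a
    streaming hash is not needed for this indicator set.
    """
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return check_bytes(fh.read(), expected)


def retarget(path, sandbox_root=SANDBOX_PROFILE, new_root=None):
    """Rewrite the sandbox profile prefix to another user's profile."""
    if new_root is None or not path.lower().startswith(sandbox_root.lower()):
        return path
    return new_root + path[len(sandbox_root):]


def sweep(iocs=DROPPED_FILES, users_root=r"C:\Users"):
    """Check every indicator under every profile in users_root.

    Returns {real_path: None | set_of_matching_algorithms}. A present file
    with an empty set is still worth a look: the path itself
    (AppData\\Roaming\\Windows\\control\\) is not something Windows creates.
    """
    if not os.path.isdir(users_root):
        return {}
    roots = [os.path.join(users_root, d) for d in os.listdir(users_root)]
    results = {}
    for sandbox_path, expected in iocs.items():
        for root in roots:
            real = retarget(sandbox_path, SANDBOX_PROFILE, root)
            results[real] = check_file(real, expected)
    return results


if __name__ == "__main__":
    for real_path, matched in sweep().items():
        if matched is None:
            continue  # absent; only report what exists
        verdict = "MATCH" if "sha256" in matched else "present, content differs"
        print(f"{verdict}: {real_path} ({sorted(matched)})")
```

Run it from an elevated PowerShell prompt so every profile under C:\Users is readable; a file that is present but whose SHA256 does not match is reported separately, since a rebuilt or re-packed `data.exe` in the same directory is as interesting to the responder as an exact hash hit.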

                              • memory/312-189-0x0000000000000000-mapping.dmp

                              • memory/752-142-0x0000000000000000-mapping.dmp

                              • memory/768-192-0x0000000000000000-mapping.dmp

                              • memory/1016-145-0x0000000000000000-mapping.dmp

                              • memory/1052-141-0x0000000000000000-mapping.dmp

                              • memory/1312-190-0x0000000000000000-mapping.dmp

                              • memory/1372-146-0x0000000000000000-mapping.dmp

                              • memory/1624-143-0x0000000000000000-mapping.dmp

                              • memory/1696-136-0x0000000000000000-mapping.dmp

                              • memory/1740-161-0x0000000000000000-mapping.dmp

                              • memory/1796-138-0x0000000000000000-mapping.dmp

                              • memory/1872-137-0x0000000000000000-mapping.dmp

                              • memory/1880-165-0x0000000000000000-mapping.dmp

                              • memory/2012-157-0x0000000000000000-mapping.dmp

                              • memory/2100-135-0x0000000000000000-mapping.dmp

                              • memory/2140-162-0x0000000000000000-mapping.dmp

                              • memory/2340-194-0x0000000000000000-mapping.dmp

                              • memory/2468-172-0x0000000000000000-mapping.dmp

                              • memory/2556-160-0x0000000000000000-mapping.dmp

                              • memory/2760-186-0x0000000000000000-mapping.dmp

                              • memory/3092-133-0x0000000000000000-mapping.dmp

                              • memory/3104-184-0x0000000000000000-mapping.dmp

                              • memory/3136-182-0x0000000000000000-mapping.dmp

                              • memory/3236-181-0x0000000000000000-mapping.dmp

                              • memory/3264-148-0x0000000000000000-mapping.dmp

                              • memory/3288-140-0x0000000000000000-mapping.dmp

                              • memory/3500-153-0x0000000000000000-mapping.dmp

                              • memory/3756-156-0x0000000000000000-mapping.dmp

                              • memory/3948-147-0x0000000000000000-mapping.dmp

                              • memory/4060-150-0x0000000000000000-mapping.dmp

                              • memory/4352-163-0x0000000000000000-mapping.dmp

                              • memory/4444-144-0x0000000000000000-mapping.dmp

                              • memory/4452-166-0x0000000000000000-mapping.dmp

                              • memory/4568-158-0x0000000000000000-mapping.dmp

                              • memory/4588-130-0x0000000000000000-mapping.dmp

                              • memory/4832-139-0x0000000000000000-mapping.dmp

                              • memory/4880-179-0x0000000000000000-mapping.dmp

                              • memory/5032-180-0x0000000000000000-mapping.dmp