Analysis Overview
SHA256
8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc
Threat Level: Known bad
The file 8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc was found to be: Known bad.
Malicious Activity Summary
RMS
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Executes dropped EXE
UPX packed file
Sets file to hidden
Stops running service(s)
Loads dropped DLL
Checks installed software on the system
Launches sc.exe
Enumerates physical storage devices
Kills process with taskkill
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Runs .reg file with regedit
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-24 14:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-24 14:55
Reported
2022-05-24 15:32
Platform
win7-20220414-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
RMS
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\WindowsVolume\DiskServer.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\OpenDisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\File.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\File2.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\File3.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\DiskUpdate.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\DiskUpdate1.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\volumedisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\volumedisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\volumedisk.exe | N/A |
Sets file to hidden
Stops running service(s)
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
Checks installed software on the system
Launches sc.exe
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\volumedisk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WindowsVolume\File2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsVolume\sysdisk.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc.exe
"C:\Users\Admin\AppData\Local\Temp\8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc.exe"
C:\ProgramData\WindowsVolume\DiskServer.exe
"C:\ProgramData\WindowsVolume\DiskServer.exe" -p834784734789789347892898943789787892
C:\ProgramData\WindowsVolume\OpenDisk.exe
"C:\ProgramData\WindowsVolume\OpenDisk.exe"
C:\ProgramData\WindowsVolume\File.exe
"C:\ProgramData\WindowsVolume\File.exe"
C:\ProgramData\WindowsVolume\File2.exe
"C:\ProgramData\WindowsVolume\File2.exe"
C:\ProgramData\WindowsVolume\File3.exe
"C:\ProgramData\WindowsVolume\File3.exe"
C:\ProgramData\WindowsVolume\DiskUpdate.exe
"C:\ProgramData\WindowsVolume\DiskUpdate.exe" -p78347834893489894237834783478785788989543536
C:\ProgramData\WindowsVolume\DiskUpdate1.exe
"C:\ProgramData\WindowsVolume\DiskUpdate1.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\WindowsVolume\DiskInstall.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\ProgramData\WindowsVolume"
C:\Windows\SysWOW64\sc.exe
sc stop RManService
C:\Windows\SysWOW64\sc.exe
sc stop VolumeDisk0
C:\Windows\SysWOW64\sc.exe
sc stop VDeviceCard
C:\Windows\SysWOW64\sc.exe
sc stop NPackStereo
C:\Windows\SysWOW64\sc.exe
sc stop ServiceWork
C:\Windows\SysWOW64\sc.exe
sc stop IntelDriver
C:\Windows\SysWOW64\sc.exe
sc stop AMIHardware
C:\Windows\SysWOW64\sc.exe
sc delete RManService
C:\Windows\SysWOW64\sc.exe
sc delete VolumeDisk0
C:\Windows\SysWOW64\sc.exe
sc delete VDeviceCard
C:\Windows\SysWOW64\sc.exe
sc delete NPackStereo
C:\Windows\SysWOW64\sc.exe
sc delete ServiceWork
C:\Windows\SysWOW64\sc.exe
sc delete IntelDriver
C:\Windows\SysWOW64\sc.exe
sc delete AMIHardware
C:\Windows\SysWOW64\taskkill.exe
taskkill /im rfusclient.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im rutserv.exe /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\SystemVolume0\SysHardDisk" /f
C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\ProgramData\WindowsVolume\config_set.reg"
C:\ProgramData\WindowsVolume\sysdisk.exe
"C:\ProgramData\WindowsVolume\sysdisk.exe" /silentinstall
C:\ProgramData\WindowsVolume\sysdisk.exe
"C:\ProgramData\WindowsVolume\sysdisk.exe" /firewall
C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\ProgramData\WindowsVolume\config_set.reg"
C:\Windows\SysWOW64\sc.exe
sc failure VolumeDisk0 reset= 0 actions= restart/500/restart/500/restart/500
C:\Windows\SysWOW64\sc.exe
sc config VolumeDisk0 obj= LocalSystem type= interact type= own
C:\ProgramData\WindowsVolume\sysdisk.exe
"C:\ProgramData\WindowsVolume\sysdisk.exe" /start
C:\ProgramData\WindowsVolume\sysdisk.exe
C:\ProgramData\WindowsVolume\sysdisk.exe
C:\ProgramData\WindowsVolume\volumedisk.exe
C:\ProgramData\WindowsVolume\volumedisk.exe
C:\ProgramData\WindowsVolume\volumedisk.exe
C:\ProgramData\WindowsVolume\volumedisk.exe /tray
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\ProgramData\WindowsVolume\*.*"
C:\ProgramData\WindowsVolume\volumedisk.exe
C:\ProgramData\WindowsVolume\volumedisk.exe /tray
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\ProgramData\WindowsVolume\File2.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| US | 8.8.8.8:53 | oldbet.ru | udp |
| RU | 31.177.80.70:80 | oldbet.ru | tcp |
Files
memory/548-54-0x0000000075D21000-0x0000000075D23000-memory.dmp
\ProgramData\WindowsVolume\DiskServer.exe
| MD5 | 54836054da86cdf2c6faf9902c999a19 |
| SHA1 | 2e4b2e3807d7db4dfbee403931dd200140ac5538 |
| SHA256 | 3419e24d04e32b7cb750b03f7de1fade3cba8ce93a7ac91597db6a3f43eb7419 |
| SHA512 | 96b4441abb02bd671694d4989785a82ebbdab7c8bba026b30905982f0fe764aca3c0de736132d43c66c1ca9b758873a687d315f69187c775f09971f60d62d5e7 |
memory/916-56-0x0000000000000000-mapping.dmp
C:\ProgramData\WindowsVolume\DiskServer.exe
| MD5 | 54836054da86cdf2c6faf9902c999a19 |
| SHA1 | 2e4b2e3807d7db4dfbee403931dd200140ac5538 |
| SHA256 | 3419e24d04e32b7cb750b03f7de1fade3cba8ce93a7ac91597db6a3f43eb7419 |
| SHA512 | 96b4441abb02bd671694d4989785a82ebbdab7c8bba026b30905982f0fe764aca3c0de736132d43c66c1ca9b758873a687d315f69187c775f09971f60d62d5e7 |
\ProgramData\WindowsVolume\OpenDisk.exe
| MD5 | 229c8ccea94ef0b27d3c183733abdc18 |
| SHA1 | df2da0ba2e2c1a0a8ef9827469268484e5c02a33 |
| SHA256 | 071d129408cc3753ddc186708972be1f78df79e560631f27c06eef43914847fa |
| SHA512 | a5803951d81a8f8490676e182588a5539ba6076a5f355c9c2ac0d1e35f1d5e36e852d3b7070d6d94c2b5a1c799effe538953267b916f2b438ccda1e3d4d097c2 |
memory/1196-63-0x0000000000000000-mapping.dmp
C:\ProgramData\WindowsVolume\OpenDisk.exe
| MD5 | 229c8ccea94ef0b27d3c183733abdc18 |
| SHA1 | df2da0ba2e2c1a0a8ef9827469268484e5c02a33 |
| SHA256 | 071d129408cc3753ddc186708972be1f78df79e560631f27c06eef43914847fa |
| SHA512 | a5803951d81a8f8490676e182588a5539ba6076a5f355c9c2ac0d1e35f1d5e36e852d3b7070d6d94c2b5a1c799effe538953267b916f2b438ccda1e3d4d097c2 |
\ProgramData\WindowsVolume\OpenDisk.exe
| MD5 | 229c8ccea94ef0b27d3c183733abdc18 |
| SHA1 | df2da0ba2e2c1a0a8ef9827469268484e5c02a33 |
| SHA256 | 071d129408cc3753ddc186708972be1f78df79e560631f27c06eef43914847fa |
| SHA512 | a5803951d81a8f8490676e182588a5539ba6076a5f355c9c2ac0d1e35f1d5e36e852d3b7070d6d94c2b5a1c799effe538953267b916f2b438ccda1e3d4d097c2 |
C:\ProgramData\WindowsVolume\OpenDisk.exe
| MD5 | 229c8ccea94ef0b27d3c183733abdc18 |
| SHA1 | df2da0ba2e2c1a0a8ef9827469268484e5c02a33 |
| SHA256 | 071d129408cc3753ddc186708972be1f78df79e560631f27c06eef43914847fa |
| SHA512 | a5803951d81a8f8490676e182588a5539ba6076a5f355c9c2ac0d1e35f1d5e36e852d3b7070d6d94c2b5a1c799effe538953267b916f2b438ccda1e3d4d097c2 |
\ProgramData\WindowsVolume\File.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
C:\ProgramData\WindowsVolume\File.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
\ProgramData\WindowsVolume\File.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
memory/576-71-0x0000000000000000-mapping.dmp
C:\ProgramData\WindowsVolume\File.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
memory/1940-76-0x0000000000000000-mapping.dmp
C:\ProgramData\WindowsVolume\File3.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
memory/1944-81-0x0000000000000000-mapping.dmp
\ProgramData\WindowsVolume\File3.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
C:\ProgramData\WindowsVolume\DiskUpdate.exe
| MD5 | b8d1cbe50014041985bf44c08c0482bb |
| SHA1 | 87dea8cac12c16f2ed17126560611ba1a0dfe7fe |
| SHA256 | 3be527e7c6ef1ee1f42320b713743b697de8492af356f49bd69946a1fd14ea66 |
| SHA512 | 495c7914b20abe50f7b72a1a5e64c86ff3a7d22831141ca8b12507e2937f279e29b27a25b88b7fbcf1d6d78b5b200e102523fa9c685d5d80ca2c806b629d89e9 |
C:\ProgramData\WindowsVolume\File2.exe
| MD5 | e4c489dba5c6a05ec636053388ff70c1 |
| SHA1 | ad2268260bc7370b39efc4a080b7a55c4d467942 |
| SHA256 | 86abf05a8baf4a901b76070a2380c0e429953c88e8c3a5edb9659ba10556087f |
| SHA512 | e188274f004dd2215d33b68e45e4a889f85f09ebc4be67fde489b87744daf434559f82375f432c23f25bc8316af189b85d90085a2fd58446e5c6e846f2170185 |
C:\ProgramData\WindowsVolume\File3.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
\ProgramData\WindowsVolume\File3.exe
| MD5 | 114f5bfb83d3c1a44dbf04aed9c458b5 |
| SHA1 | dc1fee3135992a572cd46896ffe68f9f9f4a4e86 |
| SHA256 | 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e |
| SHA512 | e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289 |
C:\ProgramData\WindowsVolume\File2.exe
| MD5 | e4c489dba5c6a05ec636053388ff70c1 |
| SHA1 | ad2268260bc7370b39efc4a080b7a55c4d467942 |
| SHA256 | 86abf05a8baf4a901b76070a2380c0e429953c88e8c3a5edb9659ba10556087f |
| SHA512 | e188274f004dd2215d33b68e45e4a889f85f09ebc4be67fde489b87744daf434559f82375f432c23f25bc8316af189b85d90085a2fd58446e5c6e846f2170185 |
\ProgramData\WindowsVolume\File2.exe
| MD5 | e4c489dba5c6a05ec636053388ff70c1 |
| SHA1 | ad2268260bc7370b39efc4a080b7a55c4d467942 |
| SHA256 | 86abf05a8baf4a901b76070a2380c0e429953c88e8c3a5edb9659ba10556087f |
| SHA512 | e188274f004dd2215d33b68e45e4a889f85f09ebc4be67fde489b87744daf434559f82375f432c23f25bc8316af189b85d90085a2fd58446e5c6e846f2170185 |
memory/852-87-0x0000000000000000-mapping.dmp
\ProgramData\WindowsVolume\DiskUpdate.exe
| MD5 | b8d1cbe50014041985bf44c08c0482bb |
| SHA1 | 87dea8cac12c16f2ed17126560611ba1a0dfe7fe |
| SHA256 | 3be527e7c6ef1ee1f42320b713743b697de8492af356f49bd69946a1fd14ea66 |
| SHA512 | 495c7914b20abe50f7b72a1a5e64c86ff3a7d22831141ca8b12507e2937f279e29b27a25b88b7fbcf1d6d78b5b200e102523fa9c685d5d80ca2c806b629d89e9 |
C:\ProgramData\WindowsVolume\DiskUpdate.exe
| MD5 | b8d1cbe50014041985bf44c08c0482bb |
| SHA1 | 87dea8cac12c16f2ed17126560611ba1a0dfe7fe |
| SHA256 | 3be527e7c6ef1ee1f42320b713743b697de8492af356f49bd69946a1fd14ea66 |
| SHA512 | 495c7914b20abe50f7b72a1a5e64c86ff3a7d22831141ca8b12507e2937f279e29b27a25b88b7fbcf1d6d78b5b200e102523fa9c685d5d80ca2c806b629d89e9 |
memory/1940-90-0x0000000000EF0000-0x0000000000EFA000-memory.dmp
\ProgramData\WindowsVolume\DiskUpdate1.exe
| MD5 | 6b1d852d23d46bae7b63a9407b24d78b |
| SHA1 | 3ddb8cfea4ace01bf9aabed72c8653247455ec60 |
| SHA256 | 5c042a873d6a914151ab65ad7c692f35dd78956a5507565560e01f884bcd2c2d |
| SHA512 | b8b34141414547673c812380b7aca11562ed9a15758b7677e84a8962234b5cc6f204386325c09025a537b465bfd46bb98b5b7a5c31497984b33bd8ba76ad875d |
memory/1840-94-0x0000000000000000-mapping.dmp
C:\ProgramData\WindowsVolume\DiskUpdate1.exe
| MD5 | 6b1d852d23d46bae7b63a9407b24d78b |
| SHA1 | 3ddb8cfea4ace01bf9aabed72c8653247455ec60 |
| SHA256 | 5c042a873d6a914151ab65ad7c692f35dd78956a5507565560e01f884bcd2c2d |
| SHA512 | b8b34141414547673c812380b7aca11562ed9a15758b7677e84a8962234b5cc6f204386325c09025a537b465bfd46bb98b5b7a5c31497984b33bd8ba76ad875d |
C:\ProgramData\WindowsVolume\DiskInstall.bat
| MD5 | a46bdedc1e6587433dc98119f338d175 |
| SHA1 | 01334536e159f71bc5bc1e7b7a0e75490c169c36 |
| SHA256 | 604b240dd5e0ae92578c785bf46888b93307588f00af62cf6296b2f1c86eeb50 |
| SHA512 | e8010ea23bb01e707342fab42fb3b73fc6f82d0abfdd0354f01ed68e7e05aafaed3991f7deb9bc368de3c36deec7dbc7e4fa4e1178134d9e941f0c77cb52a394 |
C:\ProgramData\WindowsVolume\DiskUpdate1.exe
| MD5 | 6b1d852d23d46bae7b63a9407b24d78b |
| SHA1 | 3ddb8cfea4ace01bf9aabed72c8653247455ec60 |
| SHA256 | 5c042a873d6a914151ab65ad7c692f35dd78956a5507565560e01f884bcd2c2d |
| SHA512 | b8b34141414547673c812380b7aca11562ed9a15758b7677e84a8962234b5cc6f204386325c09025a537b465bfd46bb98b5b7a5c31497984b33bd8ba76ad875d |
\ProgramData\WindowsVolume\DiskUpdate1.exe
| MD5 | 6b1d852d23d46bae7b63a9407b24d78b |
| SHA1 | 3ddb8cfea4ace01bf9aabed72c8653247455ec60 |
| SHA256 | 5c042a873d6a914151ab65ad7c692f35dd78956a5507565560e01f884bcd2c2d |
| SHA512 | b8b34141414547673c812380b7aca11562ed9a15758b7677e84a8962234b5cc6f204386325c09025a537b465bfd46bb98b5b7a5c31497984b33bd8ba76ad875d |
memory/1452-100-0x0000000000000000-mapping.dmp
memory/808-102-0x0000000000000000-mapping.dmp
memory/1548-104-0x0000000000000000-mapping.dmp
memory/1164-106-0x0000000000000000-mapping.dmp
memory/1680-108-0x0000000000000000-mapping.dmp
memory/672-110-0x0000000000000000-mapping.dmp
memory/1768-112-0x0000000000000000-mapping.dmp
memory/1532-114-0x0000000000000000-mapping.dmp
memory/1844-116-0x0000000000000000-mapping.dmp
memory/1484-118-0x0000000000000000-mapping.dmp
memory/876-120-0x0000000000000000-mapping.dmp
memory/1676-122-0x0000000000000000-mapping.dmp
memory/2028-124-0x0000000000000000-mapping.dmp
memory/1772-126-0x0000000000000000-mapping.dmp
memory/596-128-0x0000000000000000-mapping.dmp
memory/1712-130-0x0000000000000000-mapping.dmp
memory/1192-132-0x0000000000000000-mapping.dmp
memory/1196-134-0x0000000000000000-mapping.dmp
memory/1836-136-0x0000000000000000-mapping.dmp
memory/2016-138-0x0000000000000000-mapping.dmp
C:\ProgramData\WindowsVolume\config_set.reg
| MD5 | 414c6b489ecaf832f3e457d8cb916cf2 |
| SHA1 | ece8a342cfb3912cfc823e1866f73fc56bbe542d |
| SHA256 | 9b0ec9a5173c9835629d497478d29f9bea792b7a5da55c343faa8347c55d6034 |
| SHA512 | d858b2a1e8fb42298e9dab6287a7c6c7418adfcc19961d70c0dd07b5f65d6c5d9a3472699aaea7021c957afd181b114ff02d9a52f1373d9c12413ce5f0b6eacd |
\ProgramData\WindowsVolume\sysdisk.exe
| MD5 | 4e5d6b099b69fb935da7e0e7a4df8b26 |
| SHA1 | 5643d2dbde01664012a6022725982f59973e12fb |
| SHA256 | 95ded19857c297d099f511353ef3ac1ea87a7cbacf875eea17d897b092745e4b |
| SHA512 | 758af77fbb5144a173109ccadb781a43d662fdfd3f2c084eb2a7c4aa46aaaa87cd85b3f27ac6bd4f0808d8e4a370a5b10f4dd404960c438f7872fc7ed1e7b550 |
C:\ProgramData\WindowsVolume\sysdisk.exe
| MD5 | 4e5d6b099b69fb935da7e0e7a4df8b26 |
| SHA1 | 5643d2dbde01664012a6022725982f59973e12fb |
| SHA256 | 95ded19857c297d099f511353ef3ac1ea87a7cbacf875eea17d897b092745e4b |
| SHA512 | 758af77fbb5144a173109ccadb781a43d662fdfd3f2c084eb2a7c4aa46aaaa87cd85b3f27ac6bd4f0808d8e4a370a5b10f4dd404960c438f7872fc7ed1e7b550 |
memory/1936-143-0x0000000000000000-mapping.dmp
C:\ProgramData\WindowsVolume\sysdisk.exe
| MD5 | 4e5d6b099b69fb935da7e0e7a4df8b26 |
| SHA1 | 5643d2dbde01664012a6022725982f59973e12fb |
| SHA256 | 95ded19857c297d099f511353ef3ac1ea87a7cbacf875eea17d897b092745e4b |
| SHA512 | 758af77fbb5144a173109ccadb781a43d662fdfd3f2c084eb2a7c4aa46aaaa87cd85b3f27ac6bd4f0808d8e4a370a5b10f4dd404960c438f7872fc7ed1e7b550 |
\ProgramData\WindowsVolume\sysdisk.exe
| MD5 | 4e5d6b099b69fb935da7e0e7a4df8b26 |
| SHA1 | 5643d2dbde01664012a6022725982f59973e12fb |
| SHA256 | 95ded19857c297d099f511353ef3ac1ea87a7cbacf875eea17d897b092745e4b |
| SHA512 | 758af77fbb5144a173109ccadb781a43d662fdfd3f2c084eb2a7c4aa46aaaa87cd85b3f27ac6bd4f0808d8e4a370a5b10f4dd404960c438f7872fc7ed1e7b550 |
C:\ProgramData\WindowsVolume\sysdisk.exe
| MD5 | 4e5d6b099b69fb935da7e0e7a4df8b26 |
| SHA1 | 5643d2dbde01664012a6022725982f59973e12fb |
| SHA256 | 95ded19857c297d099f511353ef3ac1ea87a7cbacf875eea17d897b092745e4b |
| SHA512 | 758af77fbb5144a173109ccadb781a43d662fdfd3f2c084eb2a7c4aa46aaaa87cd85b3f27ac6bd4f0808d8e4a370a5b10f4dd404960c438f7872fc7ed1e7b550 |
memory/1472-147-0x0000000000000000-mapping.dmp
memory/840-150-0x0000000000000000-mapping.dmp
memory/1992-152-0x0000000000000000-mapping.dmp
memory/1568-154-0x0000000000000000-mapping.dmp
\ProgramData\WindowsVolume\sysdisk.exe
| MD5 | 4e5d6b099b69fb935da7e0e7a4df8b26 |
| SHA1 | 5643d2dbde01664012a6022725982f59973e12fb |
| SHA256 | 95ded19857c297d099f511353ef3ac1ea87a7cbacf875eea17d897b092745e4b |
| SHA512 | 758af77fbb5144a173109ccadb781a43d662fdfd3f2c084eb2a7c4aa46aaaa87cd85b3f27ac6bd4f0808d8e4a370a5b10f4dd404960c438f7872fc7ed1e7b550 |
memory/360-157-0x0000000000000000-mapping.dmp
C:\ProgramData\WindowsVolume\sysdisk.exe
| MD5 | 4e5d6b099b69fb935da7e0e7a4df8b26 |
| SHA1 | 5643d2dbde01664012a6022725982f59973e12fb |
| SHA256 | 95ded19857c297d099f511353ef3ac1ea87a7cbacf875eea17d897b092745e4b |
| SHA512 | 758af77fbb5144a173109ccadb781a43d662fdfd3f2c084eb2a7c4aa46aaaa87cd85b3f27ac6bd4f0808d8e4a370a5b10f4dd404960c438f7872fc7ed1e7b550 |
C:\ProgramData\WindowsVolume\russian.lg
| MD5 | e44e34bc285b709f08f967325d9c8be1 |
| SHA1 | e73f05c6a980ec9d006930c5343955f89579b409 |
| SHA256 | 1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b |
| SHA512 | 576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727 |
C:\ProgramData\WindowsVolume\volumedisk.exe
| MD5 | c51216743d2fddc2e8c67f092b7f862d |
| SHA1 | 04fd9048253180784459592f5ebe6442f46898f1 |
| SHA256 | 101fd99a66cfe6b41762962f91517d00df85d60eb65fb4a013f52260e6219a94 |
| SHA512 | b26b3e376ea03c53ad0a36b99ee672bbd5c4c1c9f0e77d8af6a492d6cf2df5a2090e64b155a171ced7ea12b4c5d8895828f174f9434394400bd95368e144e2e4 |
C:\ProgramData\WindowsVolume\vp8encoder.dll
| MD5 | dab4646806dfca6d0e0b4d80fa9209d6 |
| SHA1 | 8244dfe22ec2090eee89dad103e6b2002059d16a |
| SHA256 | cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587 |
| SHA512 | aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7 |
C:\ProgramData\WindowsVolume\vp8decoder.dll
| MD5 | d43fa82fab5337ce20ad14650085c5d9 |
| SHA1 | 678aa092075ff65b6815ffc2d8fdc23af8425981 |
| SHA256 | c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b |
| SHA512 | 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d |
\ProgramData\WindowsVolume\volumedisk.exe
| MD5 | c51216743d2fddc2e8c67f092b7f862d |
| SHA1 | 04fd9048253180784459592f5ebe6442f46898f1 |
| SHA256 | 101fd99a66cfe6b41762962f91517d00df85d60eb65fb4a013f52260e6219a94 |
| SHA512 | b26b3e376ea03c53ad0a36b99ee672bbd5c4c1c9f0e77d8af6a492d6cf2df5a2090e64b155a171ced7ea12b4c5d8895828f174f9434394400bd95368e144e2e4 |
memory/876-168-0x0000000000000000-mapping.dmp
memory/1716-169-0x0000000000000000-mapping.dmp
C:\ProgramData\WindowsVolume\volumedisk.exe
| MD5 | c51216743d2fddc2e8c67f092b7f862d |
| SHA1 | 04fd9048253180784459592f5ebe6442f46898f1 |
| SHA256 | 101fd99a66cfe6b41762962f91517d00df85d60eb65fb4a013f52260e6219a94 |
| SHA512 | b26b3e376ea03c53ad0a36b99ee672bbd5c4c1c9f0e77d8af6a492d6cf2df5a2090e64b155a171ced7ea12b4c5d8895828f174f9434394400bd95368e144e2e4 |
C:\ProgramData\WindowsVolume\DiskInstall2.bat
| MD5 | 52d57e611e45ceae3107a9606c798df8 |
| SHA1 | a559ee95833113e022c4e5116508641847e31dd3 |
| SHA256 | 1511fc19a2f4a670f7ced8ff7980bb0f8eb5ef840c0c116fc96ec3b241a588e7 |
| SHA512 | 1c86c712988c97fab61461dfd6cc67912d11e1816af8e96f7a2432a591097e1182b179be0555c80cfbedb9441beeac526398b54fac4f49af1fed7dde75030306 |
memory/1920-175-0x0000000000000000-mapping.dmp
C:\ProgramData\WindowsVolume\Diskpart.dat
| MD5 | 1a18270fb3fd76df0d01087e99dddcc6 |
| SHA1 | 26732b781736ed80654e3a41839b50e3d2e36db5 |
| SHA256 | fb9b9ae62c41448d117cbc468b2bf4eebb0665605cb864f28822f2b71f78dbda |
| SHA512 | 63d260f4972c6a403af97c3c6e371f516a5d3fbc1090bfe2b41b4dd88ff900b98217fb2225b53948fc480c33d1b9753bbf1e4a4df1613069f0f211a556a95f19 |
memory/1984-178-0x0000000000000000-mapping.dmp
C:\ProgramData\WindowsVolume\volumedisk.exe
| MD5 | c51216743d2fddc2e8c67f092b7f862d |
| SHA1 | 04fd9048253180784459592f5ebe6442f46898f1 |
| SHA256 | 101fd99a66cfe6b41762962f91517d00df85d60eb65fb4a013f52260e6219a94 |
| SHA512 | b26b3e376ea03c53ad0a36b99ee672bbd5c4c1c9f0e77d8af6a492d6cf2df5a2090e64b155a171ced7ea12b4c5d8895828f174f9434394400bd95368e144e2e4 |
memory/800-181-0x0000000000000000-mapping.dmp
memory/1840-183-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-24 14:55
Reported
2022-05-24 15:32
Platform
win10v2004-20220414-en
Max time network
168s
Command Line
Signatures
RMS
Processes
Network
| Country | Destination | Domain | Proto |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| US | 20.42.73.26:443 | | tcp |
| GB | 92.123.143.240:80 | | tcp |
| GB | 92.123.143.240:80 | | tcp |
| GB | 92.123.143.240:80 | | tcp |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |