Malware Analysis Report

2024-11-13 16:20

Sample ID 220524-sak1wsfcc4
Target 8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc
SHA256 8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc
Tags
rms discovery evasion rat suricata trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc

Threat Level: Known bad

The file 8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc was found to be: Known bad.

Malicious Activity Summary

rms discovery evasion rat suricata trojan upx

RMS

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

Executes dropped EXE

UPX packed file

Sets file to hidden

Stops running service(s)

Loads dropped DLL

Checks installed software on the system

Launches sc.exe

Enumerates physical storage devices

Kills process with taskkill

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Runs .reg file with regedit

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-24 14:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-24 14:55

Reported

2022-05-24 15:32

Platform

win7-20220414-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc.exe"

Signatures

RMS

trojan rat rms

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

suricata

Sets file to hidden

evasion

Stops running service(s)

evasion

UPX packed file

upx

Checks installed software on the system

discovery

Launches sc.exe

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\WindowsVolume\sysdisk.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\WindowsVolume\sysdisk.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\WindowsVolume\sysdisk.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\WindowsVolume\File2.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\ProgramData\WindowsVolume\sysdisk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 548 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc.exe C:\ProgramData\WindowsVolume\DiskServer.exe
PID 916 wrote to memory of 1196 N/A C:\ProgramData\WindowsVolume\DiskServer.exe C:\ProgramData\WindowsVolume\OpenDisk.exe
PID 1196 wrote to memory of 576 N/A C:\ProgramData\WindowsVolume\OpenDisk.exe C:\ProgramData\WindowsVolume\File.exe
PID 1196 wrote to memory of 1940 N/A C:\ProgramData\WindowsVolume\OpenDisk.exe C:\ProgramData\WindowsVolume\File2.exe
PID 1196 wrote to memory of 1944 N/A C:\ProgramData\WindowsVolume\OpenDisk.exe C:\ProgramData\WindowsVolume\File3.exe
PID 1196 wrote to memory of 852 N/A C:\ProgramData\WindowsVolume\OpenDisk.exe C:\ProgramData\WindowsVolume\DiskUpdate.exe
PID 852 wrote to memory of 1840 N/A C:\ProgramData\WindowsVolume\DiskUpdate.exe C:\ProgramData\WindowsVolume\DiskUpdate1.exe
PID 1840 wrote to memory of 1452 N/A C:\ProgramData\WindowsVolume\DiskUpdate1.exe C:\Windows\SysWOW64\cmd.exe
PID 1452 wrote to memory of 808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1452 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc.exe

"C:\Users\Admin\AppData\Local\Temp\8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc.exe"

C:\ProgramData\WindowsVolume\DiskServer.exe

"C:\ProgramData\WindowsVolume\DiskServer.exe" -p834784734789789347892898943789787892

C:\ProgramData\WindowsVolume\OpenDisk.exe

"C:\ProgramData\WindowsVolume\OpenDisk.exe"

C:\ProgramData\WindowsVolume\File.exe

"C:\ProgramData\WindowsVolume\File.exe"

C:\ProgramData\WindowsVolume\File2.exe

"C:\ProgramData\WindowsVolume\File2.exe"

C:\ProgramData\WindowsVolume\File3.exe

"C:\ProgramData\WindowsVolume\File3.exe"

C:\ProgramData\WindowsVolume\DiskUpdate.exe

"C:\ProgramData\WindowsVolume\DiskUpdate.exe" -p78347834893489894237834783478785788989543536

C:\ProgramData\WindowsVolume\DiskUpdate1.exe

"C:\ProgramData\WindowsVolume\DiskUpdate1.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\ProgramData\WindowsVolume\DiskInstall.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\ProgramData\WindowsVolume"

C:\Windows\SysWOW64\sc.exe

sc stop RManService

C:\Windows\SysWOW64\sc.exe

sc stop VolumeDisk0

C:\Windows\SysWOW64\sc.exe

sc stop VDeviceCard

C:\Windows\SysWOW64\sc.exe

sc stop NPackStereo

C:\Windows\SysWOW64\sc.exe

sc stop ServiceWork

C:\Windows\SysWOW64\sc.exe

sc stop IntelDriver

C:\Windows\SysWOW64\sc.exe

sc stop AMIHardware

C:\Windows\SysWOW64\sc.exe

sc delete RManService

C:\Windows\SysWOW64\sc.exe

sc delete VolumeDisk0

C:\Windows\SysWOW64\sc.exe

sc delete VDeviceCard

C:\Windows\SysWOW64\sc.exe

sc delete NPackStereo

C:\Windows\SysWOW64\sc.exe

sc delete ServiceWork

C:\Windows\SysWOW64\sc.exe

sc delete IntelDriver

C:\Windows\SysWOW64\sc.exe

sc delete AMIHardware

C:\Windows\SysWOW64\taskkill.exe

taskkill /im rfusclient.exe /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /im rutserv.exe /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\SystemVolume0\SysHardDisk" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "C:\ProgramData\WindowsVolume\config_set.reg"

C:\ProgramData\WindowsVolume\sysdisk.exe

"C:\ProgramData\WindowsVolume\sysdisk.exe" /silentinstall

C:\ProgramData\WindowsVolume\sysdisk.exe

"C:\ProgramData\WindowsVolume\sysdisk.exe" /firewall

C:\Windows\SysWOW64\regedit.exe

regedit /s "C:\ProgramData\WindowsVolume\config_set.reg"

C:\Windows\SysWOW64\sc.exe

sc failure VolumeDisk0 reset= 0 actions= restart/500/restart/500/restart/500

C:\Windows\SysWOW64\sc.exe

sc config VolumeDisk0 obj= LocalSystem type= interact type= own

C:\ProgramData\WindowsVolume\sysdisk.exe

"C:\ProgramData\WindowsVolume\sysdisk.exe" /start

C:\ProgramData\WindowsVolume\sysdisk.exe

C:\ProgramData\WindowsVolume\sysdisk.exe

C:\ProgramData\WindowsVolume\volumedisk.exe

C:\ProgramData\WindowsVolume\volumedisk.exe

C:\ProgramData\WindowsVolume\volumedisk.exe

C:\ProgramData\WindowsVolume\volumedisk.exe /tray

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\ProgramData\WindowsVolume\*.*"

C:\ProgramData\WindowsVolume\volumedisk.exe

C:\ProgramData\WindowsVolume\volumedisk.exe /tray

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\ProgramData\WindowsVolume\File2.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
US 8.8.8.8:53 oldbet.ru udp
RU 31.177.80.70:80 oldbet.ru tcp

Files

\ProgramData\WindowsVolume\DiskServer.exe

MD5 54836054da86cdf2c6faf9902c999a19
SHA1 2e4b2e3807d7db4dfbee403931dd200140ac5538
SHA256 3419e24d04e32b7cb750b03f7de1fade3cba8ce93a7ac91597db6a3f43eb7419
SHA512 96b4441abb02bd671694d4989785a82ebbdab7c8bba026b30905982f0fe764aca3c0de736132d43c66c1ca9b758873a687d315f69187c775f09971f60d62d5e7

\ProgramData\WindowsVolume\OpenDisk.exe

MD5 229c8ccea94ef0b27d3c183733abdc18
SHA1 df2da0ba2e2c1a0a8ef9827469268484e5c02a33
SHA256 071d129408cc3753ddc186708972be1f78df79e560631f27c06eef43914847fa
SHA512 a5803951d81a8f8490676e182588a5539ba6076a5f355c9c2ac0d1e35f1d5e36e852d3b7070d6d94c2b5a1c799effe538953267b916f2b438ccda1e3d4d097c2

\ProgramData\WindowsVolume\File.exe

MD5 114f5bfb83d3c1a44dbf04aed9c458b5
SHA1 dc1fee3135992a572cd46896ffe68f9f9f4a4e86
SHA256 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e
SHA512 e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

C:\ProgramData\WindowsVolume\File3.exe

MD5 114f5bfb83d3c1a44dbf04aed9c458b5
SHA1 dc1fee3135992a572cd46896ffe68f9f9f4a4e86
SHA256 69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e
SHA512 e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

C:\ProgramData\WindowsVolume\DiskUpdate.exe

MD5 b8d1cbe50014041985bf44c08c0482bb
SHA1 87dea8cac12c16f2ed17126560611ba1a0dfe7fe
SHA256 3be527e7c6ef1ee1f42320b713743b697de8492af356f49bd69946a1fd14ea66
SHA512 495c7914b20abe50f7b72a1a5e64c86ff3a7d22831141ca8b12507e2937f279e29b27a25b88b7fbcf1d6d78b5b200e102523fa9c685d5d80ca2c806b629d89e9

C:\ProgramData\WindowsVolume\File2.exe

MD5 e4c489dba5c6a05ec636053388ff70c1
SHA1 ad2268260bc7370b39efc4a080b7a55c4d467942
SHA256 86abf05a8baf4a901b76070a2380c0e429953c88e8c3a5edb9659ba10556087f
SHA512 e188274f004dd2215d33b68e45e4a889f85f09ebc4be67fde489b87744daf434559f82375f432c23f25bc8316af189b85d90085a2fd58446e5c6e846f2170185

\ProgramData\WindowsVolume\DiskUpdate1.exe

MD5 6b1d852d23d46bae7b63a9407b24d78b
SHA1 3ddb8cfea4ace01bf9aabed72c8653247455ec60
SHA256 5c042a873d6a914151ab65ad7c692f35dd78956a5507565560e01f884bcd2c2d
SHA512 b8b34141414547673c812380b7aca11562ed9a15758b7677e84a8962234b5cc6f204386325c09025a537b465bfd46bb98b5b7a5c31497984b33bd8ba76ad875d

C:\ProgramData\WindowsVolume\DiskInstall.bat

MD5 a46bdedc1e6587433dc98119f338d175
SHA1 01334536e159f71bc5bc1e7b7a0e75490c169c36
SHA256 604b240dd5e0ae92578c785bf46888b93307588f00af62cf6296b2f1c86eeb50
SHA512 e8010ea23bb01e707342fab42fb3b73fc6f82d0abfdd0354f01ed68e7e05aafaed3991f7deb9bc368de3c36deec7dbc7e4fa4e1178134d9e941f0c77cb52a394

C:\ProgramData\WindowsVolume\config_set.reg

MD5 414c6b489ecaf832f3e457d8cb916cf2
SHA1 ece8a342cfb3912cfc823e1866f73fc56bbe542d
SHA256 9b0ec9a5173c9835629d497478d29f9bea792b7a5da55c343faa8347c55d6034
SHA512 d858b2a1e8fb42298e9dab6287a7c6c7418adfcc19961d70c0dd07b5f65d6c5d9a3472699aaea7021c957afd181b114ff02d9a52f1373d9c12413ce5f0b6eacd

\ProgramData\WindowsVolume\sysdisk.exe

MD5 4e5d6b099b69fb935da7e0e7a4df8b26
SHA1 5643d2dbde01664012a6022725982f59973e12fb
SHA256 95ded19857c297d099f511353ef3ac1ea87a7cbacf875eea17d897b092745e4b
SHA512 758af77fbb5144a173109ccadb781a43d662fdfd3f2c084eb2a7c4aa46aaaa87cd85b3f27ac6bd4f0808d8e4a370a5b10f4dd404960c438f7872fc7ed1e7b550

C:\ProgramData\WindowsVolume\russian.lg

MD5 e44e34bc285b709f08f967325d9c8be1
SHA1 e73f05c6a980ec9d006930c5343955f89579b409
SHA256 1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b
SHA512 576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

C:\ProgramData\WindowsVolume\volumedisk.exe

MD5 c51216743d2fddc2e8c67f092b7f862d
SHA1 04fd9048253180784459592f5ebe6442f46898f1
SHA256 101fd99a66cfe6b41762962f91517d00df85d60eb65fb4a013f52260e6219a94
SHA512 b26b3e376ea03c53ad0a36b99ee672bbd5c4c1c9f0e77d8af6a492d6cf2df5a2090e64b155a171ced7ea12b4c5d8895828f174f9434394400bd95368e144e2e4

C:\ProgramData\WindowsVolume\vp8encoder.dll

MD5 dab4646806dfca6d0e0b4d80fa9209d6
SHA1 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256 cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512 aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

C:\ProgramData\WindowsVolume\vp8decoder.dll

MD5 d43fa82fab5337ce20ad14650085c5d9
SHA1 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256 c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

C:\ProgramData\WindowsVolume\DiskInstall2.bat

MD5 52d57e611e45ceae3107a9606c798df8
SHA1 a559ee95833113e022c4e5116508641847e31dd3
SHA256 1511fc19a2f4a670f7ced8ff7980bb0f8eb5ef840c0c116fc96ec3b241a588e7
SHA512 1c86c712988c97fab61461dfd6cc67912d11e1816af8e96f7a2432a591097e1182b179be0555c80cfbedb9441beeac526398b54fac4f49af1fed7dde75030306

C:\ProgramData\WindowsVolume\Diskpart.dat

MD5 1a18270fb3fd76df0d01087e99dddcc6
SHA1 26732b781736ed80654e3a41839b50e3d2e36db5
SHA256 fb9b9ae62c41448d117cbc468b2bf4eebb0665605cb864f28822f2b71f78dbda
SHA512 63d260f4972c6a403af97c3c6e371f516a5d3fbc1090bfe2b41b4dd88ff900b98217fb2225b53948fc480c33d1b9753bbf1e4a4df1613069f0f211a556a95f19

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-24 14:55

Reported

2022-05-24 15:32

Platform

win10v2004-20220414-en

Max time network

168s

Command Line

N/A

Signatures

RMS

trojan rat rms

Processes

N/A

Network

Country Destination Domain Proto
NL 104.110.191.133:80 tcp
NL 104.110.191.133:80 tcp
US 20.42.73.26:443 tcp
GB 92.123.143.240:80 tcp
GB 92.123.143.240:80 tcp
GB 92.123.143.240:80 tcp
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
US 8.8.8.8:53 226.101.242.52.in-addr.arpa udp

Files

N/A