Analysis Overview
SHA256
5edbbf6443f06a4c257794934ceccddef65cbc68fd0e779a11b1496ae9e51eeb
Threat Level: Known bad
The file 6cf72f5fcd8496749d957f99e8b7489d was found to be: Known bad.
Malicious Activity Summary
Babadeda
Sodin,Sodinokibi,REvil
Babadeda Crypter
Modifies Windows Firewall
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Checks installed software on the system
Enumerates connected drives
Adds Run key to start application
Sets desktop wallpaper using registry
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Uses Volume Shadow Copy service COM API
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-01-21 09:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-21 09:35
Reported
2024-01-21 09:38
Platform
win7-20231129-en
Max time kernel
138s
Max time network
146s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sodin,Sodinokibi,REvil
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6cf72f5fcd8496749d957f99e8b7489d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\t32mMaunsR = "C:\\Users\\Admin\\AppData\\Roaming\\R-Tools Technology\\R-Drive Image\\rimage.exe" | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
Checks installed software on the system
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\234287.bmp" | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\program files\ConvertFromMove.ADT | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\GetSuspend.gif | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\RestartEnable.aif | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\UnregisterSuspend.vsx | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\CloseConvertFrom.emf | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\GetUndo.vsd | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\LimitJoin.xltx | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\UnregisterRestore.bmp | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File created | \??\c:\program files\tmp | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File created | \??\c:\program files\r114f-readme.txt | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\ExportInstall.odt | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\SuspendDismount.wax | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\tmp | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\r114f-readme.txt | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\AssertRename.mp4 | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\CompleteSwitch.midi | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\RepairMerge.dotm | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File created | \??\c:\program files (x86)\microsoft sql server compact edition\tmp | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File created | \??\c:\program files (x86)\microsoft sql server compact edition\r114f-readme.txt | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\ApproveClose.wma | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\ExpandExit.rar | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\MoveClose.aif | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\PopRestore.ps1xml | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\StepUnlock.asp | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\StopExpand.3gpp | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\CloseCompress.xlsm | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\ConnectWait.ps1xml | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\MeasureProtect.inf | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\MountConvert.mov | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\RestartMerge.easmx | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\StepBackup.mp4v | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File created | \??\c:\program files (x86)\r114f-readme.txt | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\ApprovePing.wma | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\EnterDisable.mp4 | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\ImportPing.M2V | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\ReceiveApprove.mp3 | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\WatchHide.shtml | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\tmp | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File created | \??\c:\program files (x86)\tmp | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\AddCheckpoint.sql | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\BackupExport.001 | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\RenameHide.cfg | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File opened for modification | \??\c:\program files\ResetMeasure.ppsm | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\r114f-readme.txt | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6cf72f5fcd8496749d957f99e8b7489d.exe
"C:\Users\Admin\AppData\Local\Temp\6cf72f5fcd8496749d957f99e8b7489d.exe"
C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
"C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | partnertaxi.sk | udp |
| US | 8.8.8.8:53 | bodyforwife.com | udp |
| US | 173.230.249.203:443 | bodyforwife.com | tcp |
| US | 173.230.249.203:443 | bodyforwife.com | tcp |
| US | 8.8.8.8:53 | parking.netgateway.eu | udp |
| DE | 91.210.226.175:443 | parking.netgateway.eu | tcp |
| DE | 91.210.226.175:443 | parking.netgateway.eu | tcp |
| US | 8.8.8.8:53 | freie-baugutachterpraxis.de | udp |
| FR | 92.205.52.135:443 | freie-baugutachterpraxis.de | tcp |
| FR | 92.205.52.135:443 | freie-baugutachterpraxis.de | tcp |
| US | 8.8.8.8:53 | geekwork.pl | udp |
| PL | 94.154.117.119:443 | geekwork.pl | tcp |
| PL | 94.154.117.119:443 | geekwork.pl | tcp |
| US | 8.8.8.8:53 | alsace-first.com | udp |
| FR | 213.186.33.4:443 | alsace-first.com | tcp |
| FR | 213.186.33.4:443 | alsace-first.com | tcp |
| US | 8.8.8.8:53 | jiloc.com | udp |
| CN | 116.153.39.128:443 | jiloc.com | tcp |
| CN | 119.188.49.80:443 | jiloc.com | tcp |
| CN | 120.233.179.100:443 | jiloc.com | tcp |
| CN | 218.11.1.241:443 | jiloc.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp
| MD5 | 64edeea9d5b5bbe49b4c22666353ee60 |
| SHA1 | b312e5785ea31da217f1858820555856e4393466 |
| SHA256 | 7cb61a6fbdab9246b7ea368895a4cd928da5d3c61371cf14f3ac2fe39402f9db |
| SHA512 | 34189dfd28ec90e52f5ef4a6e92ee75b8af7ae04b9592324dcce740fdfa2652e5bdf0dccc712d5922322358f518375d0e70ae394045b0bdb7567ad97839e4ab4 |
\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
| MD5 | 55a168591b68d1b1fa8af89afa4c81a5 |
| SHA1 | 31db0c6178cf09710ddb9bfc5e1f15584b7cf401 |
| SHA256 | 25449d5ff157eee41449559913721f1a23a7ca4fc427f141a4adc5b0a473d112 |
| SHA512 | 29795bffff93b57e37971af5239efad6d7007ca30ec94499681a5e2c192626cc6cf7ec49b096ef30b5cb910ea30d6df9d007c2259afca97fa921ad771f7de11b |
C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
| MD5 | 49186898dca05292964da2db3eb23b90 |
| SHA1 | b29a90983485462127ada8db02bdb2cb862d95a5 |
| SHA256 | bfcfdf1f04335ad9e99697d7c3cf5f5ebf261dbea68d892f642c1547e3862ab3 |
| SHA512 | 813450c9ec94b131816f7aecf105b46f31a70b9f2c69bf5132ca2586eaf138ea90eacb686a96a0a6e5b42b3534b052ea2d334aeb08a0b440337be1cb09643692 |
C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
| MD5 | a8c922bc3e540279effd3f7412a83c30 |
| SHA1 | b1f26c253a72af772063b6c910c053fe6c8dd2ad |
| SHA256 | 875bedb03db4f4ae6b70108f4cdce4e783ceaa2b3eff86b1299992be7ec3ab7f |
| SHA512 | 05670248530198d43f5df0e3f916410e0fc77838c0008440cc2ed0128041b51fe52486694af58be276ae812a96d2d0d72f23a23b5c39d808369f64a32bc028ad |
memory/1884-423-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2268-424-0x00000000001B0000-0x0000000000958000-memory.dmp
C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\sunmscapi.dll
| MD5 | 5a68fd557132bcbf3f9bb80124b84d42 |
| SHA1 | fd466abe54eef900288a7dc306df1bca4d378adb |
| SHA256 | 324d933119931529d77e9517f4e5634dc4d4289ddeccf89051a7451cc0bd27a0 |
| SHA512 | a89fec0dda2ec7b28917fb136df7ed7e9e4802eafafa7f78e152f8ccb15cc6503b1729ce59f346a4fa8173d0bb9606d11d47d01908872c57cb9fe1b0bdf7fc33 |
C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\Help.xml
| MD5 | 3f517c15e8b924be1ab285723de6fbf9 |
| SHA1 | a89c94cddd6247805b62314bf5f93b0ef0e24b4d |
| SHA256 | b53e6b3f1308152656ba75fa329264364d52f86dc0b21992f0441831231de1b5 |
| SHA512 | 45156505decd0cd53dc9bf2575717e566fdc7ed239ec2d1233ac629f56b228795949bdae5533e3ec42b96fb1c5ae503133d6a32dba08a9e8744a0a3c59615af6 |
\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\sunmscapi.dll
| MD5 | f382cc5361fde9d0155cb417f1fd08ea |
| SHA1 | da046912f69fa7cc8e517bc4d1782656c84fd601 |
| SHA256 | 63ce6b191ff646ecb295c6018665c663e8253a58bb933f11ce66be6afc4d442c |
| SHA512 | 3753ee46865ec536e4915389ca5194768719e4e915b06b9ba1721eb2b55d4216053ade2a4fb4b43013f1bb6e62ab7f8ced7ff917c84872a03d972b5cbffa4324 |
memory/2268-428-0x00000000001B0000-0x0000000000958000-memory.dmp
C:\Users\r114f-readme.txt
| MD5 | 37d5ab65c80b0f454a8069114eed7f51 |
| SHA1 | 42ca02f25b402ff48c526edb91eb192ffb72eac5 |
| SHA256 | 5a22c6d02cee6c116bfe198b82eed0bedcce40cd998efde538b21268c6a453fb |
| SHA512 | 90238cd1502e2f9ab8b8f1605eb8b6167786238d906f7d55b84b4f17e6991c3aa0a79515679370a6727422f12661dcffcbb338dac0f8c9513b33253ed4cacea6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-21 09:35
Reported
2024-01-21 09:38
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sodin,Sodinokibi,REvil
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6cf72f5fcd8496749d957f99e8b7489d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\t32mMaunsR = "C:\\Users\\Admin\\AppData\\Roaming\\R-Tools Technology\\R-Drive Image\\rimage.exe" | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
Checks installed software on the system
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8x3s56lgg7.bmp" | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6cf72f5fcd8496749d957f99e8b7489d.exe
"C:\Users\Admin\AppData\Local\Temp\6cf72f5fcd8496749d957f99e8b7489d.exe"
C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
"C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | partnertaxi.sk | udp |
| US | 8.8.8.8:53 | bodyforwife.com | udp |
| US | 173.230.249.203:443 | bodyforwife.com | tcp |
| US | 8.8.8.8:53 | jamesfell.com | udp |
| US | 173.230.249.203:443 | jamesfell.com | tcp |
| US | 8.8.8.8:53 | 203.249.230.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp
| MD5 | 3cee4866f4be8aa2d1874953f1ed82b1 |
| SHA1 | fd3d6d890d104d00e6ff54ad2cb498ac6ea16c97 |
| SHA256 | 42a3880731d9a79a0c3c7e5c54f6b44583d9ac7c826ffd000f21e42827e911d4 |
| SHA512 | d312fbadf17d7b9ac9c31c87d984b4bfc290350a0ae07cd784ebb80ec5d1ec5e7ab5b6a9dd205d795b0a65d4c4c62c2f1e8d6f494cfa8501a8865efaa3e7a24a |
C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
| MD5 | e87ba29ce7cce2c4b47b457e6aeb0627 |
| SHA1 | 3e1b0310d35f53810b708a32bbf82e98df2b81db |
| SHA256 | 24d7f0fa99146f608c920deaad20039c25b11d7b309ad53139a18fc3c7e8249c |
| SHA512 | 0e58cfefffcd576f2520c3ac76808d1871c9c2dd5562d24d6889e9d7a8cb9573b5906ee15824a5042dc3f6a63bd934d6718a091a839c529813fc71f31b41401b |
memory/1200-428-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
| MD5 | 38ba8cb4226ec7b129b4463fd0bf319a |
| SHA1 | 6166e9a11a38fef6a197fcaee7b61dfa27976858 |
| SHA256 | caa362e600619f3d397a44380e9171b43975f4cf3dec54e577610ee070f97717 |
| SHA512 | 6dbb93618e9ace27e3010e2291e420a8ff87d1449cb5a7ebc6f238c1d117c4d8b11397efd9e478758892055975ac5a73e849f61fed155cb366df523d2b07b7b1 |
C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\rimage.exe
| MD5 | 41506e2515428be8a44da2fbbd440657 |
| SHA1 | 361553936ee423b7e170111d7fd3b67d119fbdba |
| SHA256 | 9b7fb441def61bbbc6630856c3fcd9ddc921d2add8924ba6df9592b3f586f706 |
| SHA512 | 7487d3f06cf2f280e25422e8f22fa8738dca2d89d1c71210e55b4759e422645bfc8a63cac2de258626d7329e25ddd0b9dcb69896ea20b56832fb5530f2bba974 |
memory/1160-429-0x0000000000810000-0x0000000000FB8000-memory.dmp
C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\sunmscapi.dll
| MD5 | dc411c4643dad59bfe5d3a19b775c9c9 |
| SHA1 | ed99b3357a71c05253f15778c3e37d5372055916 |
| SHA256 | f3d6d04613c604b04bac46abfa2aabb5f722daea66c29635bd4e0bf8cf839b5c |
| SHA512 | 5d808f968c3a6413884fd619023e61baa5c5294cf79376e8294f709265d726d828486ac2110df7be77f60f70074ce0ec4298f0c11ee067bce2b7920196f2b428 |
C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\Help.xml
| MD5 | 3f517c15e8b924be1ab285723de6fbf9 |
| SHA1 | a89c94cddd6247805b62314bf5f93b0ef0e24b4d |
| SHA256 | b53e6b3f1308152656ba75fa329264364d52f86dc0b21992f0441831231de1b5 |
| SHA512 | 45156505decd0cd53dc9bf2575717e566fdc7ed239ec2d1233ac629f56b228795949bdae5533e3ec42b96fb1c5ae503133d6a32dba08a9e8744a0a3c59615af6 |
C:\Users\Admin\AppData\Roaming\R-Tools Technology\R-Drive Image\sunmscapi.dll
| MD5 | 059880106001e05cbf02a9a305697db9 |
| SHA1 | ccf208bcb7605138d1bd5f8b0247183d6c649b88 |
| SHA256 | ad7dea1811b4f86fa88a697fa84688f9b3b7cf80ee521480fad560821031047d |
| SHA512 | cb43b07790dff0e6de3956c66513ea793cfdf2f82db2b741e08cc9fb07fc35e5c0be4ae5e7795985fc8deb28f069a5f199c492fea87fdb4790b5eabd16709a5a |
C:\Recovery\zzrd1r7t1-readme.txt
| MD5 | a768bf80055e28460b404a527e1191d0 |
| SHA1 | 12327fdca3c69cf496e8f3b3d8116a0434a3bcbd |
| SHA256 | 1c150b9cb8463635e19852bdd0bbff2281c98642ead4aa95d364d246aa4049f0 |
| SHA512 | 1c0edda16974a90e82abae1008d8551c7a027ed293c58c4333950f7a04250318687ba755329e51d7ea614814421cbbf463c2d39b36f4ea11d0581dc7f5e639d8 |