rpcss32.exe – Trojan Swisyn removal

Created files:

%SysDir%\505815795 – Trojan Swisyn
%SysDir%\avtapi32.dll – Trojan Swisyn
%SysDir%\hal32.exe – Trojan Swisyn
%SysDir%\rasser32.dll – Trojan Swisyn
%SysDir%\rasser32.exe – Trojan Swisyn
%SysDir%\rpcss32.exe – Trojan Swisyn
%SysDir%\config\systemprofile\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\dakkneicofbkfcckakgbapagllhecbmh\manifest.json – Trojan Swisyn
%SysDir%\config\systemprofile\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences – Trojan Swisyn

Autostart registry keys:

HKLM\Software\Classes\CLSID\{BDF3E07E-05E5-4187-B370-E440E93A5961}\InprocServer32 : %WinDir%\System32\avtapi32.dll
HKLM\Software\Classes\CLSID\{BDF3E07E-05E5-4187-B370-E440E93A5961}\InprocServer32\ThreadingModel: Both
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RTHDBPL: \SysWin\lsass.exe2\rasser32.exe?q?q?
?|?????
?|???w9??w???Y?Ow???,$?$?q?q?????q??q?q???6v?6
0????|6v??,$???????????|T?????|????

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs: 01000000
HKLM\System\CurrentControlSet\Services\helpsvc32\Type: 10000000
HKLM\System\CurrentControlSet\Services\helpsvc32\Start: 02000000
HKLM\System\CurrentControlSet\Services\helpsvc32\DisplayName: Help and Support
HKLM\System\CurrentControlSet\Services\helpsvc32\ImagePath: %WinDir%\System32\rpcss32.exe

Detected by UnHackMe:

rpcss32.exe
Default location: %SysDir%\rpcss32.exe

Dropper information:
SHA256: c5991f6f9f37091b5a3b3c502af9bc5046225b733b0e41c1683bb50f610614cd
SHA1: 241fb62c6b04b8b26dda089ab2254753cb5ddefc
MD5: 0c17b3726a0d7f46ed8f3fa177bad696
File size: 1412096 bytes