Malware Analysis Report

2024-11-15 08:39

Sample ID 220415-gqyq5sghgq
Target 3cc9e7d200d5e06142cf837f60b87d99b25d188c7cb52ab0bbdbe9090b7aeaea
SHA256 3cc9e7d200d5e06142cf837f60b87d99b25d188c7cb52ab0bbdbe9090b7aeaea
Tags rms rat trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

3cc9e7d200d5e06142cf837f60b87d99b25d188c7cb52ab0bbdbe9090b7aeaea

Threat Level: Known bad

The file 3cc9e7d200d5e06142cf837f60b87d99b25d188c7cb52ab0bbdbe9090b7aeaea was found to be: Known bad.

Malicious Activity Summary

rms rat trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

RMS

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-04-15 06:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-15 06:01

Reported

2022-04-15 08:21

Platform

win7-20220414-en

Max time kernel

139s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3cc9e7d200d5e06142cf837f60b87d99b25d188c7cb52ab0bbdbe9090b7aeaea.exe"

Signatures

RMS

trojan rat rms

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Events
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe | N/A | 1
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe | N/A | 1
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe | N/A | 2

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe | N/A | 2

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 824 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\3cc9e7d200d5e06142cf837f60b87d99b25d188c7cb52ab0bbdbe9090b7aeaea.exe | C:\Windows\SysWOW64\cmd.exe | 7
PID 1220 wrote to memory of 1896 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | 4
PID 1896 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe | 4
PID 572 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | 4

Processes

C:\Users\Admin\AppData\Local\Temp\3cc9e7d200d5e06142cf837f60b87d99b25d188c7cb52ab0bbdbe9090b7aeaea.exe

"C:\Users\Admin\AppData\Local\Temp\3cc9e7d200d5e06142cf837f60b87d99b25d188c7cb52ab0bbdbe9090b7aeaea.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

rfusclient.exe -run_agent

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe -second

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe /tray /user

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | server.rutils.com | udp
US | 209.205.218.178:5655 | server.rutils.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Arabic.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisencoder.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisdecoder.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmmux.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8encoder.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8decoder.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RWLN.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RIPCServer.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Turkish.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Swedish.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Spanish.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Portuguese-Brazilian.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Polish.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Norwegian.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Korean.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Japanese.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Italian.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hebrew.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\German.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\French.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\English.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dutch.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Danish.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Czech.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ChineseT.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ChineseS.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\settings.dat
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\logo.png
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\branding.ini

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-15 06:01

Reported

2022-04-15 08:21

Platform

win10v2004-20220414-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3cc9e7d200d5e06142cf837f60b87d99b25d188c7cb52ab0bbdbe9090b7aeaea.exe"

Signatures

RMS

trojan rat rms

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 4932 created 4116 | N/A | C:\Windows\system32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3cc9e7d200d5e06142cf837f60b87d99b25d188c7cb52ab0bbdbe9090b7aeaea.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Events
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe | N/A | 1
Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A | 2
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe | N/A | 1
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe | N/A | 2

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe | N/A | 2

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 2252 wrote to memory of 3656 | N/A | C:\Users\Admin\AppData\Local\Temp\3cc9e7d200d5e06142cf837f60b87d99b25d188c7cb52ab0bbdbe9090b7aeaea.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 3656 wrote to memory of 3304 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | 3
PID 3304 wrote to memory of 4116 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe | 3
PID 4932 wrote to memory of 2848 | N/A | C:\Windows\system32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe | 3
PID 2848 wrote to memory of 428 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\3cc9e7d200d5e06142cf837f60b87d99b25d188c7cb52ab0bbdbe9090b7aeaea.exe

"C:\Users\Admin\AppData\Local\Temp\3cc9e7d200d5e06142cf837f60b87d99b25d188c7cb52ab0bbdbe9090b7aeaea.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

rfusclient.exe -run_agent

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe -second

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe /tray /user

Network

Country | Destination | Domain | Proto | Connections
US | 93.184.221.240:80 | N/A | tcp | 4
US | 8.8.8.8:53 | server.rutils.com | udp | 1
US | 209.205.218.178:5655 | server.rutils.com | tcp | 1
GB | 51.104.15.252:443 | N/A | tcp | 1
US | 204.79.197.203:80 | N/A | tcp | 1

Files

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Arabic.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ChineseS.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ChineseT.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Czech.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Danish.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Spanish.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Portuguese-Brazilian.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Polish.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Norwegian.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Korean.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Japanese.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Italian.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hebrew.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\German.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\French.lg

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\English.lg

MD5 d1f7b90ca4647f9246927d32af1fea57
SHA1 e5553070704d142a84e598ac015feb4c3cb96cb7
SHA256 67d16f7f24999269b264e84a884cfb03e87705ec9eef342ee0d7379e5c04c240
SHA512 df3909faa870eee856b80e803dd7cf72c9972fa80c477a366e7c9c3cbdd6f694881ebc695fd67ce1afb2181a8699e399d8708922b4994e574b209159b61becd5

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dutch.lg

MD5 c5b854838dba2e259b0216a89ce8d50f
SHA1 863442944210d40654b336685a51e8542b95c56d
SHA256 8a9475ac44cda25fa749b814cbe5c2837326b8f1565e0dfbdbf79cd6bfdb99be
SHA512 cf6b92e67299b329d2f15525178e8c13f088570d75c484b4986834d5078d962c49f5387554ee7cfc3484cc25921f32282a230fdddf40d2e857d8fd9865205789

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Swedish.lg

MD5 7f79e44686ec67fa03f5eb2157be0e95
SHA1 b0788205f8e134d4d8bf8b9510da4fdf71f203ed
SHA256 d080ad158a8b083ddccb18f9ea5177bc5da11ab01112b04b14ef3917f8f53d9f
SHA512 f6528df47bfce981ab8a54e617111667cf10fb39022e05c2718fa767503316b89379319c8a535d7342f47342b470dd739c5f4bd2da936d2e59b63ff7a2c6742a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Turkish.lg

MD5 2099795cc874ddb6bc22f34f1f6ff8f0
SHA1 fa423d8db42d6dabe58efacc6bd38bf6b9a25800
SHA256 beeb4409dbb580bf5246b2a5739b253513239dca62621a1c9e92041cd223bca0
SHA512 363a7ff773de9ce898b98d8c666e5b66f4c59acccbcfeed5ab313b7506f59c1d554345cb492fbe720e187ee8a6f8205ce6e34808663a0cd1383f3a88c9e9ba73

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RWLN.dll

MD5 c155922e21309dc7764e090f48ab3a87
SHA1 9942b200ade8a123f916efbb18c04ad0d2a261ae
SHA256 e088de46b352fa898b59604501206a3d59d830fdf1b3276a8afbb072a30a3bde
SHA512 f2e7d1d7abdb63078d14266a97ef2e8d7f4a946a98b804be32c3af153be55d78214172d12dc3261e65add31aac9ea7e1be5f9acfe42d1bbf797e3c5799c62057

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisencoder.dll

MD5 c360aef5dc787625e9ae4c10b64046b6
SHA1 4ef3d4669a3064a1ff6410a51b1f88f0d26c80dc
SHA256 026a53be27b56b3ea2a7e8eab6db5286577972ee05acfe90ba4c0d9cf3c22316
SHA512 0f817d1dedc86de2e1e30cc97825bc45fab61ab6180a2789fd9deb655a39380a980007c3dbebc1454892a348760edf5de379ceb3cb91c6f50577a141a7b5a0e3

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisdecoder.dll

MD5 18b460b50e628e95d0996f7512919175
SHA1 c69031b95919ada3501433f9b52eb411e1611e55
SHA256 1c4148af9a155ce14c4a82c7053a168299550da6cc9b185525c532f8b99e53ab
SHA512 33e19312686ed35dbdb4535fab5a048287a7fd9286684ef7c82645c0582dff67350c74ee3a732f6dd27eb696e0513fc86958743511014b9a2fcd9f7dba4d68f8

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmmux.dll

MD5 6b80eb95fb4cddae6ddc1c4400f68679
SHA1 36d09af02dd302bdc290fb2efa942851ab3b9fc9
SHA256 39c086aa35f89643eab71ebaf957057fc8b04e8dfca1bbeb5d73efefd92d0e5e
SHA512 cd2225863bf5ca4546d986636bdab16d9feebb4f698a255835f76d684288d2b1a7579fb23cf11eb7587215200522a60adf32a1b279fa5ea5c49e60f8fba6720f

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8encoder.dll

MD5 8fe35595a0b4da766c1ea8b8427f0a72
SHA1 6487ae59d763e4e8090a4f4fff8884122cb81baf
SHA256 3770b492fbbf08f8748e3573824af868795e9155502376c25a86d4220fbece9c
SHA512 378ec583b652eb5695879765b7c7377b54ec43b467c28778eca6b17e85a35987c093358016b2ec4b05f48bfa01892ec87349af419571112920d395bf1cba50ca

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8decoder.dll

MD5 42884b2e53d2af199ff8839c2975cf08
SHA1 a2d24abfa6b0a5b99dc8cb01ff920be77e42f6fc
SHA256 8f210fc42c691d281bfd5b485c0c8be3e11ddf0503585a5edc5856164eadcb3b
SHA512 7685e08534743bfc59e37c9ddcdb0675806eb3e7344ed4b58685e2429c0a758fe58d1a9b5a0db72de16656b0abea19c0954adc73f2be0909b5985f1ef5d8da01

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RIPCServer.dll

MD5 78a6f2b2b256a1c82faaa789c46bc7ce
SHA1 6aeafea46458599cd2d7b0c061630247e4e3d4db
SHA256 0f83229f69c10d8c8afdf0ee0275b5e727e936b1e07159779a68ebd2f613ae05
SHA512 2e5b79104abf66426c328976eec331420bf71f03649a71df2f5f2ef3dcfe463c369e87b60906d8144fe574e45a354be40f26da896bbd9b402062813cf181394e

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\settings.dat

MD5 8a6cbb2d45463e4941c8c98262584582
SHA1 c3d9461cade69e2225bef48307237d28c07560da
SHA256 9844a78de57ba2a974f061820e22dbb7a7cf13e6f8a923ed7eac133135ad0a5e
SHA512 eda58d007ebdf4dddc6425bd4a25c0129a0113a2d5df3b6c2073b7ae12178a894cb486a7c91ca258f31ee68dc9a90b7743c18c8ce160e173b6d549bb03c470d0

memory/428-167-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

MD5 7718f71bd99e74323812c29b2cc1a3af
SHA1 038eceb80597de438d8194f8f57245eb0239ff4b
SHA256 31616aac0c331e8dd52377a097c75625b658d3ce0f6cb29db7201f5c412d905b
SHA512 c87253addc9bd92a0465d2b7b38ac4fdd889089d2d8b7458d96cea960cd1078e4d7f87630488b69d46a198d7c9dbc93099dc1292759e80c5afe54f086ae00c76

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\branding.ini

MD5 e5cfd27192004199b4b4871f476262b0
SHA1 0258e3d73cd185e9c3b4a50aa1af406b55fad867
SHA256 07488db42d1f9de09f6334c71f6c097a1e768bd8249e1f80f08a872f16c6f719
SHA512 39d4080bf1da6c34317e7fcd725ddc19e918f00a786ce590e8c17d98252b225f76e32a1575809e93cce560e3ac38eb401f45f9757b33211eb28afd7921629c13

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\logo.png

MD5 ced3d982304bf674430c9108a86dcc90
SHA1 f83140d206ac596f7ea35ba2eafecc50e259cda3
SHA256 253975b46a3f4ad484df2e987fa4785adc82249a1c63bcf24275b4304077da62
SHA512 d1ebfaaf39948bfefaa47bcae2a2d5a80390e88ca3bcb08148252444281a6d90137292d3d2a748957e341d833067c691e728bb77c2886ff8a9a8ed59f265fe3e