rms | 6dee044e1e077b37eb47648c3debefb74a8ba80be576cbd94dccf4924e158ec5

Analysis

max time kernel
137s
max time network
150s
platform
windows7_x64
resource
win7-20220414-en
submitted
24/05/2022, 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dee044e1e077b37eb47648c3debefb74a8ba80be576cbd94dccf4924e158ec5.exe
Size

2.6MB
MD5

8a2a1a539b09daea31c6d7b5fe030a5f
SHA1

afe6bf6655244be1b4b873ec47acfc265cf4ca4b
SHA256

6dee044e1e077b37eb47648c3debefb74a8ba80be576cbd94dccf4924e158ec5
SHA512

13e882472e197179ec7f95584f0a4c7809e9b88164b92c5ddd03cb60c66f5779810c528fb7627ee50f14f581b896ae4292fa4f70e7d303774e6fad7f15556c3c

Score

10^/10

rms evasion rat trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	regedit.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000014491-111.dat	acprotect
behavioral1/files/0x00080000000142d6-130.dat	acprotect

Executes dropped EXE 5 IoCs

pid	Process
1348	Rar.exe
1236	gomi.exe
396	gomi.exe
1216	gomi.exe
1144	gomi.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000014504-110.dat	upx
behavioral1/files/0x0006000000014491-111.dat	upx
behavioral1/files/0x000800000001422c-112.dat	upx
behavioral1/files/0x000800000001422c-114.dat	upx
behavioral1/files/0x000800000001422c-116.dat	upx
behavioral1/files/0x000800000001422c-117.dat	upx
behavioral1/files/0x000800000001422c-119.dat	upx
behavioral1/files/0x000800000001422c-124.dat	upx
behavioral1/files/0x000800000001422c-126.dat	upx
behavioral1/files/0x000800000001422c-128.dat	upx
behavioral1/files/0x00080000000142d6-130.dat	upx

Loads dropped DLL 4 IoCs

pid	Process
1748	cmd.exe
1688	cmd.exe
1688	cmd.exe
1688	cmd.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
1472	timeout.exe
872	timeout.exe
1920	timeout.exe
1484	timeout.exe

Kills process with taskkill 10 IoCs

evasion

pid	Process
992	taskkill.exe
1664	taskkill.exe
1560	taskkill.exe
1564	taskkill.exe
1524	taskkill.exe
1328	taskkill.exe
752	taskkill.exe
2004	taskkill.exe
1120	taskkill.exe
1264	taskkill.exe

Runs .reg file with regedit 2 IoCs

pid	Process
1988	regedit.exe
1376	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1236	gomi.exe
1236	gomi.exe
1236	gomi.exe
1236	gomi.exe
396	gomi.exe
396	gomi.exe
1216	gomi.exe
1216	gomi.exe
1144	gomi.exe
1144	gomi.exe
1144	gomi.exe
1144	gomi.exe
1144	gomi.exe
1144	gomi.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1328	taskkill.exe
Token: SeDebugPrivilege	1264	taskkill.exe
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeDebugPrivilege	752	taskkill.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	1120	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	1236	gomi.exe
Token: SeDebugPrivilege	1216	gomi.exe
Token: SeTakeOwnershipPrivilege	1144	gomi.exe
Token: SeTcbPrivilege	1144	gomi.exe
Token: SeTcbPrivilege	1144	gomi.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1236	gomi.exe
396	gomi.exe
1216	gomi.exe
1144	gomi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2000	1984	6dee044e1e077b37eb47648c3debefb74a8ba80be576cbd94dccf4924e158ec5.exe	27
PID 1984 wrote to memory of 2000	1984	6dee044e1e077b37eb47648c3debefb74a8ba80be576cbd94dccf4924e158ec5.exe	27
PID 1984 wrote to memory of 2000	1984	6dee044e1e077b37eb47648c3debefb74a8ba80be576cbd94dccf4924e158ec5.exe	27
PID 1984 wrote to memory of 2000	1984	6dee044e1e077b37eb47648c3debefb74a8ba80be576cbd94dccf4924e158ec5.exe	27
PID 1984 wrote to memory of 2000	1984	6dee044e1e077b37eb47648c3debefb74a8ba80be576cbd94dccf4924e158ec5.exe	27
PID 1984 wrote to memory of 2000	1984	6dee044e1e077b37eb47648c3debefb74a8ba80be576cbd94dccf4924e158ec5.exe	27
PID 1984 wrote to memory of 2000	1984	6dee044e1e077b37eb47648c3debefb74a8ba80be576cbd94dccf4924e158ec5.exe	27
PID 2000 wrote to memory of 1748	2000	WScript.exe	28
PID 2000 wrote to memory of 1748	2000	WScript.exe	28
PID 2000 wrote to memory of 1748	2000	WScript.exe	28
PID 2000 wrote to memory of 1748	2000	WScript.exe	28
PID 2000 wrote to memory of 1748	2000	WScript.exe	28
PID 2000 wrote to memory of 1748	2000	WScript.exe	28
PID 2000 wrote to memory of 1748	2000	WScript.exe	28
PID 1748 wrote to memory of 1348	1748	cmd.exe	30
PID 1748 wrote to memory of 1348	1748	cmd.exe	30
PID 1748 wrote to memory of 1348	1748	cmd.exe	30
PID 1748 wrote to memory of 1348	1748	cmd.exe	30
PID 1748 wrote to memory of 1348	1748	cmd.exe	30
PID 1748 wrote to memory of 1348	1748	cmd.exe	30
PID 1748 wrote to memory of 1348	1748	cmd.exe	30
PID 1748 wrote to memory of 1472	1748	cmd.exe	31
PID 1748 wrote to memory of 1472	1748	cmd.exe	31
PID 1748 wrote to memory of 1472	1748	cmd.exe	31
PID 1748 wrote to memory of 1472	1748	cmd.exe	31
PID 1748 wrote to memory of 1472	1748	cmd.exe	31
PID 1748 wrote to memory of 1472	1748	cmd.exe	31
PID 1748 wrote to memory of 1472	1748	cmd.exe	31
PID 1748 wrote to memory of 456	1748	cmd.exe	32
PID 1748 wrote to memory of 456	1748	cmd.exe	32
PID 1748 wrote to memory of 456	1748	cmd.exe	32
PID 1748 wrote to memory of 456	1748	cmd.exe	32
PID 1748 wrote to memory of 456	1748	cmd.exe	32
PID 1748 wrote to memory of 456	1748	cmd.exe	32
PID 1748 wrote to memory of 456	1748	cmd.exe	32
PID 1748 wrote to memory of 872	1748	cmd.exe	33
PID 1748 wrote to memory of 872	1748	cmd.exe	33
PID 1748 wrote to memory of 872	1748	cmd.exe	33
PID 1748 wrote to memory of 872	1748	cmd.exe	33
PID 1748 wrote to memory of 872	1748	cmd.exe	33
PID 1748 wrote to memory of 872	1748	cmd.exe	33
PID 1748 wrote to memory of 872	1748	cmd.exe	33
PID 456 wrote to memory of 1688	456	WScript.exe	34
PID 456 wrote to memory of 1688	456	WScript.exe	34
PID 456 wrote to memory of 1688	456	WScript.exe	34
PID 456 wrote to memory of 1688	456	WScript.exe	34
PID 456 wrote to memory of 1688	456	WScript.exe	34
PID 456 wrote to memory of 1688	456	WScript.exe	34
PID 456 wrote to memory of 1688	456	WScript.exe	34
PID 1688 wrote to memory of 1840	1688	cmd.exe	36
PID 1688 wrote to memory of 1840	1688	cmd.exe	36
PID 1688 wrote to memory of 1840	1688	cmd.exe	36
PID 1688 wrote to memory of 1840	1688	cmd.exe	36
PID 1688 wrote to memory of 1840	1688	cmd.exe	36
PID 1688 wrote to memory of 1840	1688	cmd.exe	36
PID 1688 wrote to memory of 1840	1688	cmd.exe	36
PID 1688 wrote to memory of 1328	1688	cmd.exe	37
PID 1688 wrote to memory of 1328	1688	cmd.exe	37
PID 1688 wrote to memory of 1328	1688	cmd.exe	37
PID 1688 wrote to memory of 1328	1688	cmd.exe	37
PID 1688 wrote to memory of 1328	1688	cmd.exe	37
PID 1688 wrote to memory of 1328	1688	cmd.exe	37
PID 1688 wrote to memory of 1328	1688	cmd.exe	37
PID 1688 wrote to memory of 1264	1688	cmd.exe	39

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2004	attrib.exe
1776	attrib.exe
1120	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6dee044e1e077b37eb47648c3debefb74a8ba80be576cbd94dccf4924e158ec5.exe
"C:\Users\Admin\AppData\Local\Temp\6dee044e1e077b37eb47648c3debefb74a8ba80be576cbd94dccf4924e158ec5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Log\run.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Log\pause.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Log\Rar.exe
      "Rar.exe" e -p65352493 db.exe
      4⤵
      Executes dropped EXE
      PID:1348
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:1472
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Log\install.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:456
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Log\install.bat" "
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1688
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set allprofiles state off
        6⤵
        
        PID:1840
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rutserv.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rfusclient.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im systemc.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im drivemanag.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im dumprep.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im winlogs.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im gomi.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rfusclient.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
      - C:\Windows\SysWOW64\net.exe
        
        net stop RManService
        6⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RManService
        7⤵
        
        PID:1780
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        6⤵
        
        PID:1980
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\DEVICEMAP" /f
        6⤵
        
        PID:1348
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System" /f
        6⤵
        
        PID:1608
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "regedit.reg"
        6⤵
        Modifies firewall policy service
        Runs .reg file with regedit
        
        PID:1988
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        6⤵
        Delays execution with timeout.exe
        
        PID:1920
      - C:\Folder58\gomi.exe
        
        gomi.exe /silentinstall
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1236
      - C:\Folder58\gomi.exe
        
        gomi.exe /firewall
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:396
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s regedit.reg
        6⤵
        Modifies firewall policy service
        Runs .reg file with regedit
        
        PID:1376
      - C:\Folder58\gomi.exe
        
        gomi.exe /start
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1216
      - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        6⤵
        
        PID:1088
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        6⤵
        
        PID:568
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "RManService"
        6⤵
        
        PID:1732
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:1484
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Folder58\*.*"
        6⤵
        Views/modifies file attributes
        
        PID:2004
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Folder58"
        6⤵
        Views/modifies file attributes
        
        PID:1776
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Log"
        6⤵
        Views/modifies file attributes
        
        PID:1120
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rar.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rar.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:872

C:\Folder58\gomi.exe
C:\Folder58\gomi.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Folder58\gomi.exe

Filesize
1.5MB

MD5
3ab6d8eb36e5b882a7fa063ad05cfc20

SHA1
9e5d7eb702d2332a896b951931ecc9c5fd507bcd

SHA256
c8832c170a07d75ee4d015852fdb996bbef83c463a7bcbcf5757499cc4f73d88

SHA512
937602a16fb1b2009b51e7174121ccd7af73bbb984797c6ef44d3d1e907f19aacf8cdf19f9da1e4df8aa8ec4d5ba1266befc02a3fe4dcc16e18b0d9d79b2802a

Download Submit
C:\Folder58\gomi.exe

Filesize
1.5MB

MD5
3ab6d8eb36e5b882a7fa063ad05cfc20

SHA1
9e5d7eb702d2332a896b951931ecc9c5fd507bcd

SHA256
c8832c170a07d75ee4d015852fdb996bbef83c463a7bcbcf5757499cc4f73d88

SHA512
937602a16fb1b2009b51e7174121ccd7af73bbb984797c6ef44d3d1e907f19aacf8cdf19f9da1e4df8aa8ec4d5ba1266befc02a3fe4dcc16e18b0d9d79b2802a

Download Submit
C:\Folder58\gomi.exe

Filesize
1.5MB

MD5
3ab6d8eb36e5b882a7fa063ad05cfc20

SHA1
9e5d7eb702d2332a896b951931ecc9c5fd507bcd

SHA256
c8832c170a07d75ee4d015852fdb996bbef83c463a7bcbcf5757499cc4f73d88

SHA512
937602a16fb1b2009b51e7174121ccd7af73bbb984797c6ef44d3d1e907f19aacf8cdf19f9da1e4df8aa8ec4d5ba1266befc02a3fe4dcc16e18b0d9d79b2802a

Download Submit
C:\Folder58\gomi.exe

Filesize
1.5MB

MD5
3ab6d8eb36e5b882a7fa063ad05cfc20

SHA1
9e5d7eb702d2332a896b951931ecc9c5fd507bcd

SHA256
c8832c170a07d75ee4d015852fdb996bbef83c463a7bcbcf5757499cc4f73d88

SHA512
937602a16fb1b2009b51e7174121ccd7af73bbb984797c6ef44d3d1e907f19aacf8cdf19f9da1e4df8aa8ec4d5ba1266befc02a3fe4dcc16e18b0d9d79b2802a

Download Submit
C:\Folder58\gomi.exe

Filesize
1.5MB

MD5
3ab6d8eb36e5b882a7fa063ad05cfc20

SHA1
9e5d7eb702d2332a896b951931ecc9c5fd507bcd

SHA256
c8832c170a07d75ee4d015852fdb996bbef83c463a7bcbcf5757499cc4f73d88

SHA512
937602a16fb1b2009b51e7174121ccd7af73bbb984797c6ef44d3d1e907f19aacf8cdf19f9da1e4df8aa8ec4d5ba1266befc02a3fe4dcc16e18b0d9d79b2802a

Download Submit
C:\Folder58\install.bat

Filesize
1KB

MD5
379e05ab18749582bc5aa5ea9fbb33e4

SHA1
d18bd461625d8f83150604e209a1754e60c66fef

SHA256
ff6649a0a1168d490529681ea1c801f19dbd8173a487dc1eeaf86650edca32d9

SHA512
e9645d62b79dcf62d30e7623d5215929c92a449b844165a49e9be245dec891e1f6975db3f2d193c4724f88aac83cc12a30bceb0fac0a63bd5f7661742877ab03

Download Submit
C:\Folder58\regedit.reg

Filesize
12KB

MD5
7d50e31b37b58aa43fcfff52c384f16b

SHA1
c3728f85982747d0f8a1349f160b69e7ea23fdcb

SHA256
472f214e33e6bde4ef55b66473a12f8989d6c2b8364199170f939cd9e843a021

SHA512
572aca3ed267c4389e839682376c3b4ff619825b83bfbebd3968473ca93ea68f09af4f47df16b8526e812aec839ee49771d4749717cf056a81d5a2e05dc05f04

Download Submit
C:\Folder58\vp8encoder.dll

Filesize
593KB

MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
C:\Log\Rar.exe

Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\Log\Rar.exe

Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\Log\db.exe

Filesize
2.4MB

MD5
4e1329f325c2277305ad7a146c4751e8

SHA1
a3fd874ae6d47f3d3a88201584756819c50baf80

SHA256
59167b0516d08e90b91a688a50fdd7eaba892164ad3f96d3e988be89ace24460

SHA512
a4ad13fb9599b0696995d1c889f858d3cab9ddfd2be8e6a42f41062d2a3ab4c54b609fc05bf5d9d2b3b84af25e8250f91eec88868a73d1c013c9759d6d6f5155

Download Submit
C:\Log\gomi.exe

Filesize
1.5MB

MD5
3ab6d8eb36e5b882a7fa063ad05cfc20

SHA1
9e5d7eb702d2332a896b951931ecc9c5fd507bcd

SHA256
c8832c170a07d75ee4d015852fdb996bbef83c463a7bcbcf5757499cc4f73d88

SHA512
937602a16fb1b2009b51e7174121ccd7af73bbb984797c6ef44d3d1e907f19aacf8cdf19f9da1e4df8aa8ec4d5ba1266befc02a3fe4dcc16e18b0d9d79b2802a

Download Submit
C:\Log\install.bat

Filesize
1KB

MD5
379e05ab18749582bc5aa5ea9fbb33e4

SHA1
d18bd461625d8f83150604e209a1754e60c66fef

SHA256
ff6649a0a1168d490529681ea1c801f19dbd8173a487dc1eeaf86650edca32d9

SHA512
e9645d62b79dcf62d30e7623d5215929c92a449b844165a49e9be245dec891e1f6975db3f2d193c4724f88aac83cc12a30bceb0fac0a63bd5f7661742877ab03

Download Submit
C:\Log\install.vbs

Filesize
91B

MD5
1f2c79274a03a035333b15ed68fee8e4

SHA1
2e87549734e5a9e48d4ef75fa9fb06e9cfda2a5b

SHA256
50ec14a13ee65068dc43b7d884fc4d6fa7baa0e5a6095a469ce658dd8d78452f

SHA512
8ddec880f4af6ac1a066c5fa4fc0f57a9c97f038a8098a8a073bfe06bd2353b0ba7dc106ab6eaba5f36e057acb54b023b2a56cfc37df5b04bf5263f12f92b750

Download Submit
C:\Log\pause.bat

Filesize
289B

MD5
d340028ad65d29c89e751a66f89ccd13

SHA1
bd062d9e2909df4819d4c64263c441e16776570e

SHA256
44b5bfeb4d47d3c06d3c0dd0e9f029bad3250ea36d72512d3b62ab701bbaf680

SHA512
3bc53564e5af014f8b8ff8ae6cd4ed9df657611b87b342388df04ebeda5ec0623a4114008fc97a2e133f1d37231982edf1beab9bafd75a49c349ad7a374f8328

Download Submit
C:\Log\regedit.reg

Filesize
12KB

MD5
7d50e31b37b58aa43fcfff52c384f16b

SHA1
c3728f85982747d0f8a1349f160b69e7ea23fdcb

SHA256
472f214e33e6bde4ef55b66473a12f8989d6c2b8364199170f939cd9e843a021

SHA512
572aca3ed267c4389e839682376c3b4ff619825b83bfbebd3968473ca93ea68f09af4f47df16b8526e812aec839ee49771d4749717cf056a81d5a2e05dc05f04

Download Submit
C:\Log\run.vbs

Filesize
84B

MD5
6a5f5a48072a1adae96d2bd88848dcff

SHA1
b381fa864db6c521cbf1133a68acf1db4baa7005

SHA256
c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe

SHA512
d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

Download Submit
C:\Log\vp8encoder.dll

Filesize
593KB

MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
\Folder58\gomi.exe

Filesize
1.5MB

MD5
3ab6d8eb36e5b882a7fa063ad05cfc20

SHA1
9e5d7eb702d2332a896b951931ecc9c5fd507bcd

SHA256
c8832c170a07d75ee4d015852fdb996bbef83c463a7bcbcf5757499cc4f73d88

SHA512
937602a16fb1b2009b51e7174121ccd7af73bbb984797c6ef44d3d1e907f19aacf8cdf19f9da1e4df8aa8ec4d5ba1266befc02a3fe4dcc16e18b0d9d79b2802a

Download Submit
\Folder58\gomi.exe

Filesize
1.5MB

MD5
3ab6d8eb36e5b882a7fa063ad05cfc20

SHA1
9e5d7eb702d2332a896b951931ecc9c5fd507bcd

SHA256
c8832c170a07d75ee4d015852fdb996bbef83c463a7bcbcf5757499cc4f73d88

SHA512
937602a16fb1b2009b51e7174121ccd7af73bbb984797c6ef44d3d1e907f19aacf8cdf19f9da1e4df8aa8ec4d5ba1266befc02a3fe4dcc16e18b0d9d79b2802a

Download Submit
\Folder58\gomi.exe

Filesize
1.5MB

MD5
3ab6d8eb36e5b882a7fa063ad05cfc20

SHA1
9e5d7eb702d2332a896b951931ecc9c5fd507bcd

SHA256
c8832c170a07d75ee4d015852fdb996bbef83c463a7bcbcf5757499cc4f73d88

SHA512
937602a16fb1b2009b51e7174121ccd7af73bbb984797c6ef44d3d1e907f19aacf8cdf19f9da1e4df8aa8ec4d5ba1266befc02a3fe4dcc16e18b0d9d79b2802a

Download Submit
\Log\Rar.exe

Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
memory/1984-54-0x00000000752D1000-0x00000000752D3000-memory.dmp

Filesize
8KB

Download