rms | 09f1f3a51f27caf87008f9543eb415178b4fa85715eaa9ddbb100ffc2f2d0437

Analysis

max time kernel
143s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24/05/2022, 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09f1f3a51f27caf87008f9543eb415178b4fa85715eaa9ddbb100ffc2f2d0437.exe
Size

4.0MB
MD5

8ec454c70b35e6f39e98c5375f730476
SHA1

a3b6297f489c5701294166503e2f691ded393df0
SHA256

09f1f3a51f27caf87008f9543eb415178b4fa85715eaa9ddbb100ffc2f2d0437
SHA512

c95fb98bfe57e87809f960da9dbb7696f17676595e60fe0a0d555a56fe0f2cb8c35ce0beb71b830df35776da3d38f0c34246678aa03b22d56beca015df914faa

Score

10^/10

rms evasion rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 8 IoCs

pid	Process
4324	run.exe
392	data.exe
260	rutserv.exe
4560	rutserv.exe
1900	rutserv.exe
3484	rfusclient.exe
5044	rfusclient.exe
2384	rfusclient.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000022ecf-132.dat	upx
behavioral2/files/0x0007000000022ecf-131.dat	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	run.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	data.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	09f1f3a51f27caf87008f9543eb415178b4fa85715eaa9ddbb100ffc2f2d0437.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\AIMP4\rutserv.exe	cmd.exe
File created	C:\Program Files (x86)\AIMP4\vp8decoder.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\AIMP4\regedit.reg	cmd.exe
File opened for modification	C:\Program Files (x86)\AIMP4	attrib.exe
File created	C:\Program Files (x86)\AIMP4\rfusclient.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\AIMP4\rfusclient.exe	cmd.exe
File created	C:\Program Files (x86)\AIMP4\rutserv.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\AIMP4\vp8decoder.dll	cmd.exe
File created	C:\Program Files (x86)\AIMP4\vp8encoder.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\AIMP4\vp8encoder.dll	cmd.exe
File created	C:\Program Files (x86)\AIMP4\regedit.reg	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
3120	taskkill.exe
1340	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	data.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1560	regedit.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
260	rutserv.exe
260	rutserv.exe
260	rutserv.exe
260	rutserv.exe
260	rutserv.exe
260	rutserv.exe
4560	rutserv.exe
4560	rutserv.exe
1900	rutserv.exe
1900	rutserv.exe
1900	rutserv.exe
1900	rutserv.exe
1900	rutserv.exe
1900	rutserv.exe
3484	rfusclient.exe
3484	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2384	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3120	taskkill.exe
Token: SeDebugPrivilege	1340	taskkill.exe
Token: SeDebugPrivilege	260	rutserv.exe
Token: SeDebugPrivilege	4560	rutserv.exe
Token: SeTakeOwnershipPrivilege	1900	rutserv.exe
Token: SeTcbPrivilege	1900	rutserv.exe
Token: SeTcbPrivilege	1900	rutserv.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
260	rutserv.exe
4560	rutserv.exe
1900	rutserv.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 4324	4384	09f1f3a51f27caf87008f9543eb415178b4fa85715eaa9ddbb100ffc2f2d0437.exe	80
PID 4384 wrote to memory of 4324	4384	09f1f3a51f27caf87008f9543eb415178b4fa85715eaa9ddbb100ffc2f2d0437.exe	80
PID 4384 wrote to memory of 4324	4384	09f1f3a51f27caf87008f9543eb415178b4fa85715eaa9ddbb100ffc2f2d0437.exe	80
PID 4324 wrote to memory of 4408	4324	run.exe	82
PID 4324 wrote to memory of 4408	4324	run.exe	82
PID 4324 wrote to memory of 4408	4324	run.exe	82
PID 4408 wrote to memory of 392	4408	cmd.exe	84
PID 4408 wrote to memory of 392	4408	cmd.exe	84
PID 4408 wrote to memory of 392	4408	cmd.exe	84
PID 392 wrote to memory of 4804	392	data.exe	87
PID 392 wrote to memory of 4804	392	data.exe	87
PID 392 wrote to memory of 4804	392	data.exe	87
PID 4804 wrote to memory of 3408	4804	WScript.exe	89
PID 4804 wrote to memory of 3408	4804	WScript.exe	89
PID 4804 wrote to memory of 3408	4804	WScript.exe	89
PID 3408 wrote to memory of 3120	3408	cmd.exe	91
PID 3408 wrote to memory of 3120	3408	cmd.exe	91
PID 3408 wrote to memory of 3120	3408	cmd.exe	91
PID 3408 wrote to memory of 1340	3408	cmd.exe	92
PID 3408 wrote to memory of 1340	3408	cmd.exe	92
PID 3408 wrote to memory of 1340	3408	cmd.exe	92
PID 3408 wrote to memory of 448	3408	cmd.exe	93
PID 3408 wrote to memory of 448	3408	cmd.exe	93
PID 3408 wrote to memory of 448	3408	cmd.exe	93
PID 3408 wrote to memory of 4912	3408	cmd.exe	94
PID 3408 wrote to memory of 4912	3408	cmd.exe	94
PID 3408 wrote to memory of 4912	3408	cmd.exe	94
PID 3408 wrote to memory of 260	3408	cmd.exe	95
PID 3408 wrote to memory of 260	3408	cmd.exe	95
PID 3408 wrote to memory of 260	3408	cmd.exe	95
PID 3408 wrote to memory of 1560	3408	cmd.exe	96
PID 3408 wrote to memory of 1560	3408	cmd.exe	96
PID 3408 wrote to memory of 1560	3408	cmd.exe	96
PID 3408 wrote to memory of 4560	3408	cmd.exe	97
PID 3408 wrote to memory of 4560	3408	cmd.exe	97
PID 3408 wrote to memory of 4560	3408	cmd.exe	97
PID 1900 wrote to memory of 5044	1900	rutserv.exe	101
PID 1900 wrote to memory of 5044	1900	rutserv.exe	101
PID 1900 wrote to memory of 5044	1900	rutserv.exe	101
PID 1900 wrote to memory of 3484	1900	rutserv.exe	100
PID 1900 wrote to memory of 3484	1900	rutserv.exe	100
PID 1900 wrote to memory of 3484	1900	rutserv.exe	100
PID 3484 wrote to memory of 2384	3484	rfusclient.exe	104
PID 3484 wrote to memory of 2384	3484	rfusclient.exe	104
PID 3484 wrote to memory of 2384	3484	rfusclient.exe	104

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4912	attrib.exe

C:\Users\Admin\AppData\Local\Temp\09f1f3a51f27caf87008f9543eb415178b4fa85715eaa9ddbb100ffc2f2d0437.exe
"C:\Users\Admin\AppData\Local\Temp\09f1f3a51f27caf87008f9543eb415178b4fa85715eaa9ddbb100ffc2f2d0437.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Users\Admin\AppData\Roaming\Windows\control\run.exe
  "C:\Users\Admin\AppData\Roaming\Windows\control\run.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C3B2.tmp\run.bat" "C:\Users\Admin\AppData\Roaming\Windows\control\run.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4408
  - - C:\Users\Admin\AppData\Roaming\Windows\control\data.exe
      data.exe -p0912 -d C:\Users\Admin\AppData\Roaming\Windows\control
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\control\start.vbs"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows\control\install.bat" "
        6⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rutserv.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rfusclient.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        7⤵
        
        PID:448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files (x86)\AIMP4"
        7⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:4912
        
        C:\Program Files (x86)\AIMP4\rutserv.exe
        
        "rutserv.exe" /silentinstall
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:260
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s regedit.reg
        7⤵
        Runs .reg file with regedit
        
        PID:1560
        
        C:\Program Files (x86)\AIMP4\rutserv.exe
        
        "rutserv.exe" /start
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4560

C:\Program Files (x86)\AIMP4\rutserv.exe
"C:\Program Files (x86)\AIMP4\rutserv.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Program Files (x86)\AIMP4\rfusclient.exe
  "C:\Program Files (x86)\AIMP4\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Program Files (x86)\AIMP4\rfusclient.exe
    "C:\Program Files (x86)\AIMP4\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:2384
- C:\Program Files (x86)\AIMP4\rfusclient.exe
  "C:\Program Files (x86)\AIMP4\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  PID:5044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AIMP4\regedit.reg

Filesize
20KB

MD5
c66b1e11597de4f2d855b049e869aae0

SHA1
abb8e58154276e8040bd557d98e3db3bb4833ada

SHA256
6c6124111ae8ab5f9459babb5059e569890aaa2639194ed718434483035fe7e7

SHA512
965734b03a449ca9078cc9d2e4444cdd7b7e8ae425491ec412ff09bde11726e50af5b1916adb3fa91dd3bc09d90319e94caa15e6bb8c6b845f525e7e2a305e48

Download Submit
C:\Program Files (x86)\AIMP4\rfusclient.exe

Filesize
5.3MB

MD5
81ae34db80a0caf1daea63813b0f0775

SHA1
3fa7dae03377484a9cd4d4087996d6c180919892

SHA256
3ade295e9fd9d185ba46fea24efbbb1f98b3b3657ea091a7f563aa78c59c3fd8

SHA512
0a9691f0ab2147918321cba4a074f1509e8959f0f363b30e257f6e79af48873cfcaeee7da537439d41a4f78045c5f969e3be130463a50971d0021a5363e174e2

Download Submit
C:\Program Files (x86)\AIMP4\rfusclient.exe

Filesize
5.3MB

MD5
81ae34db80a0caf1daea63813b0f0775

SHA1
3fa7dae03377484a9cd4d4087996d6c180919892

SHA256
3ade295e9fd9d185ba46fea24efbbb1f98b3b3657ea091a7f563aa78c59c3fd8

SHA512
0a9691f0ab2147918321cba4a074f1509e8959f0f363b30e257f6e79af48873cfcaeee7da537439d41a4f78045c5f969e3be130463a50971d0021a5363e174e2

Download Submit
C:\Program Files (x86)\AIMP4\rfusclient.exe

Filesize
5.3MB

MD5
81ae34db80a0caf1daea63813b0f0775

SHA1
3fa7dae03377484a9cd4d4087996d6c180919892

SHA256
3ade295e9fd9d185ba46fea24efbbb1f98b3b3657ea091a7f563aa78c59c3fd8

SHA512
0a9691f0ab2147918321cba4a074f1509e8959f0f363b30e257f6e79af48873cfcaeee7da537439d41a4f78045c5f969e3be130463a50971d0021a5363e174e2

Download Submit
C:\Program Files (x86)\AIMP4\rfusclient.exe

Filesize
5.3MB

MD5
81ae34db80a0caf1daea63813b0f0775

SHA1
3fa7dae03377484a9cd4d4087996d6c180919892

SHA256
3ade295e9fd9d185ba46fea24efbbb1f98b3b3657ea091a7f563aa78c59c3fd8

SHA512
0a9691f0ab2147918321cba4a074f1509e8959f0f363b30e257f6e79af48873cfcaeee7da537439d41a4f78045c5f969e3be130463a50971d0021a5363e174e2

Download Submit
C:\Program Files (x86)\AIMP4\rutserv.exe

Filesize
6.2MB

MD5
f662011fe19222ed86deca17ab4ad773

SHA1
5dc0ada48deca251e58252698ee5e298f1ebed3d

SHA256
283436d3c74a8a2807c98fab6674ca536c366d3c38f561c04277baa60a4d1f7e

SHA512
d5eadb20f8a481a707c546381b7e9641bf0632221b26e69fbd64b5e938d2a7f9f18445a159558c86717eeb1b7edb29c4035822f7a91365d16f6f548213e16046

Download Submit
C:\Program Files (x86)\AIMP4\rutserv.exe

Filesize
6.2MB

MD5
f662011fe19222ed86deca17ab4ad773

SHA1
5dc0ada48deca251e58252698ee5e298f1ebed3d

SHA256
283436d3c74a8a2807c98fab6674ca536c366d3c38f561c04277baa60a4d1f7e

SHA512
d5eadb20f8a481a707c546381b7e9641bf0632221b26e69fbd64b5e938d2a7f9f18445a159558c86717eeb1b7edb29c4035822f7a91365d16f6f548213e16046

Download Submit
C:\Program Files (x86)\AIMP4\rutserv.exe

Filesize
6.2MB

MD5
f662011fe19222ed86deca17ab4ad773

SHA1
5dc0ada48deca251e58252698ee5e298f1ebed3d

SHA256
283436d3c74a8a2807c98fab6674ca536c366d3c38f561c04277baa60a4d1f7e

SHA512
d5eadb20f8a481a707c546381b7e9641bf0632221b26e69fbd64b5e938d2a7f9f18445a159558c86717eeb1b7edb29c4035822f7a91365d16f6f548213e16046

Download Submit
C:\Program Files (x86)\AIMP4\rutserv.exe

Filesize
6.2MB

MD5
f662011fe19222ed86deca17ab4ad773

SHA1
5dc0ada48deca251e58252698ee5e298f1ebed3d

SHA256
283436d3c74a8a2807c98fab6674ca536c366d3c38f561c04277baa60a4d1f7e

SHA512
d5eadb20f8a481a707c546381b7e9641bf0632221b26e69fbd64b5e938d2a7f9f18445a159558c86717eeb1b7edb29c4035822f7a91365d16f6f548213e16046

Download Submit
C:\Program Files (x86)\AIMP4\vp8decoder.dll

Filesize
368KB

MD5
e48c0e66dbfef46696c92785d158ddc7

SHA1
7a333891d6000603ecb9a9bac3784fff78f88718

SHA256
54911e050fce3345ec0d05c7cd02c2d345921dcf3aca724f072277bda0c6995c

SHA512
98004dabfb09f207997d82f304a57eefdb6e94764ac958c0b314a2e16293454c3e22bb0a6ff1cacfd2f5f675e8f7a8bf6594924ec29e23e11d035fd6c0e4cb66

Download Submit
C:\Program Files (x86)\AIMP4\vp8encoder.dll

Filesize
624KB

MD5
52c276be805fe7b86fed6755bb4211d9

SHA1
34c4fa24890fefba170eb065c546b56ada981777

SHA256
7a30f464ad62611212fbd6db948b814cb0d0e8093ddae9fd0c2ecf320b58d722

SHA512
735a8645419e89a9421ead028658a897e9f894de65fe47f1da23c08065d55cdff02acbe9d0ae75cf388d9bd03ea87121e4f555cbdf862df8add067262fea3cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\C3B2.tmp\run.bat

Filesize
57B

MD5
54de80fdcb656763c621e7b96398762c

SHA1
b0c52a5b3d62a59d7a26ed0c7e29f180ba82af74

SHA256
4079ac72ef75960cea0875b55f7adca6facee3d8e923ebb7b32f3eaa9a5aafa3

SHA512
9e6341fc409f74e4a0c720e9f2764938a405023edf35f0bf18a798676c145f0ed4e0608174041273d8ddd166837a9f8aea5cb1ace7f268896c09c5b10dba940f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\control\data.exe

Filesize
3.9MB

MD5
5e0d4ab57f2afe720079fb707e8f222a

SHA1
979b427cefb8495981e5537ab018647dbc95e9f8

SHA256
f3f50a09def9d09362c73ae694c118fad14bdc16fd0f38af2f52f2e8e7f6ffa2

SHA512
659fd14fed3dcd84ceeab2f2e15a1598257d0f00203eca9ec47f2a253497810ed81e3be7ce598598c380cf9b5d2f8938ad45116504c30e950b3fb4c9ffd09afd

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\control\data.exe

Filesize
3.9MB

MD5
5e0d4ab57f2afe720079fb707e8f222a

SHA1
979b427cefb8495981e5537ab018647dbc95e9f8

SHA256
f3f50a09def9d09362c73ae694c118fad14bdc16fd0f38af2f52f2e8e7f6ffa2

SHA512
659fd14fed3dcd84ceeab2f2e15a1598257d0f00203eca9ec47f2a253497810ed81e3be7ce598598c380cf9b5d2f8938ad45116504c30e950b3fb4c9ffd09afd

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\control\install.bat

Filesize
909B

MD5
fd71f20f31e6df66461ecd495424bfca

SHA1
dd05e97f99ae66c3cd397c09977728d785f3e2fe

SHA256
55fbb24b92be79b023d713cceaf44d669de5c9b154e662c696fc1c23e6bb1dcb

SHA512
6fa3d05a896913d5ed53bc4aed9edd9e39b17f9f3961007b9671f08981db8b50ca24f427925bc5141d31e9f40f1fb4bbbd72d087516dd26845fcca838ec8cde0

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\control\regedit.reg

Filesize
20KB

MD5
c66b1e11597de4f2d855b049e869aae0

SHA1
abb8e58154276e8040bd557d98e3db3bb4833ada

SHA256
6c6124111ae8ab5f9459babb5059e569890aaa2639194ed718434483035fe7e7

SHA512
965734b03a449ca9078cc9d2e4444cdd7b7e8ae425491ec412ff09bde11726e50af5b1916adb3fa91dd3bc09d90319e94caa15e6bb8c6b845f525e7e2a305e48

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\control\rfusclient.exe

Filesize
5.3MB

MD5
81ae34db80a0caf1daea63813b0f0775

SHA1
3fa7dae03377484a9cd4d4087996d6c180919892

SHA256
3ade295e9fd9d185ba46fea24efbbb1f98b3b3657ea091a7f563aa78c59c3fd8

SHA512
0a9691f0ab2147918321cba4a074f1509e8959f0f363b30e257f6e79af48873cfcaeee7da537439d41a4f78045c5f969e3be130463a50971d0021a5363e174e2

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\control\run.exe

Filesize
21KB

MD5
7034935f2ebeccc4fc3dcc843ca00e7b

SHA1
4416dab999c461bb2dc549eff5ec256ffaa8b01d

SHA256
13ecb2bd4e213a11f72a2449faf1704381b84f11599cc114869443f3d39be03b

SHA512
f14cb55b0110c4a24369342ba597a9fbf87cace7847300a86566cf15b670e9827e2c164a17ac84081c74c965ca0c13ea7731e4204fb3ec6b37c606f368515b80

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\control\run.exe

Filesize
21KB

MD5
7034935f2ebeccc4fc3dcc843ca00e7b

SHA1
4416dab999c461bb2dc549eff5ec256ffaa8b01d

SHA256
13ecb2bd4e213a11f72a2449faf1704381b84f11599cc114869443f3d39be03b

SHA512
f14cb55b0110c4a24369342ba597a9fbf87cace7847300a86566cf15b670e9827e2c164a17ac84081c74c965ca0c13ea7731e4204fb3ec6b37c606f368515b80

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\control\rutserv.exe

Filesize
6.2MB

MD5
f662011fe19222ed86deca17ab4ad773

SHA1
5dc0ada48deca251e58252698ee5e298f1ebed3d

SHA256
283436d3c74a8a2807c98fab6674ca536c366d3c38f561c04277baa60a4d1f7e

SHA512
d5eadb20f8a481a707c546381b7e9641bf0632221b26e69fbd64b5e938d2a7f9f18445a159558c86717eeb1b7edb29c4035822f7a91365d16f6f548213e16046

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\control\start.vbs

Filesize
117B

MD5
65fc32766a238ff3e95984e325357dbb

SHA1
3ac16a2648410be8aa75f3e2817fbf69bb0e8922

SHA256
a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420

SHA512
621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\control\vp8decoder.dll

Filesize
368KB

MD5
e48c0e66dbfef46696c92785d158ddc7

SHA1
7a333891d6000603ecb9a9bac3784fff78f88718

SHA256
54911e050fce3345ec0d05c7cd02c2d345921dcf3aca724f072277bda0c6995c

SHA512
98004dabfb09f207997d82f304a57eefdb6e94764ac958c0b314a2e16293454c3e22bb0a6ff1cacfd2f5f675e8f7a8bf6594924ec29e23e11d035fd6c0e4cb66

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\control\vp8encoder.dll

Filesize
624KB

MD5
52c276be805fe7b86fed6755bb4211d9

SHA1
34c4fa24890fefba170eb065c546b56ada981777

SHA256
7a30f464ad62611212fbd6db948b814cb0d0e8093ddae9fd0c2ecf320b58d722

SHA512
735a8645419e89a9421ead028658a897e9f894de65fe47f1da23c08065d55cdff02acbe9d0ae75cf388d9bd03ea87121e4f555cbdf862df8add067262fea3cd9

Download Submit