rms | 42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86

Analysis

max time kernel
150s
max time network
157s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
Size

6.3MB
MD5

c487df0d8110c309c1ea8a872c4430e0
SHA1

21bb67055523e00966a8915581d1fb54f3f26c70
SHA256

42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86
SHA512

d4d4ea62daf89492613fb98c584978e4d0faa52196564a9312f7780a0bcf6141139afb3ec99791a66eac9d6963c75dae8076f994748d453f6fa243539d57c8fd
SSDEEP

196608:zgBdvBXdjCKRk81r3nONoG0pRzxMFrQj+:UnvBXH1r3nOx0pRSv

Score

10^/10

rms evasion rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Blocks application from running via registry modification 3 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "123.exe"	regedit.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 12 IoCs

pid	Process
2020	sorry.exe
1688	start.exe
1604	vopros.exe
1412	error.exe
984	lc13DF.tmp
1936	rutserv.exe
1764	rutserv.exe
1408	rutserv.exe
928	rutserv.exe
1920	rfusclient.exe
592	rfusclient.exe
1780	mail.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000014aaf-111.dat	upx
behavioral1/files/0x0006000000014aaf-113.dat	upx
behavioral1/memory/1936-114-0x0000000000400000-0x0000000000AC9000-memory.dmp	upx
behavioral1/files/0x0006000000014aaf-116.dat	upx
behavioral1/memory/1764-118-0x0000000000400000-0x0000000000AC9000-memory.dmp	upx
behavioral1/memory/1764-119-0x0000000000400000-0x0000000000AC9000-memory.dmp	upx
behavioral1/files/0x0006000000014aaf-121.dat	upx
behavioral1/files/0x0006000000014aaf-123.dat	upx
behavioral1/files/0x000600000001462a-134.dat	upx
behavioral1/files/0x000600000001462a-136.dat	upx
behavioral1/memory/1408-135-0x0000000000400000-0x0000000000AC9000-memory.dmp	upx
behavioral1/files/0x000600000001462a-139.dat	upx
behavioral1/files/0x000600000001462a-143.dat	upx
behavioral1/memory/928-138-0x0000000000400000-0x0000000000AC9000-memory.dmp	upx
behavioral1/files/0x000600000001462a-141.dat	upx
behavioral1/memory/1408-146-0x0000000000400000-0x0000000000AC9000-memory.dmp	upx
behavioral1/memory/1920-147-0x0000000000400000-0x00000000009C9000-memory.dmp	upx
behavioral1/memory/592-148-0x0000000000400000-0x00000000009C9000-memory.dmp	upx
behavioral1/memory/928-163-0x0000000000400000-0x0000000000AC9000-memory.dmp	upx
behavioral1/memory/1920-165-0x0000000000400000-0x00000000009C9000-memory.dmp	upx

Loads dropped DLL 17 IoCs

pid	Process
1752	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
1752	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
1752	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
1752	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
2020	sorry.exe
2020	sorry.exe
2020	sorry.exe
2020	sorry.exe
816	cmd.exe
816	cmd.exe
1588	MsiExec.exe
1588	MsiExec.exe
1588	MsiExec.exe
928	rutserv.exe
928	rutserv.exe
816	cmd.exe
816	cmd.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

AutoIT Executable 18 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0006000000014112-55.dat	autoit_exe
behavioral1/files/0x0006000000014112-56.dat	autoit_exe
behavioral1/files/0x0006000000014112-58.dat	autoit_exe
behavioral1/files/0x0006000000014112-57.dat	autoit_exe
behavioral1/files/0x0006000000014112-60.dat	autoit_exe
behavioral1/files/0x0006000000014112-62.dat	autoit_exe
behavioral1/files/0x000600000001411b-63.dat	autoit_exe
behavioral1/files/0x000600000001411b-64.dat	autoit_exe
behavioral1/files/0x000600000001411b-66.dat	autoit_exe
behavioral1/files/0x000600000001411b-67.dat	autoit_exe
behavioral1/files/0x000600000001411b-65.dat	autoit_exe
behavioral1/files/0x000600000001411b-69.dat	autoit_exe
behavioral1/files/0x00060000000141af-78.dat	autoit_exe
behavioral1/files/0x00060000000141af-77.dat	autoit_exe
behavioral1/files/0x00060000000141af-80.dat	autoit_exe
behavioral1/files/0x0006000000014209-83.dat	autoit_exe
behavioral1/files/0x0006000000014209-82.dat	autoit_exe
behavioral1/files/0x0006000000014209-85.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\System Settings\webmvorbisencoder.dll	msiexec.exe
File created	C:\Windows\SysWOW64\System Settings\vp8encoder.dll	msiexec.exe
File created	C:\Windows\SysWOW64\System Settings\vp8decoder.dll	msiexec.exe
File created	C:\Windows\SysWOW64\System Settings\rutserv.exe	msiexec.exe
File created	C:\Windows\SysWOW64\System Settings\webmmux.dll	msiexec.exe
File created	C:\Windows\SysWOW64\System Settings\RWLN.dll	msiexec.exe
File created	C:\Windows\SysWOW64\System Settings\RIPCServer.dll	msiexec.exe
File created	C:\Windows\SysWOW64\System Settings\rfusclient.exe	msiexec.exe
File created	C:\Windows\SysWOW64\System Settings\webmvorbisdecoder.dll	msiexec.exe

Drops file in Windows directory 35 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft777\Microsoft.vbs	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
File opened for modification	C:\Windows\Microsoft777\Microsoft.vbs	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
File opened for modification	C:\Windows\Microsoft777\setup.msi	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
File opened for modification	C:\Windows\Microsoft777\777.reg	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
File opened for modification	C:\Windows\Installer\{34131A4A-1F13-4CDE-A408-2FC1BFCC6F07}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Microsoft777\sorry.exe	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
File opened for modification	C:\Windows\Microsoft777\install.cmd	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
File created	C:\Windows\Installer\6d060c.ipi	msiexec.exe
File created	C:\Windows\Microsoft777\__tmp_rar_sfx_access_check_7118528	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
File created	C:\Windows\Microsoft777\mail.exe	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
File opened for modification	C:\Windows\Microsoft777\mail.exe	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
File opened for modification	C:\Windows\Installer\MSI12C7.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft777\sorry.exe	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
File created	C:\Windows\Microsoft777\777.reg	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
File created	C:\Windows\Microsoft777\error.exe	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
File opened for modification	C:\Windows\Microsoft777\error.exe	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
File created	C:\Windows\Microsoft777\install.cmd	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
File created	C:\Windows\Installer\6d060e.msi	msiexec.exe
File created	C:\Windows\Microsoft777\install.vbs	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
File opened for modification	C:\Windows\Microsoft777\start.exe	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
File opened for modification	C:\Windows\Microsoft777\vopros.exe	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
File opened for modification	C:\Windows\Installer\MSI16ED.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6d060c.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Microsoft777\mail.EXE	mail.exe
File opened for modification	C:\Windows\Microsoft777\install.vbs	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
File created	C:\Windows\Microsoft777\setup.msi	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
File created	C:\Windows\Microsoft777\start.exe	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
File created	C:\Windows\Microsoft777\vopros.exe	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
File opened for modification	C:\Windows\Microsoft777\winmgmts:\root\cimv2	sorry.exe
File opened for modification	C:\Windows\Installer\6d060a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft777	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
File created	C:\Windows\Installer\6d060a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI13B2.tmp	msiexec.exe
File created	C:\Windows\Installer\{34131A4A-1F13-4CDE-A408-2FC1BFCC6F07}\ARPPRODUCTICON.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4A1314331F1EDC44A80F21CFBCCF670\ProductName = "MultiHack"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4A1314331F1EDC44A80F21CFBCCF670\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4A1314331F1EDC44A80F21CFBCCF670\SourceList\PackageName = "setup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4A1314331F1EDC44A80F21CFBCCF670\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4A1314331F1EDC44A80F21CFBCCF670\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4A1314331F1EDC44A80F21CFBCCF670\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4A1314331F1EDC44A80F21CFBCCF670\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4A1314331F1EDC44A80F21CFBCCF670\SourceList\LastUsedSource = "n;1;C:\\Windows\\Microsoft777\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\A4A1314331F1EDC44A80F21CFBCCF670	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4A1314331F1EDC44A80F21CFBCCF670\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4A1314331F1EDC44A80F21CFBCCF670\PackageCode = "8C0502D55BE2DEB4ABF890E2DE3B1B83"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4A1314331F1EDC44A80F21CFBCCF670\Language = "1049"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4A1314331F1EDC44A80F21CFBCCF670\Version = "34144256"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4A1314331F1EDC44A80F21CFBCCF670\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4A1314331F1EDC44A80F21CFBCCF670\ProductIcon = "C:\\Windows\\Installer\\{34131A4A-1F13-4CDE-A408-2FC1BFCC6F07}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4A1314331F1EDC44A80F21CFBCCF670\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4A1314331F1EDC44A80F21CFBCCF670\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A4A1314331F1EDC44A80F21CFBCCF670	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A4A1314331F1EDC44A80F21CFBCCF670\RMS	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4A1314331F1EDC44A80F21CFBCCF670	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4A1314331F1EDC44A80F21CFBCCF670\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4A1314331F1EDC44A80F21CFBCCF670\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4A1314331F1EDC44A80F21CFBCCF670\SourceList\Net\1 = "C:\\Windows\\Microsoft777\\"	msiexec.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
944	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft777\winmgmts:\root\cimv2	sorry.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1528	regedit.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1976	PING.EXE
656	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
520	msiexec.exe
520	msiexec.exe
1936	rutserv.exe
1936	rutserv.exe
1936	rutserv.exe
1936	rutserv.exe
1764	rutserv.exe
1764	rutserv.exe
1408	rutserv.exe
1408	rutserv.exe
928	rutserv.exe
928	rutserv.exe
928	rutserv.exe
928	rutserv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1604	vopros.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2016	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2016	msiexec.exe
Token: SeRestorePrivilege	520	msiexec.exe
Token: SeTakeOwnershipPrivilege	520	msiexec.exe
Token: SeSecurityPrivilege	520	msiexec.exe
Token: SeCreateTokenPrivilege	2016	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2016	msiexec.exe
Token: SeLockMemoryPrivilege	2016	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2016	msiexec.exe
Token: SeMachineAccountPrivilege	2016	msiexec.exe
Token: SeTcbPrivilege	2016	msiexec.exe
Token: SeSecurityPrivilege	2016	msiexec.exe
Token: SeTakeOwnershipPrivilege	2016	msiexec.exe
Token: SeLoadDriverPrivilege	2016	msiexec.exe
Token: SeSystemProfilePrivilege	2016	msiexec.exe
Token: SeSystemtimePrivilege	2016	msiexec.exe
Token: SeProfSingleProcessPrivilege	2016	msiexec.exe
Token: SeIncBasePriorityPrivilege	2016	msiexec.exe
Token: SeCreatePagefilePrivilege	2016	msiexec.exe
Token: SeCreatePermanentPrivilege	2016	msiexec.exe
Token: SeBackupPrivilege	2016	msiexec.exe
Token: SeRestorePrivilege	2016	msiexec.exe
Token: SeShutdownPrivilege	2016	msiexec.exe
Token: SeDebugPrivilege	2016	msiexec.exe
Token: SeAuditPrivilege	2016	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2016	msiexec.exe
Token: SeChangeNotifyPrivilege	2016	msiexec.exe
Token: SeRemoteShutdownPrivilege	2016	msiexec.exe
Token: SeUndockPrivilege	2016	msiexec.exe
Token: SeSyncAgentPrivilege	2016	msiexec.exe
Token: SeEnableDelegationPrivilege	2016	msiexec.exe
Token: SeManageVolumePrivilege	2016	msiexec.exe
Token: SeImpersonatePrivilege	2016	msiexec.exe
Token: SeCreateGlobalPrivilege	2016	msiexec.exe
Token: SeShutdownPrivilege	972	msiexec.exe
Token: SeIncreaseQuotaPrivilege	972	msiexec.exe
Token: SeCreateTokenPrivilege	972	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	972	msiexec.exe
Token: SeLockMemoryPrivilege	972	msiexec.exe
Token: SeIncreaseQuotaPrivilege	972	msiexec.exe
Token: SeMachineAccountPrivilege	972	msiexec.exe
Token: SeTcbPrivilege	972	msiexec.exe
Token: SeSecurityPrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeLoadDriverPrivilege	972	msiexec.exe
Token: SeSystemProfilePrivilege	972	msiexec.exe
Token: SeSystemtimePrivilege	972	msiexec.exe
Token: SeProfSingleProcessPrivilege	972	msiexec.exe
Token: SeIncBasePriorityPrivilege	972	msiexec.exe
Token: SeCreatePagefilePrivilege	972	msiexec.exe
Token: SeCreatePermanentPrivilege	972	msiexec.exe
Token: SeBackupPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeShutdownPrivilege	972	msiexec.exe
Token: SeDebugPrivilege	972	msiexec.exe
Token: SeAuditPrivilege	972	msiexec.exe
Token: SeSystemEnvironmentPrivilege	972	msiexec.exe
Token: SeChangeNotifyPrivilege	972	msiexec.exe
Token: SeRemoteShutdownPrivilege	972	msiexec.exe
Token: SeUndockPrivilege	972	msiexec.exe
Token: SeSyncAgentPrivilege	972	msiexec.exe
Token: SeEnableDelegationPrivilege	972	msiexec.exe
Token: SeManageVolumePrivilege	972	msiexec.exe
Token: SeImpersonatePrivilege	972	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1936	rutserv.exe
1764	rutserv.exe
1408	rutserv.exe
928	rutserv.exe
1780	mail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2020	1752	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe	26
PID 1752 wrote to memory of 2020	1752	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe	26
PID 1752 wrote to memory of 2020	1752	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe	26
PID 1752 wrote to memory of 2020	1752	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe	26
PID 1752 wrote to memory of 2020	1752	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe	26
PID 1752 wrote to memory of 2020	1752	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe	26
PID 1752 wrote to memory of 2020	1752	42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe	26
PID 2020 wrote to memory of 1688	2020	sorry.exe	27
PID 2020 wrote to memory of 1688	2020	sorry.exe	27
PID 2020 wrote to memory of 1688	2020	sorry.exe	27
PID 2020 wrote to memory of 1688	2020	sorry.exe	27
PID 2020 wrote to memory of 1688	2020	sorry.exe	27
PID 2020 wrote to memory of 1688	2020	sorry.exe	27
PID 2020 wrote to memory of 1688	2020	sorry.exe	27
PID 1688 wrote to memory of 612	1688	start.exe	28
PID 1688 wrote to memory of 612	1688	start.exe	28
PID 1688 wrote to memory of 612	1688	start.exe	28
PID 1688 wrote to memory of 612	1688	start.exe	28
PID 1688 wrote to memory of 612	1688	start.exe	28
PID 1688 wrote to memory of 612	1688	start.exe	28
PID 1688 wrote to memory of 612	1688	start.exe	28
PID 612 wrote to memory of 816	612	WScript.exe	30
PID 612 wrote to memory of 816	612	WScript.exe	30
PID 612 wrote to memory of 816	612	WScript.exe	30
PID 612 wrote to memory of 816	612	WScript.exe	30
PID 612 wrote to memory of 816	612	WScript.exe	30
PID 612 wrote to memory of 816	612	WScript.exe	30
PID 612 wrote to memory of 816	612	WScript.exe	30
PID 816 wrote to memory of 1604	816	cmd.exe	32
PID 816 wrote to memory of 1604	816	cmd.exe	32
PID 816 wrote to memory of 1604	816	cmd.exe	32
PID 816 wrote to memory of 1604	816	cmd.exe	32
PID 816 wrote to memory of 1604	816	cmd.exe	32
PID 816 wrote to memory of 1604	816	cmd.exe	32
PID 816 wrote to memory of 1604	816	cmd.exe	32
PID 816 wrote to memory of 1412	816	cmd.exe	33
PID 816 wrote to memory of 1412	816	cmd.exe	33
PID 816 wrote to memory of 1412	816	cmd.exe	33
PID 816 wrote to memory of 1412	816	cmd.exe	33
PID 816 wrote to memory of 1412	816	cmd.exe	33
PID 816 wrote to memory of 1412	816	cmd.exe	33
PID 816 wrote to memory of 1412	816	cmd.exe	33
PID 816 wrote to memory of 1540	816	cmd.exe	34
PID 816 wrote to memory of 1540	816	cmd.exe	34
PID 816 wrote to memory of 1540	816	cmd.exe	34
PID 816 wrote to memory of 1540	816	cmd.exe	34
PID 816 wrote to memory of 1540	816	cmd.exe	34
PID 816 wrote to memory of 1540	816	cmd.exe	34
PID 816 wrote to memory of 1540	816	cmd.exe	34
PID 816 wrote to memory of 2016	816	cmd.exe	35
PID 816 wrote to memory of 2016	816	cmd.exe	35
PID 816 wrote to memory of 2016	816	cmd.exe	35
PID 816 wrote to memory of 2016	816	cmd.exe	35
PID 816 wrote to memory of 2016	816	cmd.exe	35
PID 816 wrote to memory of 2016	816	cmd.exe	35
PID 816 wrote to memory of 2016	816	cmd.exe	35
PID 816 wrote to memory of 972	816	cmd.exe	37
PID 816 wrote to memory of 972	816	cmd.exe	37
PID 816 wrote to memory of 972	816	cmd.exe	37
PID 816 wrote to memory of 972	816	cmd.exe	37
PID 816 wrote to memory of 972	816	cmd.exe	37
PID 816 wrote to memory of 972	816	cmd.exe	37
PID 816 wrote to memory of 972	816	cmd.exe	37
PID 816 wrote to memory of 656	816	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe
"C:\Users\Admin\AppData\Local\Temp\42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\Microsoft777\sorry.exe
  "C:\Windows\Microsoft777\sorry.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\Microsoft777\start.exe
    "C:\Windows\Microsoft777\start.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\Microsoft777\install.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:612
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\Microsoft777\install.cmd" "
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:816
      - C:\Windows\Microsoft777\vopros.exe
        
        vopros.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1604
      - C:\Windows\Microsoft777\error.exe
        
        error.exe
        6⤵
        Executes dropped EXE
        
        PID:1412
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\Microsoft777\Microsoft.vbs"
        6⤵
        
        PID:1540
      - C:\Windows\SysWOW64\msiexec.exe
        
        MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
      - C:\Windows\SysWOW64\msiexec.exe
        
        MsiExec /x {B159125C-6EAA-409F-8F12-C5388879372F} /qn REBOOT=ReallySuppress
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:656
      - C:\Windows\SysWOW64\msiexec.exe
        
        MsiExec /I "setup.msi" /qn
        6⤵
        
        PID:1668
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1976
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s 777.reg
        6⤵
        Blocks application from running via registry modification
        Runs .reg file with regedit
        
        PID:1528
      - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /f
        6⤵
        Modifies registry key
        
        PID:944
      - C:\Windows\Microsoft777\mail.exe
        
        mail.exe
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1780

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:520
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0546B2A871CF24DB12C29FD7DDE9FC74
  2⤵
  - Loads dropped DLL
  PID:1588
- - C:\Users\Admin\AppData\Local\Temp\lc13DF.tmp
    "C:\Users\Admin\AppData\Local\Temp\lc13DF.tmp"
    3⤵
    - Executes dropped EXE
    PID:984
- C:\Windows\SysWOW64\System Settings\rutserv.exe
  "C:\Windows\SysWOW64\System Settings\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1936
- C:\Windows\SysWOW64\System Settings\rutserv.exe
  "C:\Windows\SysWOW64\System Settings\rutserv.exe" /firewall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1764
- C:\Windows\SysWOW64\System Settings\rutserv.exe
  "C:\Windows\SysWOW64\System Settings\rutserv.exe" /start
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1408

C:\Windows\SysWOW64\System Settings\rutserv.exe
"C:\Windows\SysWOW64\System Settings\rutserv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:928
- C:\Windows\SysWOW64\System Settings\rfusclient.exe
  "C:\Windows\SysWOW64\System Settings\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  PID:592
- C:\Windows\SysWOW64\System Settings\rfusclient.exe
  "C:\Windows\SysWOW64\System Settings\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lc13DF.tmp

Filesize
12KB

MD5
f5683f66d320bd271e6b8a27af3e0c27

SHA1
4c59ccad1f576a9ff947fe2b4dab2e75ec4e6579

SHA256
fdc7d2b60f60b052b97a6af34caebc9bdbab08c381172c8cf02cdf7d5aee1706

SHA512
fb8323201bb5b6bccc626c3d364e89da0edafcc5073f76d9c40a458a9868d7bbc4e16388f44a44b6c134b2fbd8d4ab202d7cd5ee2e285c325153623a4b4eda35

Download Submit
C:\Windows\Installer\MSI12C7.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
C:\Windows\Installer\MSI13B2.tmp

Filesize
91KB

MD5
3fe30e3727ac3e4a3b6e832b6a14a1c4

SHA1
a27a7f7193f5255f4a7b4150a000998cb4a420cc

SHA256
b3bc41b77a13c3a45d43fd2a7b1cdf37f5212798c602282e0e0d1ec52a4dbb8f

SHA512
b842766faeb6ce7f641854f8d120d8c34808773d4c0916b3097f04f398bdf36e92405804ef998607ebbbf5299b42bdf35420f4cc99e4a82f1508b55a058e6827

Download Submit
C:\Windows\Microsoft777\777.reg

Filesize
1KB

MD5
2bfa8662bf8f25a54b094b5907116cfe

SHA1
ab7fc4ffc106a26543397b24b8a2ec285de77cf2

SHA256
2d968864e53baf0d76eb60672ddd083ad5ab95e9bf886176753fed85497efde7

SHA512
32afdde6633378df2ae62962989f884df7b1fe5fc14c19ddce30d708fe255891f3b899941fd201cf47e51bb2db7ca55c8f6314ee4cc1b24c1d79298f9b69d3eb

Download Submit
C:\Windows\Microsoft777\Microsoft.vbs

Filesize
207B

MD5
af155221c6cdddd509f1deac92e7c0fc

SHA1
c630951b546fa410d8e7c68f05b15a9ccbe3c5e1

SHA256
7d676428a2b0f9ae917619d3d1b5ddc996c738bd7f6c3dfe84c74fde345a64ed

SHA512
2a16fbaa214e00794df1484eca0fac86a46b7e2ff55f629f2eff2a11e54af1ff2215511baabba9316ceb3e48e293e47f858f6b1bf5d5801d6265d65521f2e5d6

Download Submit
C:\Windows\Microsoft777\error.exe

Filesize
839KB

MD5
bd69d45fb9381151c0b7598960e9092f

SHA1
6ee8ad2b2287a99fe188167927d34728ade686a4

SHA256
9ca7b939153fde3eb5e8d93a34c490fe66ebfd13d5bc63a6b33417c29415e81a

SHA512
05f264fac4b9d3bb5aa5ddd120518a5f09b6e7a696f00301cde9bce89d4720064eb39175e0bb215d5120764e0043236d129fa674b615d57a671a0e9e9f12bfed

Download Submit
C:\Windows\Microsoft777\error.exe

Filesize
839KB

MD5
bd69d45fb9381151c0b7598960e9092f

SHA1
6ee8ad2b2287a99fe188167927d34728ade686a4

SHA256
9ca7b939153fde3eb5e8d93a34c490fe66ebfd13d5bc63a6b33417c29415e81a

SHA512
05f264fac4b9d3bb5aa5ddd120518a5f09b6e7a696f00301cde9bce89d4720064eb39175e0bb215d5120764e0043236d129fa674b615d57a671a0e9e9f12bfed

Download Submit
C:\Windows\Microsoft777\install.cmd

Filesize
415B

MD5
4bbe0dc072b85a5410d66aa36c996846

SHA1
8a415cdad3e284c97fb72bb1e2968c92bd395ccb

SHA256
fd07eaa604523569ec3e2d25c72d335ad5a8dd2ffa1b7e9939b2ab6b63a3ff87

SHA512
810d8afb1db6015e432def545d07b569e6e4bbf3c39326a1cf14004b640a7f53918cf27e9785487b5a5f06e3db81b6824b07e97f11a893be2266706801916d0d

Download Submit
C:\Windows\Microsoft777\install.vbs

Filesize
114B

MD5
6e893ee4f32605a432dd2d97869a0a83

SHA1
e30c9e197f0e9643969a7c4d4ce759f3724c4e56

SHA256
9127171760e91482149f3dcb835bd2896e6e2dd83a83b5bcbbbe2068da11db91

SHA512
4490e80135eb19f4d32145e66248531f19d5a359e662c48e7e0e77fe8804dcfbd275caf0c5c7f7066d4e5eaf04512a1ddc3fd12fc699974f15c2d071723c4101

Download Submit
C:\Windows\Microsoft777\mail.exe

Filesize
907KB

MD5
eb40c7410b4bf634ed8f9f2712689e3a

SHA1
76434c54f402ecbda56cec9b6fbac7b4006c4821

SHA256
3c7d6e1b5eac2976a2a7d10541faeaf5dd43596f5274d0830e81dd5608c2064f

SHA512
c8885be51daca45fade846bb857d2faee9adbe6d5f9f817c61052261857fe1abadce646ffbc54d98acfa9aba6945a4bda0b093cad2e1c3f42077e0fc67fc88d4

Download Submit
C:\Windows\Microsoft777\mail.exe

Filesize
907KB

MD5
eb40c7410b4bf634ed8f9f2712689e3a

SHA1
76434c54f402ecbda56cec9b6fbac7b4006c4821

SHA256
3c7d6e1b5eac2976a2a7d10541faeaf5dd43596f5274d0830e81dd5608c2064f

SHA512
c8885be51daca45fade846bb857d2faee9adbe6d5f9f817c61052261857fe1abadce646ffbc54d98acfa9aba6945a4bda0b093cad2e1c3f42077e0fc67fc88d4

Download Submit
C:\Windows\Microsoft777\setup.msi

Filesize
5.2MB

MD5
38817a0a333ea9d46d72a4ca474f8e03

SHA1
4188718462a8e2c85d904b065a9fac602c0e194f

SHA256
4ff14ad66ca1a136bc3a72750d91ddaf5927c8eaf106f9c383442dca0a812b47

SHA512
a041f248e0846589446adf0bd7a813c1d743efece6dc200feb4f059bf252322095d445d56d02717a544b8521849a7b1119b168d607db745440d2cd2b987f977c

Download Submit
C:\Windows\Microsoft777\sorry.exe

Filesize
840KB

MD5
092fd2e08c599a8d4659bb4647cd53c0

SHA1
058cdc66abf3b34a09d83c0bcf03c99cd65a6806

SHA256
8617d193fb46ca516aa9f5fa38bb8335b92e6d016c382a9a5f5601d9c506ad9f

SHA512
bdd9fe6560dc75f1bdd229037d20edaaaafc86bdc4e4703f45c575fa423ccbe4628567315a50142f497c295f3a1d276b798fce6aa24841c83bea4dd23424b79d

Download Submit
C:\Windows\Microsoft777\sorry.exe

Filesize
840KB

MD5
092fd2e08c599a8d4659bb4647cd53c0

SHA1
058cdc66abf3b34a09d83c0bcf03c99cd65a6806

SHA256
8617d193fb46ca516aa9f5fa38bb8335b92e6d016c382a9a5f5601d9c506ad9f

SHA512
bdd9fe6560dc75f1bdd229037d20edaaaafc86bdc4e4703f45c575fa423ccbe4628567315a50142f497c295f3a1d276b798fce6aa24841c83bea4dd23424b79d

Download Submit
C:\Windows\Microsoft777\start.exe

Filesize
839KB

MD5
756974a4c907f2cb8053a3e5ef3f61d4

SHA1
c42f3922584bf89c75f4c232ad1aa59c91fb4298

SHA256
c98d7b9490933987f84f77952d6dbe5d77331abf2d604e43db8f28a60917de92

SHA512
f5059efcaad4068046ea5248b697eee2cacdf48775ff746d4a7c91e826c2d8c77ebb00b6e88fbae0b510bfc8308a958fbda74ac3802bd1930696d7ce6e756d61

Download Submit
C:\Windows\Microsoft777\start.exe

Filesize
839KB

MD5
756974a4c907f2cb8053a3e5ef3f61d4

SHA1
c42f3922584bf89c75f4c232ad1aa59c91fb4298

SHA256
c98d7b9490933987f84f77952d6dbe5d77331abf2d604e43db8f28a60917de92

SHA512
f5059efcaad4068046ea5248b697eee2cacdf48775ff746d4a7c91e826c2d8c77ebb00b6e88fbae0b510bfc8308a958fbda74ac3802bd1930696d7ce6e756d61

Download Submit
C:\Windows\Microsoft777\vopros.exe

Filesize
839KB

MD5
b3db041c2a2c537ede3d9d1a8a3339fa

SHA1
a2eda9d10571dbecd9cc480ad58d430ee73400c4

SHA256
b7243be292f82a4c529ca1800361e197991aece3cb3272084cad61274fc22ebb

SHA512
6238d211f2b598ffbc82c1bfb8e7b7a4d94b5f88114170c57f0552de4ad60ebee147b112f4111e6e7d3b4f12193f4f6171abc8abc947cff54bf9976e03ab5182

Download Submit
C:\Windows\Microsoft777\vopros.exe

Filesize
839KB

MD5
b3db041c2a2c537ede3d9d1a8a3339fa

SHA1
a2eda9d10571dbecd9cc480ad58d430ee73400c4

SHA256
b7243be292f82a4c529ca1800361e197991aece3cb3272084cad61274fc22ebb

SHA512
6238d211f2b598ffbc82c1bfb8e7b7a4d94b5f88114170c57f0552de4ad60ebee147b112f4111e6e7d3b4f12193f4f6171abc8abc947cff54bf9976e03ab5182

Download Submit
C:\Windows\SysWOW64\System Settings\RIPCServer.dll

Filesize
144KB

MD5
de0e701b512a180ee324a7db45ac3723

SHA1
b448c0a5e98526181c1f71db8ca47b3247519dbd

SHA256
5d5d86ddae52ccbed8fe1638926da9390c01b828dcd62fe6392f582f9ed58d2f

SHA512
2d86f0bc35bd05d8a3d40d4403def974d621abfa21f01683f6f5f9f4622149f39fc42de50edf37259127a369478e45f633ca79570727b811a431a95764778506

Download Submit
C:\Windows\SysWOW64\System Settings\RWLN.dll

Filesize
975KB

MD5
cb8a716e0ae37612e87814977d96fc77

SHA1
5345318ff76b675828fb9dbb2df90cdc0c0a75b2

SHA256
a636f7d68bc44da7fff43b8acc0cde7656668147f9cffeae22f3e186cc83ccfb

SHA512
354cd8a4c249c11793be06cd8291168d2add024aa23b88dd01068582f7c13ae1dc71482217578823afe01086f12e4f8fd3582bf5b11067e29d9bf3b26ca88682

Download Submit
C:\Windows\SysWOW64\System Settings\rfusclient.exe

Filesize
1.5MB

MD5
f0df2dafed9a5d7b3086a469f9a3632d

SHA1
1912a04e0a7efdd9550dd01c6aa95809b3942332

SHA256
ab51901a985325d0170d3631c744766c8e6a0c8a19aa603c2a935e76509903ba

SHA512
1e677faef34767ae3bb91f23e6affd1598262da022c107a6a512bb226a9af49e4c9d5bbdf3577f1cd239176fb7e75833cb914f24884665f7fc9e81b97b75c20e

Download Submit
C:\Windows\SysWOW64\System Settings\rfusclient.exe

Filesize
1.5MB

MD5
f0df2dafed9a5d7b3086a469f9a3632d

SHA1
1912a04e0a7efdd9550dd01c6aa95809b3942332

SHA256
ab51901a985325d0170d3631c744766c8e6a0c8a19aa603c2a935e76509903ba

SHA512
1e677faef34767ae3bb91f23e6affd1598262da022c107a6a512bb226a9af49e4c9d5bbdf3577f1cd239176fb7e75833cb914f24884665f7fc9e81b97b75c20e

Download Submit
C:\Windows\SysWOW64\System Settings\rfusclient.exe

Filesize
1.5MB

MD5
f0df2dafed9a5d7b3086a469f9a3632d

SHA1
1912a04e0a7efdd9550dd01c6aa95809b3942332

SHA256
ab51901a985325d0170d3631c744766c8e6a0c8a19aa603c2a935e76509903ba

SHA512
1e677faef34767ae3bb91f23e6affd1598262da022c107a6a512bb226a9af49e4c9d5bbdf3577f1cd239176fb7e75833cb914f24884665f7fc9e81b97b75c20e

Download Submit
C:\Windows\SysWOW64\System Settings\rutserv.exe

Filesize
1.6MB

MD5
4fdcba1e3699c0d92f5ab670fc0347fb

SHA1
f482fb6ce980ef9842a73ca7d2e91f66ee324e9e

SHA256
b54ffbf0e6c3a2952b592af79f8ec72ce4451251cee9130db803b123e4aadbd4

SHA512
b898fc39903d92c84f76fb0421691eca5c24fd8f4a6c470e6b1ff1443a4e17a13a78b2071d1c04b17bb15091916f34d1380c9277bcbdac8cb3c0b0502fd0014b

Download Submit
C:\Windows\SysWOW64\System Settings\rutserv.exe

Filesize
1.6MB

MD5
4fdcba1e3699c0d92f5ab670fc0347fb

SHA1
f482fb6ce980ef9842a73ca7d2e91f66ee324e9e

SHA256
b54ffbf0e6c3a2952b592af79f8ec72ce4451251cee9130db803b123e4aadbd4

SHA512
b898fc39903d92c84f76fb0421691eca5c24fd8f4a6c470e6b1ff1443a4e17a13a78b2071d1c04b17bb15091916f34d1380c9277bcbdac8cb3c0b0502fd0014b

Download Submit
C:\Windows\SysWOW64\System Settings\rutserv.exe

Filesize
1.6MB

MD5
4fdcba1e3699c0d92f5ab670fc0347fb

SHA1
f482fb6ce980ef9842a73ca7d2e91f66ee324e9e

SHA256
b54ffbf0e6c3a2952b592af79f8ec72ce4451251cee9130db803b123e4aadbd4

SHA512
b898fc39903d92c84f76fb0421691eca5c24fd8f4a6c470e6b1ff1443a4e17a13a78b2071d1c04b17bb15091916f34d1380c9277bcbdac8cb3c0b0502fd0014b

Download Submit
C:\Windows\SysWOW64\System Settings\rutserv.exe

Filesize
1.6MB

MD5
4fdcba1e3699c0d92f5ab670fc0347fb

SHA1
f482fb6ce980ef9842a73ca7d2e91f66ee324e9e

SHA256
b54ffbf0e6c3a2952b592af79f8ec72ce4451251cee9130db803b123e4aadbd4

SHA512
b898fc39903d92c84f76fb0421691eca5c24fd8f4a6c470e6b1ff1443a4e17a13a78b2071d1c04b17bb15091916f34d1380c9277bcbdac8cb3c0b0502fd0014b

Download Submit
C:\Windows\SysWOW64\System Settings\rutserv.exe

Filesize
1.6MB

MD5
4fdcba1e3699c0d92f5ab670fc0347fb

SHA1
f482fb6ce980ef9842a73ca7d2e91f66ee324e9e

SHA256
b54ffbf0e6c3a2952b592af79f8ec72ce4451251cee9130db803b123e4aadbd4

SHA512
b898fc39903d92c84f76fb0421691eca5c24fd8f4a6c470e6b1ff1443a4e17a13a78b2071d1c04b17bb15091916f34d1380c9277bcbdac8cb3c0b0502fd0014b

Download Submit
C:\Windows\SysWOW64\System Settings\vp8decoder.dll

Filesize
368KB

MD5
e48c0e66dbfef46696c92785d158ddc7

SHA1
7a333891d6000603ecb9a9bac3784fff78f88718

SHA256
54911e050fce3345ec0d05c7cd02c2d345921dcf3aca724f072277bda0c6995c

SHA512
98004dabfb09f207997d82f304a57eefdb6e94764ac958c0b314a2e16293454c3e22bb0a6ff1cacfd2f5f675e8f7a8bf6594924ec29e23e11d035fd6c0e4cb66

Download Submit
C:\Windows\SysWOW64\System Settings\vp8encoder.dll

Filesize
624KB

MD5
52c276be805fe7b86fed6755bb4211d9

SHA1
34c4fa24890fefba170eb065c546b56ada981777

SHA256
7a30f464ad62611212fbd6db948b814cb0d0e8093ddae9fd0c2ecf320b58d722

SHA512
735a8645419e89a9421ead028658a897e9f894de65fe47f1da23c08065d55cdff02acbe9d0ae75cf388d9bd03ea87121e4f555cbdf862df8add067262fea3cd9

Download Submit
C:\Windows\SysWOW64\System Settings\webmmux.dll

Filesize
236KB

MD5
6392e8c2b5c504f559754edf8f67329d

SHA1
2a35861aafd4c0535ebfcb3cd2f654870fb5aaf1

SHA256
6f66529a6628072ccdab8f0f2234775f58c10d33ac0369294f469be9fa917c8e

SHA512
fc99fc4a444571cce48a0319674b9d958409aa34e1724560a0e407b8ebfda45f1545c19e142021e92aba8e287a5c82501952f63e079fa6914a784c27fb0dd261

Download Submit
C:\Windows\SysWOW64\System Settings\webmvorbisdecoder.dll

Filesize
323KB

MD5
2361597a296ff6056b974eb0343aefff

SHA1
e7dfa13de9a90dfc6163201ca73ca616f7c1b41f

SHA256
86b347edc2fad430ac813b56fec5da61453444b8d9c5625be5ddee34b5d0f6ff

SHA512
5910ad1970f0ca070e61af0b29681cde1d689b67d04a8b6783dd42faf10259cd4896f1ef7a03170907b24e963db7ced08837ba7d737b42277151a70bb4e128e3

Download Submit
C:\Windows\SysWOW64\System Settings\webmvorbisencoder.dll

Filesize
1.7MB

MD5
807fc5bc29937d3de9d2b680b454c9b4

SHA1
dfecb87e8e1d32adcabb10d234c2447fed12bf13

SHA256
dc0741f7365fbcbaf7cf69535933b3e585e715a19d77dee57bbd9feecb6b7e27

SHA512
0ad0df1c41e847e59a4739b051c9f6672f1444fa17dc61d2006f667c86eabffa893309e82e9542d7e19d2e583e93f25a1235837c575e079fe72899acaa7d4142

Download Submit
\Users\Admin\AppData\Local\Temp\lc13DF.tmp

Filesize
12KB

MD5
f5683f66d320bd271e6b8a27af3e0c27

SHA1
4c59ccad1f576a9ff947fe2b4dab2e75ec4e6579

SHA256
fdc7d2b60f60b052b97a6af34caebc9bdbab08c381172c8cf02cdf7d5aee1706

SHA512
fb8323201bb5b6bccc626c3d364e89da0edafcc5073f76d9c40a458a9868d7bbc4e16388f44a44b6c134b2fbd8d4ab202d7cd5ee2e285c325153623a4b4eda35

Download Submit
\Windows\Installer\MSI12C7.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
\Windows\Installer\MSI13B2.tmp

Filesize
91KB

MD5
3fe30e3727ac3e4a3b6e832b6a14a1c4

SHA1
a27a7f7193f5255f4a7b4150a000998cb4a420cc

SHA256
b3bc41b77a13c3a45d43fd2a7b1cdf37f5212798c602282e0e0d1ec52a4dbb8f

SHA512
b842766faeb6ce7f641854f8d120d8c34808773d4c0916b3097f04f398bdf36e92405804ef998607ebbbf5299b42bdf35420f4cc99e4a82f1508b55a058e6827

Download Submit
\Windows\Microsoft777\error.exe

Filesize
839KB

MD5
bd69d45fb9381151c0b7598960e9092f

SHA1
6ee8ad2b2287a99fe188167927d34728ade686a4

SHA256
9ca7b939153fde3eb5e8d93a34c490fe66ebfd13d5bc63a6b33417c29415e81a

SHA512
05f264fac4b9d3bb5aa5ddd120518a5f09b6e7a696f00301cde9bce89d4720064eb39175e0bb215d5120764e0043236d129fa674b615d57a671a0e9e9f12bfed

Download Submit
\Windows\Microsoft777\mail.exe

Filesize
907KB

MD5
eb40c7410b4bf634ed8f9f2712689e3a

SHA1
76434c54f402ecbda56cec9b6fbac7b4006c4821

SHA256
3c7d6e1b5eac2976a2a7d10541faeaf5dd43596f5274d0830e81dd5608c2064f

SHA512
c8885be51daca45fade846bb857d2faee9adbe6d5f9f817c61052261857fe1abadce646ffbc54d98acfa9aba6945a4bda0b093cad2e1c3f42077e0fc67fc88d4

Download Submit
\Windows\Microsoft777\mail.exe

Filesize
907KB

MD5
eb40c7410b4bf634ed8f9f2712689e3a

SHA1
76434c54f402ecbda56cec9b6fbac7b4006c4821

SHA256
3c7d6e1b5eac2976a2a7d10541faeaf5dd43596f5274d0830e81dd5608c2064f

SHA512
c8885be51daca45fade846bb857d2faee9adbe6d5f9f817c61052261857fe1abadce646ffbc54d98acfa9aba6945a4bda0b093cad2e1c3f42077e0fc67fc88d4

Download Submit
\Windows\Microsoft777\sorry.exe

Filesize
840KB

MD5
092fd2e08c599a8d4659bb4647cd53c0

SHA1
058cdc66abf3b34a09d83c0bcf03c99cd65a6806

SHA256
8617d193fb46ca516aa9f5fa38bb8335b92e6d016c382a9a5f5601d9c506ad9f

SHA512
bdd9fe6560dc75f1bdd229037d20edaaaafc86bdc4e4703f45c575fa423ccbe4628567315a50142f497c295f3a1d276b798fce6aa24841c83bea4dd23424b79d

Download Submit
\Windows\Microsoft777\sorry.exe

Filesize
840KB

MD5
092fd2e08c599a8d4659bb4647cd53c0

SHA1
058cdc66abf3b34a09d83c0bcf03c99cd65a6806

SHA256
8617d193fb46ca516aa9f5fa38bb8335b92e6d016c382a9a5f5601d9c506ad9f

SHA512
bdd9fe6560dc75f1bdd229037d20edaaaafc86bdc4e4703f45c575fa423ccbe4628567315a50142f497c295f3a1d276b798fce6aa24841c83bea4dd23424b79d

Download Submit
\Windows\Microsoft777\sorry.exe

Filesize
840KB

MD5
092fd2e08c599a8d4659bb4647cd53c0

SHA1
058cdc66abf3b34a09d83c0bcf03c99cd65a6806

SHA256
8617d193fb46ca516aa9f5fa38bb8335b92e6d016c382a9a5f5601d9c506ad9f

SHA512
bdd9fe6560dc75f1bdd229037d20edaaaafc86bdc4e4703f45c575fa423ccbe4628567315a50142f497c295f3a1d276b798fce6aa24841c83bea4dd23424b79d

Download Submit
\Windows\Microsoft777\sorry.exe

Filesize
840KB

MD5
092fd2e08c599a8d4659bb4647cd53c0

SHA1
058cdc66abf3b34a09d83c0bcf03c99cd65a6806

SHA256
8617d193fb46ca516aa9f5fa38bb8335b92e6d016c382a9a5f5601d9c506ad9f

SHA512
bdd9fe6560dc75f1bdd229037d20edaaaafc86bdc4e4703f45c575fa423ccbe4628567315a50142f497c295f3a1d276b798fce6aa24841c83bea4dd23424b79d

Download Submit
\Windows\Microsoft777\start.exe

Filesize
839KB

MD5
756974a4c907f2cb8053a3e5ef3f61d4

SHA1
c42f3922584bf89c75f4c232ad1aa59c91fb4298

SHA256
c98d7b9490933987f84f77952d6dbe5d77331abf2d604e43db8f28a60917de92

SHA512
f5059efcaad4068046ea5248b697eee2cacdf48775ff746d4a7c91e826c2d8c77ebb00b6e88fbae0b510bfc8308a958fbda74ac3802bd1930696d7ce6e756d61

Download Submit
\Windows\Microsoft777\start.exe

Filesize
839KB

MD5
756974a4c907f2cb8053a3e5ef3f61d4

SHA1
c42f3922584bf89c75f4c232ad1aa59c91fb4298

SHA256
c98d7b9490933987f84f77952d6dbe5d77331abf2d604e43db8f28a60917de92

SHA512
f5059efcaad4068046ea5248b697eee2cacdf48775ff746d4a7c91e826c2d8c77ebb00b6e88fbae0b510bfc8308a958fbda74ac3802bd1930696d7ce6e756d61

Download Submit
\Windows\Microsoft777\start.exe

Filesize
839KB

MD5
756974a4c907f2cb8053a3e5ef3f61d4

SHA1
c42f3922584bf89c75f4c232ad1aa59c91fb4298

SHA256
c98d7b9490933987f84f77952d6dbe5d77331abf2d604e43db8f28a60917de92

SHA512
f5059efcaad4068046ea5248b697eee2cacdf48775ff746d4a7c91e826c2d8c77ebb00b6e88fbae0b510bfc8308a958fbda74ac3802bd1930696d7ce6e756d61

Download Submit
\Windows\Microsoft777\start.exe

Filesize
839KB

MD5
756974a4c907f2cb8053a3e5ef3f61d4

SHA1
c42f3922584bf89c75f4c232ad1aa59c91fb4298

SHA256
c98d7b9490933987f84f77952d6dbe5d77331abf2d604e43db8f28a60917de92

SHA512
f5059efcaad4068046ea5248b697eee2cacdf48775ff746d4a7c91e826c2d8c77ebb00b6e88fbae0b510bfc8308a958fbda74ac3802bd1930696d7ce6e756d61

Download Submit
\Windows\Microsoft777\vopros.exe

Filesize
839KB

MD5
b3db041c2a2c537ede3d9d1a8a3339fa

SHA1
a2eda9d10571dbecd9cc480ad58d430ee73400c4

SHA256
b7243be292f82a4c529ca1800361e197991aece3cb3272084cad61274fc22ebb

SHA512
6238d211f2b598ffbc82c1bfb8e7b7a4d94b5f88114170c57f0552de4ad60ebee147b112f4111e6e7d3b4f12193f4f6171abc8abc947cff54bf9976e03ab5182

Download Submit
\Windows\SysWOW64\System Settings\rfusclient.exe

Filesize
1.5MB

MD5
f0df2dafed9a5d7b3086a469f9a3632d

SHA1
1912a04e0a7efdd9550dd01c6aa95809b3942332

SHA256
ab51901a985325d0170d3631c744766c8e6a0c8a19aa603c2a935e76509903ba

SHA512
1e677faef34767ae3bb91f23e6affd1598262da022c107a6a512bb226a9af49e4c9d5bbdf3577f1cd239176fb7e75833cb914f24884665f7fc9e81b97b75c20e

Download Submit
\Windows\SysWOW64\System Settings\rfusclient.exe

Filesize
1.5MB

MD5
f0df2dafed9a5d7b3086a469f9a3632d

SHA1
1912a04e0a7efdd9550dd01c6aa95809b3942332

SHA256
ab51901a985325d0170d3631c744766c8e6a0c8a19aa603c2a935e76509903ba

SHA512
1e677faef34767ae3bb91f23e6affd1598262da022c107a6a512bb226a9af49e4c9d5bbdf3577f1cd239176fb7e75833cb914f24884665f7fc9e81b97b75c20e

Download Submit
memory/520-92-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/592-148-0x0000000000400000-0x00000000009C9000-memory.dmp

Filesize
5.8MB

Download
memory/928-138-0x0000000000400000-0x0000000000AC9000-memory.dmp

Filesize
6.8MB

Download
memory/928-164-0x0000000002DE0000-0x00000000033A9000-memory.dmp

Filesize
5.8MB

Download
memory/928-145-0x0000000002DE0000-0x00000000033A9000-memory.dmp

Filesize
5.8MB

Download
memory/928-149-0x0000000002DE0000-0x00000000033A9000-memory.dmp

Filesize
5.8MB

Download
memory/928-163-0x0000000000400000-0x0000000000AC9000-memory.dmp

Filesize
6.8MB

Download
memory/1408-135-0x0000000000400000-0x0000000000AC9000-memory.dmp

Filesize
6.8MB

Download
memory/1408-146-0x0000000000400000-0x0000000000AC9000-memory.dmp

Filesize
6.8MB

Download
memory/1752-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1764-118-0x0000000000400000-0x0000000000AC9000-memory.dmp

Filesize
6.8MB

Download
memory/1764-119-0x0000000000400000-0x0000000000AC9000-memory.dmp

Filesize
6.8MB

Download
memory/1920-147-0x0000000000400000-0x00000000009C9000-memory.dmp

Filesize
5.8MB

Download
memory/1920-165-0x0000000000400000-0x00000000009C9000-memory.dmp

Filesize
5.8MB

Download
memory/1936-114-0x0000000000400000-0x0000000000AC9000-memory.dmp

Filesize
6.8MB

Download