rms | cd981a20183b128f674579669e130c0c9dc66ff1d3de45c28b6ac62fa9de7668

Analysis

max time kernel
146s
max time network
160s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd981a20183b128f674579669e130c0c9dc66ff1d3de45c28b6ac62fa9de7668.exe
Size

4.3MB
MD5

e8cac02b1c6407ee2ab0b08d6c669fb1
SHA1

497ff2c6f0f4612d63ec5eaded75f74f28e729f3
SHA256

cd981a20183b128f674579669e130c0c9dc66ff1d3de45c28b6ac62fa9de7668
SHA512

4ea97a5e0a60c995e66ecc3d62dab5868db16319ccea223bc6daa3ef1617d9d0d1eb90571f0a4bffc0eac6b4478e135b424eda47c7b6887458c8f592c49d818c
SSDEEP

98304:7JYvakukyg+fCpLG9fevK46z4hF42Xp+wsTWgIZY3TOavcQ4IkxfY:7JAaHDnfCBsfewzcF42Xp+wZgIm3DcQD

Score

10^/10

rms evasion persistence rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Executes dropped EXE 8 IoCs

Processes:

rms.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exe

pid process

1396 rms.exe
1728 rutserv.exe
1928 rutserv.exe
816 rutserv.exe
1648 rutserv.exe
1524 rfusclient.exe
1564 rfusclient.exe
364 rfusclient.exe
Modifies Windows Firewall 1 TTPs 8 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

892 netsh.exe
320 netsh.exe
1168 netsh.exe
1916 netsh.exe
864 netsh.exe
1564 netsh.exe
1264 netsh.exe
1484 netsh.exe

pid	process
892	netsh.exe
320	netsh.exe
1168	netsh.exe
1916	netsh.exe
864	netsh.exe
1564	netsh.exe
1264	netsh.exe
1484	netsh.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\rms.exe	upx
\Users\Admin\AppData\Local\Temp\rms.exe	upx
C:\Users\Admin\AppData\Local\Temp\rms.exe	upx
behavioral1/memory/1396-68-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1396-73-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1396-145-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1420 cmd.exe

pid	process
1420	cmd.exe

Loads dropped DLL 13 IoCs

Processes:

WScript.exerms.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exe

pid	process
1696	WScript.exe
1396	rms.exe
1728	rutserv.exe
1396	rms.exe
1928	rutserv.exe
1396	rms.exe
816	rutserv.exe
1648	rutserv.exe
1648	rutserv.exe
1648	rutserv.exe
1524	rfusclient.exe
1564	rfusclient.exe
364	rfusclient.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rms.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchosts.exe = "C:\\Windows\\SysWOW64\\catroot3\\svchosts.exe"	rms.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	rms.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1396-68-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/1396-73-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Local\Temp\svchosts.exe	autoit_exe
behavioral1/memory/1396-145-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

Drops file in System32 directory 20 IoCs

Processes:

rms.exerutserv.exe

description	ioc	process
File created	C:\Windows\SysWOW64\catroot3\RIPCServer.dll	rms.exe
File created	C:\Windows\SysWOW64\catroot3\rfusclient.exe	rms.exe
File created	C:\Windows\SysWOW64\catroot3\ID.txt	rms.exe
File opened for modification	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File created	C:\Windows\SysWOW64\catroot3\Microsoft.VC90.CRT.manifest	rms.exe
File created	C:\Windows\SysWOW64\catroot3\msvcp90.dll	rms.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\dsfVorbisDecoder.dll	rms.exe
File created	C:\Windows\SysWOW64\de.exe	rms.exe
File created	C:\Windows\SysWOW64\catroot3\gdiplus.dll	rms.exe
File created	C:\Windows\SysWOW64\catroot3\msvcr90.dll	rms.exe
File created	C:\Windows\SysWOW64\catroot3\rutserv.exe	rms.exe
File created	C:\Windows\SysWOW64\catroot3\RWLN.dll	rms.exe
File created	C:\Windows\SysWOW64\catroot3\set.reg	rms.exe
File created	C:\Windows\SysWOW64\catroot3\vp8decoder.dll	rms.exe
File created	C:\Windows\SysWOW64\catroot3\dsfVorbisDecoder.dll	rms.exe
File created	C:\Windows\SysWOW64\catroot3\dsfVorbisEncoder.dll	rms.exe
File opened for modification	C:\Windows\SysWOW64\catroot3	rms.exe
File created	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File created	C:\Windows\SysWOW64\catroot3\vp8encoder.dll	rms.exe
File created	C:\Windows\SysWOW64\catroot3\svchosts.exe	rms.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

364 sc.exe
1692 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

1724 regedit.exe
Runs net.exe

pid	process
364	sc.exe
1692	sc.exe

pid	process
1724	regedit.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

rms.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exe

pid	process
1396	rms.exe
1396	rms.exe
1396	rms.exe
1396	rms.exe
1396	rms.exe
1728	rutserv.exe
1728	rutserv.exe
1928	rutserv.exe
1928	rutserv.exe
816	rutserv.exe
816	rutserv.exe
1648	rutserv.exe
1648	rutserv.exe
1648	rutserv.exe
1648	rutserv.exe
1524	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid process

364 rfusclient.exe

pid	process
364	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rutserv.exerutserv.exerutserv.exe

description	pid	process
Token: SeDebugPrivilege	1728	rutserv.exe
Token: SeDebugPrivilege	816	rutserv.exe
Token: SeTakeOwnershipPrivilege	1648	rutserv.exe
Token: SeTcbPrivilege	1648	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cd981a20183b128f674579669e130c0c9dc66ff1d3de45c28b6ac62fa9de7668.exeWScript.exerms.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1032 wrote to memory of 1696	1032	cd981a20183b128f674579669e130c0c9dc66ff1d3de45c28b6ac62fa9de7668.exe	WScript.exe
PID 1032 wrote to memory of 1696	1032	cd981a20183b128f674579669e130c0c9dc66ff1d3de45c28b6ac62fa9de7668.exe	WScript.exe
PID 1032 wrote to memory of 1696	1032	cd981a20183b128f674579669e130c0c9dc66ff1d3de45c28b6ac62fa9de7668.exe	WScript.exe
PID 1032 wrote to memory of 1696	1032	cd981a20183b128f674579669e130c0c9dc66ff1d3de45c28b6ac62fa9de7668.exe	WScript.exe
PID 1696 wrote to memory of 1396	1696	WScript.exe	rms.exe
PID 1696 wrote to memory of 1396	1696	WScript.exe	rms.exe
PID 1696 wrote to memory of 1396	1696	WScript.exe	rms.exe
PID 1696 wrote to memory of 1396	1696	WScript.exe	rms.exe
PID 1032 wrote to memory of 1420	1032	cd981a20183b128f674579669e130c0c9dc66ff1d3de45c28b6ac62fa9de7668.exe	cmd.exe
PID 1032 wrote to memory of 1420	1032	cd981a20183b128f674579669e130c0c9dc66ff1d3de45c28b6ac62fa9de7668.exe	cmd.exe
PID 1032 wrote to memory of 1420	1032	cd981a20183b128f674579669e130c0c9dc66ff1d3de45c28b6ac62fa9de7668.exe	cmd.exe
PID 1032 wrote to memory of 1420	1032	cd981a20183b128f674579669e130c0c9dc66ff1d3de45c28b6ac62fa9de7668.exe	cmd.exe
PID 1396 wrote to memory of 864	1396	rms.exe	netsh.exe
PID 1396 wrote to memory of 864	1396	rms.exe	netsh.exe
PID 1396 wrote to memory of 864	1396	rms.exe	netsh.exe
PID 1396 wrote to memory of 864	1396	rms.exe	netsh.exe
PID 1396 wrote to memory of 364	1396	rms.exe	sc.exe
PID 1396 wrote to memory of 364	1396	rms.exe	sc.exe
PID 1396 wrote to memory of 364	1396	rms.exe	sc.exe
PID 1396 wrote to memory of 364	1396	rms.exe	sc.exe
PID 1396 wrote to memory of 1932	1396	rms.exe	net.exe
PID 1396 wrote to memory of 1932	1396	rms.exe	net.exe
PID 1396 wrote to memory of 1932	1396	rms.exe	net.exe
PID 1396 wrote to memory of 1932	1396	rms.exe	net.exe
PID 1932 wrote to memory of 544	1932	net.exe	net1.exe
PID 1932 wrote to memory of 544	1932	net.exe	net1.exe
PID 1932 wrote to memory of 544	1932	net.exe	net1.exe
PID 1932 wrote to memory of 544	1932	net.exe	net1.exe
PID 1396 wrote to memory of 1476	1396	rms.exe	net.exe
PID 1396 wrote to memory of 1476	1396	rms.exe	net.exe
PID 1396 wrote to memory of 1476	1396	rms.exe	net.exe
PID 1396 wrote to memory of 1476	1396	rms.exe	net.exe
PID 1476 wrote to memory of 920	1476	net.exe	net1.exe
PID 1476 wrote to memory of 920	1476	net.exe	net1.exe
PID 1476 wrote to memory of 920	1476	net.exe	net1.exe
PID 1476 wrote to memory of 920	1476	net.exe	net1.exe
PID 1396 wrote to memory of 1692	1396	rms.exe	sc.exe
PID 1396 wrote to memory of 1692	1396	rms.exe	sc.exe
PID 1396 wrote to memory of 1692	1396	rms.exe	sc.exe
PID 1396 wrote to memory of 1692	1396	rms.exe	sc.exe
PID 1396 wrote to memory of 1724	1396	rms.exe	net.exe
PID 1396 wrote to memory of 1724	1396	rms.exe	net.exe
PID 1396 wrote to memory of 1724	1396	rms.exe	net.exe
PID 1396 wrote to memory of 1724	1396	rms.exe	net.exe
PID 1724 wrote to memory of 1400	1724	net.exe	net1.exe
PID 1724 wrote to memory of 1400	1724	net.exe	net1.exe
PID 1724 wrote to memory of 1400	1724	net.exe	net1.exe
PID 1724 wrote to memory of 1400	1724	net.exe	net1.exe
PID 1396 wrote to memory of 1160	1396	rms.exe	net.exe
PID 1396 wrote to memory of 1160	1396	rms.exe	net.exe
PID 1396 wrote to memory of 1160	1396	rms.exe	net.exe
PID 1396 wrote to memory of 1160	1396	rms.exe	net.exe
PID 1160 wrote to memory of 1156	1160	net.exe	net1.exe
PID 1160 wrote to memory of 1156	1160	net.exe	net1.exe
PID 1160 wrote to memory of 1156	1160	net.exe	net1.exe
PID 1160 wrote to memory of 1156	1160	net.exe	net1.exe
PID 1396 wrote to memory of 580	1396	rms.exe	schtasks.exe
PID 1396 wrote to memory of 580	1396	rms.exe	schtasks.exe
PID 1396 wrote to memory of 580	1396	rms.exe	schtasks.exe
PID 1396 wrote to memory of 580	1396	rms.exe	schtasks.exe
PID 1396 wrote to memory of 1564	1396	rms.exe	netsh.exe
PID 1396 wrote to memory of 1564	1396	rms.exe	netsh.exe
PID 1396 wrote to memory of 1564	1396	rms.exe	netsh.exe
PID 1396 wrote to memory of 1564	1396	rms.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\cd981a20183b128f674579669e130c0c9dc66ff1d3de45c28b6ac62fa9de7668.exe
"C:\Users\Admin\AppData\Local\Temp\cd981a20183b128f674579669e130c0c9dc66ff1d3de45c28b6ac62fa9de7668.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\stop.js"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\rms.exe
"C:\Users\Admin\AppData\Local\Temp\rms.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
4⤵
- Modifies Windows Firewall
PID:864

C:\Windows\SysWOW64\sc.exe
sc config SharedAccess start= disabled
4⤵
- Launches sc.exe
PID:364

C:\Windows\SysWOW64\net.exe
net stop rserver3
4⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop rserver3
5⤵
PID:544

C:\Windows\SysWOW64\net.exe
net stop Telnet
4⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Telnet
5⤵
PID:920

C:\Windows\SysWOW64\sc.exe
sc config tlntsvr start= disabled
4⤵
- Launches sc.exe
PID:1692

C:\Windows\SysWOW64\net.exe
net stop "Service Host Controller"
4⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Service Host Controller"
5⤵
PID:1400

C:\Windows\SysWOW64\net.exe
net user HelpAssistant /delete
4⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user HelpAssistant /delete
5⤵
PID:1156

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn security /f
4⤵
PID:580

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="Microsoft Outlook Express"
4⤵
- Modifies Windows Firewall
PID:1564

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="Service Host Controller"
4⤵
- Modifies Windows Firewall
PID:1264

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="•®бв-Їа®жҐбб ¤«п б«г¦Ў Windows"
4⤵
- Modifies Windows Firewall
PID:1484

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="•®бв-Їа®жҐбб ¤«п § ¤ з Windows"
4⤵
- Modifies Windows Firewall
PID:892

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete portopening tcp 57009
4⤵
- Modifies Windows Firewall
PID:320

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="cam_server"
4⤵
- Modifies Windows Firewall
PID:1168

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete portopening tcp 57011 all
4⤵
- Modifies Windows Firewall
PID:1916

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"rutserv.exe" /silentinstall
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"rutserv.exe" /firewall
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1928

C:\Windows\SysWOW64\regedit.exe
regedit /s set.reg
4⤵
- Runs .reg file with regedit
PID:1724

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"rutserv.exe" /start
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
2⤵
- Deletes itself
PID:1420

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
C:\Users\Admin\AppData\Local\Temp\rutserv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1524

C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: SetClipboardViewer
PID:364

C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
Filesize
300B

MD5
1c61a20454f5adf8554302116638b48a

SHA1
b15603ab31317b6bcfe6791f85a7273e7bdaa0ff

SHA256
074d26c82290e6fdeae6d46bafcc41c86750ef97e92a250fa420825b516212e3

SHA512
6fbc1eaac4216a6f22d7e3fe5d6253c5f2b11202d36e5b8ab2c15e3a3a5e6c1e3dea0df38c16f3ff3ddccb885a6c5f8ae284335367dc7c73b11667af9a642f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ID.txt
Filesize
20B

MD5
d08c0e3891707b0f1ffc8fa02e733429

SHA1
8f3d0c529fe4aaa408f9343898b6457d149093f9

SHA256
547fb8eca27cc5176dabd75aa51e2626523b441b3bd4b1afe4295a5fb9adff9a

SHA512
b91764e97f806de63d53abc522b25a3363deff3aa96eb450ad502cd1ddf907e460fa4f5250d2802d03534ff216fd833f850e3ea17cfecad69f023d80ed504d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft.VC90.CRT.manifest
Filesize
1KB

MD5
53213fc8c2cb0d6f77ca6cbd40fff22c

SHA1
d8ba81ed6586825835b76e9d566077466ee41a85

SHA256
03d0776812368478ce60e8160ec3c6938782db1832f5cb53b7842e5840f9dbc5

SHA512
e3ced32a2eabfd0028ec16e62687573d86c0112b2b1d965f1f9d0bb5557cef5fdf5233e87fe73be621a52affe4ce53bedf958558aa899646fa390f4541cf11eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RIPCServer.dll
Filesize
145KB

MD5
501d1108baff017b9c7d7054995082e3

SHA1
ce7408993f25d615785835067bfc7c6731cb7d85

SHA256
be88c1319f8741842f3ce7b7606615efb96f0f46fad9321a2b995239ccf826e3

SHA512
8dd404d56cf9285e32069c1b774a565269223d30089f0d5b3a100f316cdfd96ff7246d8cc1337dc74b9f970dddc9023fa21c7059185af972d3fcda2204c0a9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RWLN.dll
Filesize
359KB

MD5
6d692f1ae8653afb6e478427cacefe1e

SHA1
de53d27feeedf1c08e0dc911905c57a383da2626

SHA256
fe1aa78691da4a8a944ee9e922e49a1712d620fb728faab135dabe081c088834

SHA512
0bbb21f5515eec44aea414d17123eb2275b78db788e927878652fe876bb17f706c395f6a20309c4c7aaef6bce9c280890bce38693a9a1858f7bac9665759af6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\de.exe
Filesize
98KB

MD5
b8622a3042d7fa48b2e6de433007c870

SHA1
6399b9d115c3f1d3c5469f81b1a821bf75b75ae8

SHA256
cdb8330b9a36462dad63fb5c98520c4dd1cecf8a20d071bb0eff15ecf9fe0c98

SHA512
19450e826c78cc9526bf9ccba356fa63c8282ae3093db9ad71c1f21bcd80b3850b3aabbd2221fd6ddc293378df3d52ac0484c8882aeee517145d018ce3b4ed73

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsfVorbisDecoder.dll
Filesize
234KB

MD5
8e3f59b8c9dfc933fca30edefeb76186

SHA1
37a78089d5936d1bc3b60915971604c611a94dbd

SHA256
528c0656751b336c10cb4c49b703eae9c3863f7f416d0e09b198b082cc54aeb8

SHA512
3224c20c30556774fd4bed78909f451b9a5a46aa59271b5e88b1e0e60145d217802a8f1fda3d3fabcd8546ca7783e0c70f0c419a28efe6c5160a102553a3c91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsfVorbisEncoder.dll
Filesize
1.6MB

MD5
ff622a8812d8b1eff8f8d1a32087f9d2

SHA1
910615c9374b8734794ac885707ff5370db42ef1

SHA256
1b8fe11c0bdcbf1f4503c478843de02177c606912c89e655e482adec787c2ebf

SHA512
1a7c49f172691bf071df0d47d6ee270afbfa889afb8d5bd893496277fd816630ecd7b50c978b53d88228922ba6070f382b959ffc389394e0f08daab107369931

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiplus.dll
Filesize
1.6MB

MD5
871c903a90c45ca08a9d42803916c3f7

SHA1
d962a12bc15bfb4c505bb63f603ca211588958db

SHA256
f1da32183b3da19f75fa4ef0974a64895266b16d119bbb1da9fe63867dba0645

SHA512
985b0b8b5e3d96acfd0514676d9f0c5d2d8f11e31f01acfa0f7da9af3568e12343ca77f541f55edda6a0e5c14fe733bda5dc1c10bb170d40d15b7a60ad000145

Download Submit
C:\Users\Admin\AppData\Local\Temp\msimg32.dll
Filesize
3KB

MD5
6448b4e0f7a74d8df1cef93b65bd684a

SHA1
e7a7f686280b2bd2573b6c3deefd410d922ccd4f

SHA256
7f64eaba96352a4ba7c5fc65b76eb5d4e8ac9726dfd10ffa50b87d467d0a6435

SHA512
15fc2a2165937767720a7276125a05fb81d3b6be6144f60e9bbded8c2bdc213714840a496393d09283807a7e3c534ea7fbbe355cecab66f161f79868f7512e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcp90.dll
Filesize
556KB

MD5
b2eee3dee31f50e082e9c720a6d7757d

SHA1
3322840fef43c92fb55dc31e682d19970daf159d

SHA256
4608beedd8cf9c3fc5ab03716b4ab6f01c7b7d65a7c072af04f514ffb0e02d01

SHA512
8b1854e80045001e7ab3a978fb4aa1de19a3c9fc206013d7bc43aec919f45e46bb7555f667d9f7d7833ab8baa55c9098af8872006ff277fc364a5e6f99ee25d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcr90.dll
Filesize
637KB

MD5
7538050656fe5d63cb4b80349dd1cfe3

SHA1
f825c40fee87cc9952a61c8c34e9f6eee8da742d

SHA256
e16bc9b66642151de612ee045c2810ca6146975015bd9679a354567f56da2099

SHA512
843e22630254d222dfd12166c701f6cd1dca4a8dc216c7a8c9c0ab1afc90189cfa8b6499bbc46408008a1d985394eb8a660b1fa1991059a65c09e8d6481a3af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
Filesize
3.9MB

MD5
6b00ef267e590b8aec937d4fbaa7c54b

SHA1
238f121a3dba5d3a5492cda9010d3f4fb8419a04

SHA256
ec893dc3e9f74479844b104fd403488abe224f4f0816f4ca2e57802814d5118a

SHA512
bd747aadcc762c62db00d2304132e75f41fc4ec40a85f87b014a2b0fba2f11c3bc22abd10a24bbe73cfbad573431b3376ce1377966e39dbff2b482b7fe9f49ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
Filesize
3.9MB

MD5
6b00ef267e590b8aec937d4fbaa7c54b

SHA1
238f121a3dba5d3a5492cda9010d3f4fb8419a04

SHA256
ec893dc3e9f74479844b104fd403488abe224f4f0816f4ca2e57802814d5118a

SHA512
bd747aadcc762c62db00d2304132e75f41fc4ec40a85f87b014a2b0fba2f11c3bc22abd10a24bbe73cfbad573431b3376ce1377966e39dbff2b482b7fe9f49ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
Filesize
3.9MB

MD5
6b00ef267e590b8aec937d4fbaa7c54b

SHA1
238f121a3dba5d3a5492cda9010d3f4fb8419a04

SHA256
ec893dc3e9f74479844b104fd403488abe224f4f0816f4ca2e57802814d5118a

SHA512
bd747aadcc762c62db00d2304132e75f41fc4ec40a85f87b014a2b0fba2f11c3bc22abd10a24bbe73cfbad573431b3376ce1377966e39dbff2b482b7fe9f49ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
Filesize
3.9MB

MD5
6b00ef267e590b8aec937d4fbaa7c54b

SHA1
238f121a3dba5d3a5492cda9010d3f4fb8419a04

SHA256
ec893dc3e9f74479844b104fd403488abe224f4f0816f4ca2e57802814d5118a

SHA512
bd747aadcc762c62db00d2304132e75f41fc4ec40a85f87b014a2b0fba2f11c3bc22abd10a24bbe73cfbad573431b3376ce1377966e39dbff2b482b7fe9f49ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\rms.exe
Filesize
361KB

MD5
47de6cbe483b94672ea76a4c0244e35c

SHA1
b66b8380542801c0c13350ddb2f8d45ab18d1e0d

SHA256
ad45e23138876ceb5ab5ffe86db4e2cc28974c20194e1f5457c12fc0a4cab4ad

SHA512
e7c0af7d7b6c33abe0e9d6888b91428fecca1ef0a5656717c68c7550d5cca4e5220ceebee674f284d158eb6c83020cbec339dbbee980f5eb37fdad5910218dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rms.exe
Filesize
361KB

MD5
47de6cbe483b94672ea76a4c0244e35c

SHA1
b66b8380542801c0c13350ddb2f8d45ab18d1e0d

SHA256
ad45e23138876ceb5ab5ffe86db4e2cc28974c20194e1f5457c12fc0a4cab4ad

SHA512
e7c0af7d7b6c33abe0e9d6888b91428fecca1ef0a5656717c68c7550d5cca4e5220ceebee674f284d158eb6c83020cbec339dbbee980f5eb37fdad5910218dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize
5.1MB

MD5
a9201bd8618bdc4795a95b1755fb93b6

SHA1
93eabe79096041e08ad0306a5edb9746bcc7ec50

SHA256
923d484040afc3a0c733df39c09c34ff3d36c78d7d60440deb101ba54a05c0e8

SHA512
f8b1aad039753df2b6633f7442e9f1311474b4078208b912cff92ab4eaef905af08c0ccfaa04beca3861144dfa87443bb078d476d3d858fa017965b189468a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize
5.1MB

MD5
a9201bd8618bdc4795a95b1755fb93b6

SHA1
93eabe79096041e08ad0306a5edb9746bcc7ec50

SHA256
923d484040afc3a0c733df39c09c34ff3d36c78d7d60440deb101ba54a05c0e8

SHA512
f8b1aad039753df2b6633f7442e9f1311474b4078208b912cff92ab4eaef905af08c0ccfaa04beca3861144dfa87443bb078d476d3d858fa017965b189468a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize
5.1MB

MD5
a9201bd8618bdc4795a95b1755fb93b6

SHA1
93eabe79096041e08ad0306a5edb9746bcc7ec50

SHA256
923d484040afc3a0c733df39c09c34ff3d36c78d7d60440deb101ba54a05c0e8

SHA512
f8b1aad039753df2b6633f7442e9f1311474b4078208b912cff92ab4eaef905af08c0ccfaa04beca3861144dfa87443bb078d476d3d858fa017965b189468a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize
5.1MB

MD5
a9201bd8618bdc4795a95b1755fb93b6

SHA1
93eabe79096041e08ad0306a5edb9746bcc7ec50

SHA256
923d484040afc3a0c733df39c09c34ff3d36c78d7d60440deb101ba54a05c0e8

SHA512
f8b1aad039753df2b6633f7442e9f1311474b4078208b912cff92ab4eaef905af08c0ccfaa04beca3861144dfa87443bb078d476d3d858fa017965b189468a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize
5.1MB

MD5
a9201bd8618bdc4795a95b1755fb93b6

SHA1
93eabe79096041e08ad0306a5edb9746bcc7ec50

SHA256
923d484040afc3a0c733df39c09c34ff3d36c78d7d60440deb101ba54a05c0e8

SHA512
f8b1aad039753df2b6633f7442e9f1311474b4078208b912cff92ab4eaef905af08c0ccfaa04beca3861144dfa87443bb078d476d3d858fa017965b189468a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\set.reg
Filesize
19KB

MD5
fc4bbaec6770de03e6a046c0485c7b26

SHA1
62690541b903f9637ddffe464f3fc4604232fa70

SHA256
3dd8098f1264c60afcdebff0f4dff3560ffdc247d1cf6017eec668739d7fdf76

SHA512
9361f50fba099bbb18960edbd04883d393490f56c243cadcccaa197f8038d9a938e49d37b5f6eee90a6c50457a6e04ae9a98976a594773da9aa7a23992a46aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\stop.js
Filesize
211B

MD5
fb5b62a32e853a51359fb598a4d5008f

SHA1
f3cc4663189878044c956c1f84b9c32f3d29d2b2

SHA256
b1b1b8f753e130e463f02527541389295f9b7d28c331085a2a03d83f8587550f

SHA512
9304880a49bf479f8322f19089109b36cf1104fb0b581357560e3fe1c1f31ca379607797d7a757e1e85a9fbde40094b99b4a3c5830172998102d041435ccded8

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchosts.exe
Filesize
708KB

MD5
3b5e40b584904d9beebeea1e4a94ef7e

SHA1
88de849817a4b93b83ccb95a1f37f698cee197d9

SHA256
73ce0e5045ba4b7bd2f7f2f5a1c3bb1dfd2a9a1c2c48d76dfc529d8a3e217f12

SHA512
1125a94d2673105d40a45b0f8c6088bf8f9fff89cdf3d5231e73d1a15ece23bfd8e564fad63707bb4c3a559310666aedf784d78418be27953b22296d89a5faa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vp8decoder.dll
Filesize
403KB

MD5
6f6bfe02e84a595a56b456f72debd4ee

SHA1
90bad3ae1746c7a45df2dbf44cd536eb1bf3c8e2

SHA256
5e59b566eda7bb36f3f5d6dd39858bc9d6cf2c8d81deca4ea3c409804247da51

SHA512
ed2a7402699a6d00d1eac52b0f2dea4475173be3320dfbad5ca58877f06638769533229bc12bce6650726d3166c0e5ebac2dad7171b77b29186d4d5e65818c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\vp8encoder.dll
Filesize
685KB

MD5
c638bca1a67911af7f9ed67e7b501154

SHA1
0fd74d2f1bd78f678b897a776d8bce36742c39b7

SHA256
519078219f7f6db542f747702422f902a21bfc3aef8c6e6c3580e1c5e88162b8

SHA512
ca8133399f61a1f339a14e3fad3bfafc6fe3657801fd66df761c88c18b2dc23ceb02ba6faa536690986972933bec2808254ef143c2c22f881285facb4364659f

Download Submit
\Users\Admin\AppData\Local\Temp\msimg32.dll
Filesize
3KB

MD5
6448b4e0f7a74d8df1cef93b65bd684a

SHA1
e7a7f686280b2bd2573b6c3deefd410d922ccd4f

SHA256
7f64eaba96352a4ba7c5fc65b76eb5d4e8ac9726dfd10ffa50b87d467d0a6435

SHA512
15fc2a2165937767720a7276125a05fb81d3b6be6144f60e9bbded8c2bdc213714840a496393d09283807a7e3c534ea7fbbe355cecab66f161f79868f7512e86

Download Submit
\Users\Admin\AppData\Local\Temp\msimg32.dll
Filesize
3KB

MD5
6448b4e0f7a74d8df1cef93b65bd684a

SHA1
e7a7f686280b2bd2573b6c3deefd410d922ccd4f

SHA256
7f64eaba96352a4ba7c5fc65b76eb5d4e8ac9726dfd10ffa50b87d467d0a6435

SHA512
15fc2a2165937767720a7276125a05fb81d3b6be6144f60e9bbded8c2bdc213714840a496393d09283807a7e3c534ea7fbbe355cecab66f161f79868f7512e86

Download Submit
\Users\Admin\AppData\Local\Temp\msimg32.dll
Filesize
3KB

MD5
6448b4e0f7a74d8df1cef93b65bd684a

SHA1
e7a7f686280b2bd2573b6c3deefd410d922ccd4f

SHA256
7f64eaba96352a4ba7c5fc65b76eb5d4e8ac9726dfd10ffa50b87d467d0a6435

SHA512
15fc2a2165937767720a7276125a05fb81d3b6be6144f60e9bbded8c2bdc213714840a496393d09283807a7e3c534ea7fbbe355cecab66f161f79868f7512e86

Download Submit
\Users\Admin\AppData\Local\Temp\msimg32.dll
Filesize
3KB

MD5
6448b4e0f7a74d8df1cef93b65bd684a

SHA1
e7a7f686280b2bd2573b6c3deefd410d922ccd4f

SHA256
7f64eaba96352a4ba7c5fc65b76eb5d4e8ac9726dfd10ffa50b87d467d0a6435

SHA512
15fc2a2165937767720a7276125a05fb81d3b6be6144f60e9bbded8c2bdc213714840a496393d09283807a7e3c534ea7fbbe355cecab66f161f79868f7512e86

Download Submit
\Users\Admin\AppData\Local\Temp\msimg32.dll
Filesize
3KB

MD5
6448b4e0f7a74d8df1cef93b65bd684a

SHA1
e7a7f686280b2bd2573b6c3deefd410d922ccd4f

SHA256
7f64eaba96352a4ba7c5fc65b76eb5d4e8ac9726dfd10ffa50b87d467d0a6435

SHA512
15fc2a2165937767720a7276125a05fb81d3b6be6144f60e9bbded8c2bdc213714840a496393d09283807a7e3c534ea7fbbe355cecab66f161f79868f7512e86

Download Submit
\Users\Admin\AppData\Local\Temp\msimg32.dll
Filesize
3KB

MD5
6448b4e0f7a74d8df1cef93b65bd684a

SHA1
e7a7f686280b2bd2573b6c3deefd410d922ccd4f

SHA256
7f64eaba96352a4ba7c5fc65b76eb5d4e8ac9726dfd10ffa50b87d467d0a6435

SHA512
15fc2a2165937767720a7276125a05fb81d3b6be6144f60e9bbded8c2bdc213714840a496393d09283807a7e3c534ea7fbbe355cecab66f161f79868f7512e86

Download Submit
\Users\Admin\AppData\Local\Temp\msimg32.dll
Filesize
3KB

MD5
6448b4e0f7a74d8df1cef93b65bd684a

SHA1
e7a7f686280b2bd2573b6c3deefd410d922ccd4f

SHA256
7f64eaba96352a4ba7c5fc65b76eb5d4e8ac9726dfd10ffa50b87d467d0a6435

SHA512
15fc2a2165937767720a7276125a05fb81d3b6be6144f60e9bbded8c2bdc213714840a496393d09283807a7e3c534ea7fbbe355cecab66f161f79868f7512e86

Download Submit
\Users\Admin\AppData\Local\Temp\rfusclient.exe
Filesize
3.9MB

MD5
6b00ef267e590b8aec937d4fbaa7c54b

SHA1
238f121a3dba5d3a5492cda9010d3f4fb8419a04

SHA256
ec893dc3e9f74479844b104fd403488abe224f4f0816f4ca2e57802814d5118a

SHA512
bd747aadcc762c62db00d2304132e75f41fc4ec40a85f87b014a2b0fba2f11c3bc22abd10a24bbe73cfbad573431b3376ce1377966e39dbff2b482b7fe9f49ee

Download Submit
\Users\Admin\AppData\Local\Temp\rfusclient.exe
Filesize
3.9MB

MD5
6b00ef267e590b8aec937d4fbaa7c54b

SHA1
238f121a3dba5d3a5492cda9010d3f4fb8419a04

SHA256
ec893dc3e9f74479844b104fd403488abe224f4f0816f4ca2e57802814d5118a

SHA512
bd747aadcc762c62db00d2304132e75f41fc4ec40a85f87b014a2b0fba2f11c3bc22abd10a24bbe73cfbad573431b3376ce1377966e39dbff2b482b7fe9f49ee

Download Submit
\Users\Admin\AppData\Local\Temp\rms.exe
Filesize
361KB

MD5
47de6cbe483b94672ea76a4c0244e35c

SHA1
b66b8380542801c0c13350ddb2f8d45ab18d1e0d

SHA256
ad45e23138876ceb5ab5ffe86db4e2cc28974c20194e1f5457c12fc0a4cab4ad

SHA512
e7c0af7d7b6c33abe0e9d6888b91428fecca1ef0a5656717c68c7550d5cca4e5220ceebee674f284d158eb6c83020cbec339dbbee980f5eb37fdad5910218dcb

Download Submit
\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize
5.1MB

MD5
a9201bd8618bdc4795a95b1755fb93b6

SHA1
93eabe79096041e08ad0306a5edb9746bcc7ec50

SHA256
923d484040afc3a0c733df39c09c34ff3d36c78d7d60440deb101ba54a05c0e8

SHA512
f8b1aad039753df2b6633f7442e9f1311474b4078208b912cff92ab4eaef905af08c0ccfaa04beca3861144dfa87443bb078d476d3d858fa017965b189468a2b

Download Submit
\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize
5.1MB

MD5
a9201bd8618bdc4795a95b1755fb93b6

SHA1
93eabe79096041e08ad0306a5edb9746bcc7ec50

SHA256
923d484040afc3a0c733df39c09c34ff3d36c78d7d60440deb101ba54a05c0e8

SHA512
f8b1aad039753df2b6633f7442e9f1311474b4078208b912cff92ab4eaef905af08c0ccfaa04beca3861144dfa87443bb078d476d3d858fa017965b189468a2b

Download Submit
\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize
5.1MB

MD5
a9201bd8618bdc4795a95b1755fb93b6

SHA1
93eabe79096041e08ad0306a5edb9746bcc7ec50

SHA256
923d484040afc3a0c733df39c09c34ff3d36c78d7d60440deb101ba54a05c0e8

SHA512
f8b1aad039753df2b6633f7442e9f1311474b4078208b912cff92ab4eaef905af08c0ccfaa04beca3861144dfa87443bb078d476d3d858fa017965b189468a2b

Download Submit
memory/320-104-0x0000000000000000-mapping.dmp

Download
memory/364-67-0x0000000000000000-mapping.dmp

Download
memory/364-146-0x0000000000000000-mapping.dmp

Download
memory/544-87-0x0000000000000000-mapping.dmp

Download
memory/580-95-0x0000000000000000-mapping.dmp

Download
memory/816-126-0x0000000000000000-mapping.dmp

Download
memory/864-65-0x0000000000000000-mapping.dmp

Download
memory/892-102-0x0000000000000000-mapping.dmp

Download
memory/920-89-0x0000000000000000-mapping.dmp

Download
memory/1032-54-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1156-94-0x0000000000000000-mapping.dmp

Download
memory/1160-93-0x0000000000000000-mapping.dmp

Download
memory/1168-106-0x0000000000000000-mapping.dmp

Download
memory/1264-98-0x0000000000000000-mapping.dmp

Download
memory/1396-145-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1396-73-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1396-60-0x0000000000000000-mapping.dmp

Download
memory/1396-68-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1400-92-0x0000000000000000-mapping.dmp

Download
memory/1420-63-0x0000000000000000-mapping.dmp

Download
memory/1476-88-0x0000000000000000-mapping.dmp

Download
memory/1484-100-0x0000000000000000-mapping.dmp

Download
memory/1524-134-0x0000000000000000-mapping.dmp

Download
memory/1524-140-0x0000000074FC0000-0x0000000074FC3000-memory.dmp

Filesize
12KB

Download
memory/1564-136-0x0000000000000000-mapping.dmp

Download
memory/1564-96-0x0000000000000000-mapping.dmp

Download
memory/1564-144-0x0000000074FC0000-0x0000000074FC3000-memory.dmp

Filesize
12KB

Download
memory/1692-90-0x0000000000000000-mapping.dmp

Download
memory/1696-55-0x0000000000000000-mapping.dmp

Download
memory/1724-91-0x0000000000000000-mapping.dmp

Download
memory/1724-123-0x0000000000000000-mapping.dmp

Download
memory/1728-116-0x0000000074FC0000-0x0000000074FC3000-memory.dmp

Filesize
12KB

Download
memory/1728-111-0x0000000000000000-mapping.dmp

Download
memory/1916-108-0x0000000000000000-mapping.dmp

Download
memory/1928-122-0x0000000074FB0000-0x0000000074FB3000-memory.dmp

Filesize
12KB

Download
memory/1928-118-0x0000000000000000-mapping.dmp

Download
memory/1932-86-0x0000000000000000-mapping.dmp

Download