rms | b7faffb4a5459c440aa3a4e312c3690650b66922ca72c8b9655744ef5cbf4487

Analysis

max time kernel
143s
max time network
157s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7faffb4a5459c440aa3a4e312c3690650b66922ca72c8b9655744ef5cbf4487.exe
Size

4.6MB
MD5

87bdfe9befe36281af36711d388f2542
SHA1

4220df7d519a41ec14ea111f2c870139a3d21483
SHA256

b7faffb4a5459c440aa3a4e312c3690650b66922ca72c8b9655744ef5cbf4487
SHA512

7eed2fbc6bdaefec9e5360ffb3d12a06a558d54514c47068afc71d44b52e4d02192b54a048819630feb6267634cfa3a3c325337ff8938d305bd8cbb26b072e45
SSDEEP

98304:7JYu9iIvfphKBdpRqzjoA699dvl3tqZ0hkoyvQZM4BZKmMHGcilF:7JvfpYdfWT699dvjZVOGcYF

Score

10^/10

rms collection discovery evasion rat spyware stealer trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 9 IoCs

pid	Process
760	rutserv.exe
1144	rutserv.exe
980	rutserv.exe
1672	rutserv.exe
1320	rfusclient.exe
576	rfusclient.exe
1464	mpr.exe
1808	rfusclient.exe
112	realip.exe

Modifies Windows Firewall 1 TTPs 9 IoCs

evasion

Modify Existing Service

T1031

pid	Process
992	netsh.exe
1736	netsh.exe
1536	netsh.exe
1212	netsh.exe
1100	netsh.exe
900	netsh.exe
1976	netsh.exe
1768	netsh.exe
1000	netsh.exe

Sets file to hidden 1 TTPs 13 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1072	attrib.exe
860	attrib.exe
1488	attrib.exe
2012	attrib.exe
1812	attrib.exe
1100	attrib.exe
1308	attrib.exe
1552	attrib.exe
1680	attrib.exe
1640	attrib.exe
1480	attrib.exe
1832	attrib.exe
364	attrib.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001411b-70.dat	upx

Deletes itself 1 IoCs

pid	Process
1572	cmd.exe

Loads dropped DLL 8 IoCs

pid	Process
1740	cmd.exe
1740	cmd.exe
1740	cmd.exe
1672	rutserv.exe
1672	rutserv.exe
1740	cmd.exe
1740	cmd.exe
1740	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	mpr.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	mpr.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 34 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\catroot3\set.reg	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\set.reg	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\dsfVorbisDecoder.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\dsfVorbisEncoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\Microsoft.VC90.CRT.manifest	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\RIPCServer.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\rutserv.exe	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\RWLN.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File created	C:\Windows\SysWOW64\ldr.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ldr.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\vp8decoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\dsfVorbisEncoder.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\Microsoft.VC90.CRT.manifest	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\msvcr90.dll	cmd.exe
File created	C:\Windows\SysWOW64\de.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\vp8encoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\gdiplus.dll	cmd.exe
File created	C:\Windows\SysWOW64\vp8encoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\msvcp90.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\rutserv.exe	cmd.exe
File created	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File created	C:\Windows\SysWOW64\vp8decoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\rfusclient.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\de.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\msvcr90.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\RIPCServer.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\RWLN.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3	attrib.exe
File created	C:\Windows\SysWOW64\gdiplus.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\dsfVorbisDecoder.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\msvcp90.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\rfusclient.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\de.exe	attrib.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1708	sc.exe
520	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 5 IoCs

evasion

pid	Process
1720	taskkill.exe
452	taskkill.exe
1592	taskkill.exe
764	taskkill.exe
760	taskkill.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf	mpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mpr.exe \"%1\""	mpr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf\MediaPackageFile\ShellNew	mpr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf	mpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\BrowserFlags = "8"	mpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\EditFlags = "0"	mpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mpr.exe,0"	mpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell\open	mpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler"	mpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpr.DocHostUIHandler\Clsid	mpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID	mpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "mpr.DocHostUIHandler"	mpr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf\MediaPackageFile	mpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\DefaultIcon	mpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell	mpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32	mpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mpr.exe"	mpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpr.DocHostUIHandler	mpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mpr.DocHostUIHandler\ = "Implements DocHostUIHandler"	mpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mpr.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"	mpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf	mpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf\ = "mprf"	mpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell\open\command	mpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}	mpr.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1112	reg.exe
1764	reg.exe

Runs .reg file with regedit 1 IoCs

pid	Process
432	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
760	rutserv.exe
760	rutserv.exe
1144	rutserv.exe
1144	rutserv.exe
980	rutserv.exe
980	rutserv.exe
1672	rutserv.exe
1672	rutserv.exe
1672	rutserv.exe
1672	rutserv.exe
1320	rfusclient.exe
1464	mpr.exe
1464	mpr.exe
1464	mpr.exe
1464	mpr.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1808	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	452	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	764	taskkill.exe
Token: SeDebugPrivilege	760	taskkill.exe
Token: SeDebugPrivilege	760	rutserv.exe
Token: SeDebugPrivilege	980	rutserv.exe
Token: SeTakeOwnershipPrivilege	1672	rutserv.exe
Token: SeTcbPrivilege	1672	rutserv.exe
Token: SeDebugPrivilege	1464	mpr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1464	mpr.exe
1464	mpr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 112	1388	b7faffb4a5459c440aa3a4e312c3690650b66922ca72c8b9655744ef5cbf4487.exe	26
PID 1388 wrote to memory of 112	1388	b7faffb4a5459c440aa3a4e312c3690650b66922ca72c8b9655744ef5cbf4487.exe	26
PID 1388 wrote to memory of 112	1388	b7faffb4a5459c440aa3a4e312c3690650b66922ca72c8b9655744ef5cbf4487.exe	26
PID 1388 wrote to memory of 112	1388	b7faffb4a5459c440aa3a4e312c3690650b66922ca72c8b9655744ef5cbf4487.exe	26
PID 112 wrote to memory of 1740	112	WScript.exe	27
PID 112 wrote to memory of 1740	112	WScript.exe	27
PID 112 wrote to memory of 1740	112	WScript.exe	27
PID 112 wrote to memory of 1740	112	WScript.exe	27
PID 112 wrote to memory of 1740	112	WScript.exe	27
PID 112 wrote to memory of 1740	112	WScript.exe	27
PID 112 wrote to memory of 1740	112	WScript.exe	27
PID 1740 wrote to memory of 992	1740	cmd.exe	29
PID 1740 wrote to memory of 992	1740	cmd.exe	29
PID 1740 wrote to memory of 992	1740	cmd.exe	29
PID 1740 wrote to memory of 992	1740	cmd.exe	29
PID 1388 wrote to memory of 1572	1388	b7faffb4a5459c440aa3a4e312c3690650b66922ca72c8b9655744ef5cbf4487.exe	30
PID 1388 wrote to memory of 1572	1388	b7faffb4a5459c440aa3a4e312c3690650b66922ca72c8b9655744ef5cbf4487.exe	30
PID 1388 wrote to memory of 1572	1388	b7faffb4a5459c440aa3a4e312c3690650b66922ca72c8b9655744ef5cbf4487.exe	30
PID 1388 wrote to memory of 1572	1388	b7faffb4a5459c440aa3a4e312c3690650b66922ca72c8b9655744ef5cbf4487.exe	30
PID 1740 wrote to memory of 1708	1740	cmd.exe	32
PID 1740 wrote to memory of 1708	1740	cmd.exe	32
PID 1740 wrote to memory of 1708	1740	cmd.exe	32
PID 1740 wrote to memory of 1708	1740	cmd.exe	32
PID 1740 wrote to memory of 1720	1740	cmd.exe	33
PID 1740 wrote to memory of 1720	1740	cmd.exe	33
PID 1740 wrote to memory of 1720	1740	cmd.exe	33
PID 1740 wrote to memory of 1720	1740	cmd.exe	33
PID 1740 wrote to memory of 452	1740	cmd.exe	35
PID 1740 wrote to memory of 452	1740	cmd.exe	35
PID 1740 wrote to memory of 452	1740	cmd.exe	35
PID 1740 wrote to memory of 452	1740	cmd.exe	35
PID 1740 wrote to memory of 740	1740	cmd.exe	36
PID 1740 wrote to memory of 740	1740	cmd.exe	36
PID 1740 wrote to memory of 740	1740	cmd.exe	36
PID 1740 wrote to memory of 740	1740	cmd.exe	36
PID 1740 wrote to memory of 1552	1740	cmd.exe	37
PID 1740 wrote to memory of 1552	1740	cmd.exe	37
PID 1740 wrote to memory of 1552	1740	cmd.exe	37
PID 1740 wrote to memory of 1552	1740	cmd.exe	37
PID 1740 wrote to memory of 1680	1740	cmd.exe	38
PID 1740 wrote to memory of 1680	1740	cmd.exe	38
PID 1740 wrote to memory of 1680	1740	cmd.exe	38
PID 1740 wrote to memory of 1680	1740	cmd.exe	38
PID 1740 wrote to memory of 364	1740	cmd.exe	52
PID 1740 wrote to memory of 364	1740	cmd.exe	52
PID 1740 wrote to memory of 364	1740	cmd.exe	52
PID 1740 wrote to memory of 364	1740	cmd.exe	52
PID 1740 wrote to memory of 1640	1740	cmd.exe	39
PID 1740 wrote to memory of 1640	1740	cmd.exe	39
PID 1740 wrote to memory of 1640	1740	cmd.exe	39
PID 1740 wrote to memory of 1640	1740	cmd.exe	39
PID 1740 wrote to memory of 1308	1740	cmd.exe	50
PID 1740 wrote to memory of 1308	1740	cmd.exe	50
PID 1740 wrote to memory of 1308	1740	cmd.exe	50
PID 1740 wrote to memory of 1308	1740	cmd.exe	50
PID 1740 wrote to memory of 1480	1740	cmd.exe	40
PID 1740 wrote to memory of 1480	1740	cmd.exe	40
PID 1740 wrote to memory of 1480	1740	cmd.exe	40
PID 1740 wrote to memory of 1480	1740	cmd.exe	40
PID 1740 wrote to memory of 1832	1740	cmd.exe	41
PID 1740 wrote to memory of 1832	1740	cmd.exe	41
PID 1740 wrote to memory of 1832	1740	cmd.exe	41
PID 1740 wrote to memory of 1832	1740	cmd.exe	41
PID 1740 wrote to memory of 1072	1740	cmd.exe	42

Views/modifies file attributes 1 TTPs 19 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
364	attrib.exe
1108	attrib.exe
1336	attrib.exe
1640	attrib.exe
1812	attrib.exe
2012	attrib.exe
1480	attrib.exe
1100	attrib.exe
1308	attrib.exe
792	attrib.exe
1388	attrib.exe
1680	attrib.exe
1832	attrib.exe
1072	attrib.exe
1352	attrib.exe
1696	attrib.exe
1552	attrib.exe
860	attrib.exe
1488	attrib.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	mpr.exe

C:\Users\Admin\AppData\Local\Temp\b7faffb4a5459c440aa3a4e312c3690650b66922ca72c8b9655744ef5cbf4487.exe
"C:\Users\Admin\AppData\Local\Temp\b7faffb4a5459c440aa3a4e312c3690650b66922ca72c8b9655744ef5cbf4487.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\stop.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:992
  - - C:\Windows\SysWOW64\sc.exe
      sc config SharedAccess start= disabled
      4⤵
      Launches sc.exe
      PID:1708
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im RManServer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rutserv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:452
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      4⤵
      PID:740
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Windows\System32\catroot3"
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      Views/modifies file attributes
      PID:1552
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/blat.dll"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1680
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/block_reader.sys"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1640
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/blat.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1480
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/ldr.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1832
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/mpr.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1072
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/realip.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:860
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/mpr.ini"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1812
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\stop.js"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1488
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\install.bat"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1100
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Windows\System32\de.exe"
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      Views/modifies file attributes
      PID:2012
  - - C:\Windows\SysWOW64\net.exe
      net stop rserver3
      4⤵
      PID:1120
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop rserver3
        5⤵
        
        PID:1588
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/HookLib.dll"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rserver3.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1592
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/blat.lib"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im r_server.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im cam_server.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:760
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r "C:\Windows\system32\cam_server.exe"
      4⤵
      Views/modifies file attributes
      PID:1108
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r "C:\Windows\SysWOW64\cam_server.exe"
      4⤵
      Views/modifies file attributes
      PID:792
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Windows\system32\rserver30"
      4⤵
      Views/modifies file attributes
      PID:1352
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Windows\SysWOW64\rserver30"
      4⤵
      Views/modifies file attributes
      PID:1336
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r "C:\Windows\system32\r_server.exe"
      4⤵
      Views/modifies file attributes
      PID:1388
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r "C:\Windows\SysWOW64\r_server.exe"
      4⤵
      Views/modifies file attributes
      PID:1696
  - - C:\Windows\SysWOW64\net.exe
      net stop Telnet
      4⤵
      PID:1732
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Telnet
        5⤵
        
        PID:1188
  - - C:\Windows\SysWOW64\sc.exe
      sc config tlntsvr start= disabled
      4⤵
      Launches sc.exe
      PID:520
  - - C:\Windows\SysWOW64\net.exe
      net stop "Service Host Controller"
      4⤵
      PID:588
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Service Host Controller"
        5⤵
        
        PID:1704
  - - C:\Windows\SysWOW64\net.exe
      net user HelpAssistant /delete
      4⤵
      PID:1708
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user HelpAssistant /delete
        5⤵
        
        PID:1876
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn security /f
      4⤵
      PID:908
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name="RealIP"
      4⤵
      Modifies Windows Firewall
      PID:900
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name="Microsoft Outlook Express"
      4⤵
      Modifies Windows Firewall
      PID:1976
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name="Service Host Controller"
      4⤵
      Modifies Windows Firewall
      PID:1736
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name="ò«ßΓ-»α«µÑßß ñ½∩ ß½πªí Windows"
      4⤵
      Modifies Windows Firewall
      PID:1768
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name="ò«ßΓ-»α«µÑßß ñ½∩ ºáñáτ Windows"
      4⤵
      Modifies Windows Firewall
      PID:1000
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete portopening tcp 57009
      4⤵
      Modifies Windows Firewall
      PID:1212
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name="cam_server"
      4⤵
      Modifies Windows Firewall
      PID:1100
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete portopening tcp 57011 all
      4⤵
      Modifies Windows Firewall
      PID:1536
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Ä»Ñαáµ¿«¡¡á∩ ß¿ßΓÑ¼á Microsoft Windows" /f
      4⤵
      Modifies registry key
      PID:1112
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Service Host Controller" /f
      4⤵
      Modifies registry key
      PID:1764
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v HelpAssistant /f
      4⤵
      PID:1068
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "cam_server.exe" /f
      4⤵
      PID:1568
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\System\CurrentControlSet\Services\RServer3" /f
      4⤵
      PID:1744
  - - C:\Windows\SysWOW64\catroot3\rutserv.exe
      "rutserv.exe" /silentinstall
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:760
  - - C:\Windows\SysWOW64\catroot3\rutserv.exe
      "rutserv.exe" /firewall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1144
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s set.reg
      4⤵
      Runs .reg file with regedit
      PID:432
  - - C:\Windows\SysWOW64\catroot3\rutserv.exe
      "rutserv.exe" /start
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:980
  - - C:\Users\Admin\AppData\Local\Temp\mpr.exe
      C:\Users\Admin\AppData\Local\Temp\mpr.exe /export
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      outlook_win_path
      PID:1464
  - - C:\Users\Admin\AppData\Local\Temp\realip.exe
      realip.exe
      4⤵
      Executes dropped EXE
      PID:112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  - Deletes itself
  PID:1572

C:\Windows\SysWOW64\catroot3\rutserv.exe
C:\Windows\SysWOW64\catroot3\rutserv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1672
- C:\Windows\SysWOW64\catroot3\rfusclient.exe
  C:\Windows\SysWOW64\catroot3\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:576
- C:\Windows\SysWOW64\catroot3\rfusclient.exe
  C:\Windows\SysWOW64\catroot3\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1320
- - C:\Windows\SysWOW64\catroot3\rfusclient.exe
    C:\Windows\SysWOW64\catroot3\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:1808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
300B

MD5
dc2d67ad4c4725d7a71138a1fb470c9f

SHA1
7737b59981ddc60f4d467778618c3b12505c1e31

SHA256
1cb55cf120d16fc6dc0c5ebd18440eb0431fd35ddb1772a4696a7bd128778e91

SHA512
4723d883727d8261f44b4071fd924145ef7b9f4f8098bc3a16fcc6bb88811eb8b63f2d4ea04103eeb72d4616b3fdcf396fae0e0224279cc4183f86f1c38e4a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\HookLib.dll

Filesize
42KB

MD5
9b2e0db7547afab728ec31b7288705d6

SHA1
cedd09c5fda6c9445d191f97034e23e960361074

SHA256
ff44a0fe9d27fc3c1f455b2b9e989235ea55be4b95ed569be4b15129e624214b

SHA512
1c4c5eb672541a0fd39ed1174bdd3533e136233bd904c2e8bc7ffcab4f3e9835cbc357a66c6704619795ce983ce57a6a8a206aa922addfcc771dd14c277cdf33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft.VC90.CRT.manifest

Filesize
1KB

MD5
53213fc8c2cb0d6f77ca6cbd40fff22c

SHA1
d8ba81ed6586825835b76e9d566077466ee41a85

SHA256
03d0776812368478ce60e8160ec3c6938782db1832f5cb53b7842e5840f9dbc5

SHA512
e3ced32a2eabfd0028ec16e62687573d86c0112b2b1d965f1f9d0bb5557cef5fdf5233e87fe73be621a52affe4ce53bedf958558aa899646fa390f4541cf11eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RIPCServer.dll

Filesize
144KB

MD5
30e269f850baf6ca25187815912e21c5

SHA1
eb160de97d12b4e96f350dd0d0126d41d658afb3

SHA256
379191bfd34d41e96760c7a539e2056a22be3d44bf0e8712b53e443f55aead90

SHA512
9b86a4eefdcae46e605f85e752ef61e39fd0212a19b7fd4c35eb3ab99851a0b906d048d12d1e1e985a340a67a64d405b8cf803555865137278f0c19d686df5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RWLN.dll

Filesize
357KB

MD5
bb1f3e716d12734d1d2d9219a3979a62

SHA1
0ef66eed2f2ae45ec2d478902833b830334109cb

SHA256
d7e9c9043ed7df2af800d9b2a33e3efddf68b70f043e9717afc4b7dd4e13e077

SHA512
bbc90747dd45a01b05f5c0b6fa58ffe18af894b05363267ac1cc9fe3262f5e65c8ae4e08dfd82d89b9112e86e42d24a12784b79f5ea30b6443015c19b6792c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\blat.dll

Filesize
120KB

MD5
724cae63522f6e5f7565a3bf4b2a719b

SHA1
18620dbd4357d85918070f669ff4b61755290757

SHA256
b87814eaf1cd5268e797f1119b58e3fd79381af3f530be9a90993198cbce1779

SHA512
af68749cadf9920a8bed455a2557b1faf475d30fdd62f45da6757fbc5a59341fffeccca4ff646b334da95cf673deeeea74bdbb27a16f510a4e3309055f89817d

Download Submit
C:\Users\Admin\AppData\Local\Temp\blat.exe

Filesize
112KB

MD5
31f84e433e8d1865e322998a41e6d90e

SHA1
cbea6cda10db869636f57b1cffad39b22e6f7f17

SHA256
aeca4a77d617da84296b5f857b2821333fe4b9663e8df74ef5a25a7882693e5e

SHA512
7ae504723b5b140e45af3163d1bfdc5ee0497debafba07cfbf1d2c15147c000be53f4ac8d36d926ed11cf0bb62e9e72f9bcf5d4caf92aa732d942f55834e2be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\blat.lib

Filesize
2KB

MD5
3cd3cffda2b5108e2778f94429c624d6

SHA1
3e4d218d1b8eb4fa1ab5152b126951892aff3dc9

SHA256
b545194041588fc0a6f57e7eb5a93d2418aaa263d246e3c696a79ee5859770ff

SHA512
c80080afcc982c4e950876756fb32c7f24fbe45bfbbe78afe144be1ede86dc9ef1e57db95d3df7f4c6011fd226f23684b929781b55d1be659cfa75d14f8d0c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\block_reader.sys

Filesize
1KB

MD5
b5a0cfd3e6cb42a29255faa1546f420c

SHA1
c55cb0f7b5a04231607498b83629e70105113ee3

SHA256
a2d200514887c6f05c9e6150b57cf4541c4923b857cf15723454885b9353dff0

SHA512
274a7371f1d75803926380fd10c60c9aa1bb1088594e3e0be5db255bb9f31ae178e8f79ba4b2deb49c24289dea5b17d1244c873e038d0a94159252ab62f4342e

Download Submit
C:\Users\Admin\AppData\Local\Temp\de.exe

Filesize
98KB

MD5
b8622a3042d7fa48b2e6de433007c870

SHA1
6399b9d115c3f1d3c5469f81b1a821bf75b75ae8

SHA256
cdb8330b9a36462dad63fb5c98520c4dd1cecf8a20d071bb0eff15ecf9fe0c98

SHA512
19450e826c78cc9526bf9ccba356fa63c8282ae3093db9ad71c1f21bcd80b3850b3aabbd2221fd6ddc293378df3d52ac0484c8882aeee517145d018ce3b4ed73

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsfVorbisDecoder.dll

Filesize
234KB

MD5
8e3f59b8c9dfc933fca30edefeb76186

SHA1
37a78089d5936d1bc3b60915971604c611a94dbd

SHA256
528c0656751b336c10cb4c49b703eae9c3863f7f416d0e09b198b082cc54aeb8

SHA512
3224c20c30556774fd4bed78909f451b9a5a46aa59271b5e88b1e0e60145d217802a8f1fda3d3fabcd8546ca7783e0c70f0c419a28efe6c5160a102553a3c91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsfVorbisEncoder.dll

Filesize
1.6MB

MD5
ff622a8812d8b1eff8f8d1a32087f9d2

SHA1
910615c9374b8734794ac885707ff5370db42ef1

SHA256
1b8fe11c0bdcbf1f4503c478843de02177c606912c89e655e482adec787c2ebf

SHA512
1a7c49f172691bf071df0d47d6ee270afbfa889afb8d5bd893496277fd816630ecd7b50c978b53d88228922ba6070f382b959ffc389394e0f08daab107369931

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiplus.dll

Filesize
1.6MB

MD5
871c903a90c45ca08a9d42803916c3f7

SHA1
d962a12bc15bfb4c505bb63f603ca211588958db

SHA256
f1da32183b3da19f75fa4ef0974a64895266b16d119bbb1da9fe63867dba0645

SHA512
985b0b8b5e3d96acfd0514676d9f0c5d2d8f11e31f01acfa0f7da9af3568e12343ca77f541f55edda6a0e5c14fe733bda5dc1c10bb170d40d15b7a60ad000145

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
5KB

MD5
3de1e7cc5903bc1b4d64b2969f3c80cc

SHA1
c8f693549bfc59a3e5f5fe22a23781d2bd1282e7

SHA256
7d5372a56067fa9fda859c3800f35b57c06c782d262ca39c739d7e5748356718

SHA512
7ee0a78a9eaa2c7799eaa7d67cc2aee6103eb1755b9bb40d200894d020486016d5f3ccccd204b0dea0102488271f138dddd24c7ec18a1031a5a092fbedce6997

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldr.exe

Filesize
22KB

MD5
3311cc6550c3909a5bb9b5de95a36e2a

SHA1
240efc85a3ebd54fd6b05bf6870cbd4b976a35ac

SHA256
3dbc8917f92031cc16c320df25c7adc4d52b075d41b0f813a462c652b9219bbb

SHA512
de424689c70f77cb9183ca03c81e5771e3a9b0061b3be36920f3c3ead9f9a71785f0622adc49ea88c7e8a5677ef8bdf8529db562470578a4e3844bd81072068d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr.exe

Filesize
3.2MB

MD5
4e92ba65478f7178d64b27fff889c27a

SHA1
46f40f8de8c7df06b35cf2136aae5c541085154d

SHA256
23b14703b23dd44c77a47a846c05aebb466d32d0f52de819e2a2aa002314f085

SHA512
50787831327a18f126860ace5d8b75acd27cc06fb76fb06ca42f90796c72e3574f656573ea64334ee825dfdfe20ba5f4def867f158a41887a7adb24714b93467

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr.exe

Filesize
3.2MB

MD5
4e92ba65478f7178d64b27fff889c27a

SHA1
46f40f8de8c7df06b35cf2136aae5c541085154d

SHA256
23b14703b23dd44c77a47a846c05aebb466d32d0f52de819e2a2aa002314f085

SHA512
50787831327a18f126860ace5d8b75acd27cc06fb76fb06ca42f90796c72e3574f656573ea64334ee825dfdfe20ba5f4def867f158a41887a7adb24714b93467

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr.ini

Filesize
238B

MD5
2a80d7e3da38d8a0fa315e4d20978273

SHA1
6d8b8605d525b228b516f03be767414573f4e6a0

SHA256
fd003e9bb9ea10372149f723685837d68ddd0c717323ca1d90c129d32daffeac

SHA512
cb21f9a8a562ba47767916b5105d1421ee07c6420280298be134bd7a9b9ff41eee2f6af4b1423bf83591ffd768e3fccaa5b2a388f34b4e61f8d620b8ce98d699

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcp90.dll

Filesize
556KB

MD5
b2eee3dee31f50e082e9c720a6d7757d

SHA1
3322840fef43c92fb55dc31e682d19970daf159d

SHA256
4608beedd8cf9c3fc5ab03716b4ab6f01c7b7d65a7c072af04f514ffb0e02d01

SHA512
8b1854e80045001e7ab3a978fb4aa1de19a3c9fc206013d7bc43aec919f45e46bb7555f667d9f7d7833ab8baa55c9098af8872006ff277fc364a5e6f99ee25d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcr90.dll

Filesize
637KB

MD5
7538050656fe5d63cb4b80349dd1cfe3

SHA1
f825c40fee87cc9952a61c8c34e9f6eee8da742d

SHA256
e16bc9b66642151de612ee045c2810ca6146975015bd9679a354567f56da2099

SHA512
843e22630254d222dfd12166c701f6cd1dca4a8dc216c7a8c9c0ab1afc90189cfa8b6499bbc46408008a1d985394eb8a660b1fa1991059a65c09e8d6481a3af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\realip.exe

Filesize
40KB

MD5
effa4a5a70423867665d2a46348ecb26

SHA1
8596bef191ed40ade5980abf0158dfd3d193c352

SHA256
03b86eeff30d769e062a3228a0fb3ce6f0f8911093cd2a4a70cade34896f568d

SHA512
d94e48e1722d4814862d78f35800b4d8eff8f17be4902cbe0d2f0355fd3279faa9a403f3e4bb7ed70b44ace8dbb76b65b7c9f6e9ccf17c69e4d17e0895b8dfff

Download Submit
C:\Users\Admin\AppData\Local\Temp\realip.exe

Filesize
40KB

MD5
effa4a5a70423867665d2a46348ecb26

SHA1
8596bef191ed40ade5980abf0158dfd3d193c352

SHA256
03b86eeff30d769e062a3228a0fb3ce6f0f8911093cd2a4a70cade34896f568d

SHA512
d94e48e1722d4814862d78f35800b4d8eff8f17be4902cbe0d2f0355fd3279faa9a403f3e4bb7ed70b44ace8dbb76b65b7c9f6e9ccf17c69e4d17e0895b8dfff

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe

Filesize
3.9MB

MD5
90eacd586dd68ea1ec9b1dc5ae95b194

SHA1
83f684ca1bf003b2c4a687bfffdedbdc08cf9b6b

SHA256
aeee34caaccd42d5558666adcd8400c064a8efcdaaf8df080b68f76ac4608cd3

SHA512
63fd0a9f4f39c5ae27e42dc12b9e05bee60c645828e0a698c937d6033bcf8d09281c59ea9c9384043cc1fe68d767c7f2675da2c0a4b5dbd7783a4bb0ba90904a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe

Filesize
5.0MB

MD5
963e45ab300bb8d5265935459e2515ff

SHA1
a7983b5d3e70ce8b9e444bfd16a8bb9e025a894d

SHA256
a4e95c77f749356fcf9782a3af590ebf5737005eeb143fe8ea2972d2d60a7da8

SHA512
fb231beb0654af04d6ad04b3935f8574044b1deb68cdab8e2df4b76ec34f7ad4c193e9221be090f636580357b66437af69c922832bbd034d60589e56c11c5590

Download Submit
C:\Users\Admin\AppData\Local\Temp\set.reg

Filesize
11KB

MD5
de3c0d745fcb814eff30254f21313967

SHA1
a26661c3c034751fdac45b46cf3e643c3b4f1999

SHA256
6b531173a3221ad1fbd02fa7e60a41bb8ea573d270cde93e9f18bd747aa2ae7c

SHA512
dd928ebf6ab0ddab536662c635ca420b19101c8a9f884447f725e0c82481ea514b81bb56e53a41dfe64cd9f949cb2e38a83863dacb5f6e7dd47f8d53ff67813a

Download Submit
C:\Users\Admin\AppData\Local\Temp\stop.js

Filesize
215B

MD5
804b35ef108ec9839eb6a9335add8ca1

SHA1
bf91e6645c4a1c8cab2d20388469da9ed0a82d56

SHA256
fe111b7ea4e14ab7ba5004aea52b10030e0282bb5c40d4ba55761a2c5be59406

SHA512
822a3ec5e0e353058d4355bc01a44440dafe8d16c57744a3dcbc962eb110ed3f6843556568616bfc5dc7fad5f5832cd27d6591dc50105f2c79fc16c33919936d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vp8decoder.dll

Filesize
403KB

MD5
6f6bfe02e84a595a56b456f72debd4ee

SHA1
90bad3ae1746c7a45df2dbf44cd536eb1bf3c8e2

SHA256
5e59b566eda7bb36f3f5d6dd39858bc9d6cf2c8d81deca4ea3c409804247da51

SHA512
ed2a7402699a6d00d1eac52b0f2dea4475173be3320dfbad5ca58877f06638769533229bc12bce6650726d3166c0e5ebac2dad7171b77b29186d4d5e65818c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\vp8encoder.dll

Filesize
685KB

MD5
c638bca1a67911af7f9ed67e7b501154

SHA1
0fd74d2f1bd78f678b897a776d8bce36742c39b7

SHA256
519078219f7f6db542f747702422f902a21bfc3aef8c6e6c3580e1c5e88162b8

SHA512
ca8133399f61a1f339a14e3fad3bfafc6fe3657801fd66df761c88c18b2dc23ceb02ba6faa536690986972933bec2808254ef143c2c22f881285facb4364659f

Download Submit
C:\Windows\SysWOW64\catroot3\RIPCServer.dll

Filesize
144KB

MD5
30e269f850baf6ca25187815912e21c5

SHA1
eb160de97d12b4e96f350dd0d0126d41d658afb3

SHA256
379191bfd34d41e96760c7a539e2056a22be3d44bf0e8712b53e443f55aead90

SHA512
9b86a4eefdcae46e605f85e752ef61e39fd0212a19b7fd4c35eb3ab99851a0b906d048d12d1e1e985a340a67a64d405b8cf803555865137278f0c19d686df5e7

Download Submit
C:\Windows\SysWOW64\catroot3\RWLN.dll

Filesize
357KB

MD5
bb1f3e716d12734d1d2d9219a3979a62

SHA1
0ef66eed2f2ae45ec2d478902833b830334109cb

SHA256
d7e9c9043ed7df2af800d9b2a33e3efddf68b70f043e9717afc4b7dd4e13e077

SHA512
bbc90747dd45a01b05f5c0b6fa58ffe18af894b05363267ac1cc9fe3262f5e65c8ae4e08dfd82d89b9112e86e42d24a12784b79f5ea30b6443015c19b6792c9c

Download Submit
C:\Windows\SysWOW64\catroot3\dsfVorbisDecoder.dll

Filesize
234KB

MD5
8e3f59b8c9dfc933fca30edefeb76186

SHA1
37a78089d5936d1bc3b60915971604c611a94dbd

SHA256
528c0656751b336c10cb4c49b703eae9c3863f7f416d0e09b198b082cc54aeb8

SHA512
3224c20c30556774fd4bed78909f451b9a5a46aa59271b5e88b1e0e60145d217802a8f1fda3d3fabcd8546ca7783e0c70f0c419a28efe6c5160a102553a3c91d

Download Submit
C:\Windows\SysWOW64\catroot3\dsfVorbisEncoder.dll

Filesize
1.6MB

MD5
ff622a8812d8b1eff8f8d1a32087f9d2

SHA1
910615c9374b8734794ac885707ff5370db42ef1

SHA256
1b8fe11c0bdcbf1f4503c478843de02177c606912c89e655e482adec787c2ebf

SHA512
1a7c49f172691bf071df0d47d6ee270afbfa889afb8d5bd893496277fd816630ecd7b50c978b53d88228922ba6070f382b959ffc389394e0f08daab107369931

Download Submit
C:\Windows\SysWOW64\catroot3\msvcp90.dll

Filesize
556KB

MD5
b2eee3dee31f50e082e9c720a6d7757d

SHA1
3322840fef43c92fb55dc31e682d19970daf159d

SHA256
4608beedd8cf9c3fc5ab03716b4ab6f01c7b7d65a7c072af04f514ffb0e02d01

SHA512
8b1854e80045001e7ab3a978fb4aa1de19a3c9fc206013d7bc43aec919f45e46bb7555f667d9f7d7833ab8baa55c9098af8872006ff277fc364a5e6f99ee25d3

Download Submit
C:\Windows\SysWOW64\catroot3\msvcr90.dll

Filesize
637KB

MD5
7538050656fe5d63cb4b80349dd1cfe3

SHA1
f825c40fee87cc9952a61c8c34e9f6eee8da742d

SHA256
e16bc9b66642151de612ee045c2810ca6146975015bd9679a354567f56da2099

SHA512
843e22630254d222dfd12166c701f6cd1dca4a8dc216c7a8c9c0ab1afc90189cfa8b6499bbc46408008a1d985394eb8a660b1fa1991059a65c09e8d6481a3af8

Download Submit
C:\Windows\SysWOW64\catroot3\rfusclient.exe

Filesize
3.9MB

MD5
90eacd586dd68ea1ec9b1dc5ae95b194

SHA1
83f684ca1bf003b2c4a687bfffdedbdc08cf9b6b

SHA256
aeee34caaccd42d5558666adcd8400c064a8efcdaaf8df080b68f76ac4608cd3

SHA512
63fd0a9f4f39c5ae27e42dc12b9e05bee60c645828e0a698c937d6033bcf8d09281c59ea9c9384043cc1fe68d767c7f2675da2c0a4b5dbd7783a4bb0ba90904a

Download Submit
C:\Windows\SysWOW64\catroot3\rfusclient.exe

Filesize
3.9MB

MD5
90eacd586dd68ea1ec9b1dc5ae95b194

SHA1
83f684ca1bf003b2c4a687bfffdedbdc08cf9b6b

SHA256
aeee34caaccd42d5558666adcd8400c064a8efcdaaf8df080b68f76ac4608cd3

SHA512
63fd0a9f4f39c5ae27e42dc12b9e05bee60c645828e0a698c937d6033bcf8d09281c59ea9c9384043cc1fe68d767c7f2675da2c0a4b5dbd7783a4bb0ba90904a

Download Submit
C:\Windows\SysWOW64\catroot3\rfusclient.exe

Filesize
3.9MB

MD5
90eacd586dd68ea1ec9b1dc5ae95b194

SHA1
83f684ca1bf003b2c4a687bfffdedbdc08cf9b6b

SHA256
aeee34caaccd42d5558666adcd8400c064a8efcdaaf8df080b68f76ac4608cd3

SHA512
63fd0a9f4f39c5ae27e42dc12b9e05bee60c645828e0a698c937d6033bcf8d09281c59ea9c9384043cc1fe68d767c7f2675da2c0a4b5dbd7783a4bb0ba90904a

Download Submit
C:\Windows\SysWOW64\catroot3\rfusclient.exe

Filesize
3.9MB

MD5
90eacd586dd68ea1ec9b1dc5ae95b194

SHA1
83f684ca1bf003b2c4a687bfffdedbdc08cf9b6b

SHA256
aeee34caaccd42d5558666adcd8400c064a8efcdaaf8df080b68f76ac4608cd3

SHA512
63fd0a9f4f39c5ae27e42dc12b9e05bee60c645828e0a698c937d6033bcf8d09281c59ea9c9384043cc1fe68d767c7f2675da2c0a4b5dbd7783a4bb0ba90904a

Download Submit
C:\Windows\SysWOW64\catroot3\rutserv.exe

Filesize
5.0MB

MD5
963e45ab300bb8d5265935459e2515ff

SHA1
a7983b5d3e70ce8b9e444bfd16a8bb9e025a894d

SHA256
a4e95c77f749356fcf9782a3af590ebf5737005eeb143fe8ea2972d2d60a7da8

SHA512
fb231beb0654af04d6ad04b3935f8574044b1deb68cdab8e2df4b76ec34f7ad4c193e9221be090f636580357b66437af69c922832bbd034d60589e56c11c5590

Download Submit
C:\Windows\SysWOW64\catroot3\rutserv.exe

Filesize
5.0MB

MD5
963e45ab300bb8d5265935459e2515ff

SHA1
a7983b5d3e70ce8b9e444bfd16a8bb9e025a894d

SHA256
a4e95c77f749356fcf9782a3af590ebf5737005eeb143fe8ea2972d2d60a7da8

SHA512
fb231beb0654af04d6ad04b3935f8574044b1deb68cdab8e2df4b76ec34f7ad4c193e9221be090f636580357b66437af69c922832bbd034d60589e56c11c5590

Download Submit
C:\Windows\SysWOW64\catroot3\rutserv.exe

Filesize
5.0MB

MD5
963e45ab300bb8d5265935459e2515ff

SHA1
a7983b5d3e70ce8b9e444bfd16a8bb9e025a894d

SHA256
a4e95c77f749356fcf9782a3af590ebf5737005eeb143fe8ea2972d2d60a7da8

SHA512
fb231beb0654af04d6ad04b3935f8574044b1deb68cdab8e2df4b76ec34f7ad4c193e9221be090f636580357b66437af69c922832bbd034d60589e56c11c5590

Download Submit
C:\Windows\SysWOW64\catroot3\rutserv.exe

Filesize
5.0MB

MD5
963e45ab300bb8d5265935459e2515ff

SHA1
a7983b5d3e70ce8b9e444bfd16a8bb9e025a894d

SHA256
a4e95c77f749356fcf9782a3af590ebf5737005eeb143fe8ea2972d2d60a7da8

SHA512
fb231beb0654af04d6ad04b3935f8574044b1deb68cdab8e2df4b76ec34f7ad4c193e9221be090f636580357b66437af69c922832bbd034d60589e56c11c5590

Download Submit
C:\Windows\SysWOW64\catroot3\set.reg

Filesize
11KB

MD5
de3c0d745fcb814eff30254f21313967

SHA1
a26661c3c034751fdac45b46cf3e643c3b4f1999

SHA256
6b531173a3221ad1fbd02fa7e60a41bb8ea573d270cde93e9f18bd747aa2ae7c

SHA512
dd928ebf6ab0ddab536662c635ca420b19101c8a9f884447f725e0c82481ea514b81bb56e53a41dfe64cd9f949cb2e38a83863dacb5f6e7dd47f8d53ff67813a

Download Submit
C:\Windows\SysWOW64\de.exe

Filesize
98KB

MD5
b8622a3042d7fa48b2e6de433007c870

SHA1
6399b9d115c3f1d3c5469f81b1a821bf75b75ae8

SHA256
cdb8330b9a36462dad63fb5c98520c4dd1cecf8a20d071bb0eff15ecf9fe0c98

SHA512
19450e826c78cc9526bf9ccba356fa63c8282ae3093db9ad71c1f21bcd80b3850b3aabbd2221fd6ddc293378df3d52ac0484c8882aeee517145d018ce3b4ed73

Download Submit
\Users\Admin\AppData\Local\Temp\mpr.exe

Filesize
3.2MB

MD5
4e92ba65478f7178d64b27fff889c27a

SHA1
46f40f8de8c7df06b35cf2136aae5c541085154d

SHA256
23b14703b23dd44c77a47a846c05aebb466d32d0f52de819e2a2aa002314f085

SHA512
50787831327a18f126860ace5d8b75acd27cc06fb76fb06ca42f90796c72e3574f656573ea64334ee825dfdfe20ba5f4def867f158a41887a7adb24714b93467

Download Submit
\Users\Admin\AppData\Local\Temp\realip.exe

Filesize
40KB

MD5
effa4a5a70423867665d2a46348ecb26

SHA1
8596bef191ed40ade5980abf0158dfd3d193c352

SHA256
03b86eeff30d769e062a3228a0fb3ce6f0f8911093cd2a4a70cade34896f568d

SHA512
d94e48e1722d4814862d78f35800b4d8eff8f17be4902cbe0d2f0355fd3279faa9a403f3e4bb7ed70b44ace8dbb76b65b7c9f6e9ccf17c69e4d17e0895b8dfff

Download Submit
\Users\Admin\AppData\Local\Temp\realip.exe

Filesize
40KB

MD5
effa4a5a70423867665d2a46348ecb26

SHA1
8596bef191ed40ade5980abf0158dfd3d193c352

SHA256
03b86eeff30d769e062a3228a0fb3ce6f0f8911093cd2a4a70cade34896f568d

SHA512
d94e48e1722d4814862d78f35800b4d8eff8f17be4902cbe0d2f0355fd3279faa9a403f3e4bb7ed70b44ace8dbb76b65b7c9f6e9ccf17c69e4d17e0895b8dfff

Download Submit
\Windows\SysWOW64\catroot3\rfusclient.exe

Filesize
3.9MB

MD5
90eacd586dd68ea1ec9b1dc5ae95b194

SHA1
83f684ca1bf003b2c4a687bfffdedbdc08cf9b6b

SHA256
aeee34caaccd42d5558666adcd8400c064a8efcdaaf8df080b68f76ac4608cd3

SHA512
63fd0a9f4f39c5ae27e42dc12b9e05bee60c645828e0a698c937d6033bcf8d09281c59ea9c9384043cc1fe68d767c7f2675da2c0a4b5dbd7783a4bb0ba90904a

Download Submit
\Windows\SysWOW64\catroot3\rfusclient.exe

Filesize
3.9MB

MD5
90eacd586dd68ea1ec9b1dc5ae95b194

SHA1
83f684ca1bf003b2c4a687bfffdedbdc08cf9b6b

SHA256
aeee34caaccd42d5558666adcd8400c064a8efcdaaf8df080b68f76ac4608cd3

SHA512
63fd0a9f4f39c5ae27e42dc12b9e05bee60c645828e0a698c937d6033bcf8d09281c59ea9c9384043cc1fe68d767c7f2675da2c0a4b5dbd7783a4bb0ba90904a

Download Submit
\Windows\SysWOW64\catroot3\rutserv.exe

Filesize
5.0MB

MD5
963e45ab300bb8d5265935459e2515ff

SHA1
a7983b5d3e70ce8b9e444bfd16a8bb9e025a894d

SHA256
a4e95c77f749356fcf9782a3af590ebf5737005eeb143fe8ea2972d2d60a7da8

SHA512
fb231beb0654af04d6ad04b3935f8574044b1deb68cdab8e2df4b76ec34f7ad4c193e9221be090f636580357b66437af69c922832bbd034d60589e56c11c5590

Download Submit
\Windows\SysWOW64\catroot3\rutserv.exe

Filesize
5.0MB

MD5
963e45ab300bb8d5265935459e2515ff

SHA1
a7983b5d3e70ce8b9e444bfd16a8bb9e025a894d

SHA256
a4e95c77f749356fcf9782a3af590ebf5737005eeb143fe8ea2972d2d60a7da8

SHA512
fb231beb0654af04d6ad04b3935f8574044b1deb68cdab8e2df4b76ec34f7ad4c193e9221be090f636580357b66437af69c922832bbd034d60589e56c11c5590

Download Submit
\Windows\SysWOW64\catroot3\rutserv.exe

Filesize
5.0MB

MD5
963e45ab300bb8d5265935459e2515ff

SHA1
a7983b5d3e70ce8b9e444bfd16a8bb9e025a894d

SHA256
a4e95c77f749356fcf9782a3af590ebf5737005eeb143fe8ea2972d2d60a7da8

SHA512
fb231beb0654af04d6ad04b3935f8574044b1deb68cdab8e2df4b76ec34f7ad4c193e9221be090f636580357b66437af69c922832bbd034d60589e56c11c5590

Download Submit
memory/112-189-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1388-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1740-187-0x0000000000200000-0x0000000000218000-memory.dmp

Filesize
96KB

Download
memory/1740-191-0x0000000000200000-0x0000000000218000-memory.dmp

Filesize
96KB

Download
memory/1740-190-0x0000000000200000-0x0000000000218000-memory.dmp

Filesize
96KB

Download
memory/1740-188-0x0000000000200000-0x0000000000218000-memory.dmp

Filesize
96KB

Download