rms | b572ab61e1dff278bb02d448a0d71c6b4e1802e206d3a6edd0fab6ad86e83eb0

Analysis

max time kernel
147s
max time network
172s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b572ab61e1dff278bb02d448a0d71c6b4e1802e206d3a6edd0fab6ad86e83eb0.exe
Size

2.3MB
MD5

1c325867a3bc061416ecbd299cfe3bea
SHA1

ddbaf9c99638552618f07766fb2874c6cb9c689d
SHA256

b572ab61e1dff278bb02d448a0d71c6b4e1802e206d3a6edd0fab6ad86e83eb0
SHA512

80e5621f29f4bf9642a8fa4b10310eb62f52d27fcbce2d79886a1448e04082d42d5a3e2dfc333149c73bbd60024e24f530f5e90855f8f662276c06ad2597bdb6
SSDEEP

49152:QAJYZmA562y6sq82PQyN8XEPkNVGsbYGDEPwRk33O8RQRhBrTG0yXeF1F/8gfaoE:7JYYA562yn4OVeMswRkfqFTG0UI/xfaF

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 6 IoCs

pid	Process
1380	svchoct.exe
1520	svchoct.exe
1368	svchoct.exe
1000	svchoct.exe
2016	Explorernt.exe
1996	Explorernt.exe

Modifies Windows Firewall 1 TTPs 8 IoCs

evasion

Modify Existing Service

T1031

pid	Process
532	netsh.exe
1964	netsh.exe
1608	netsh.exe
656	netsh.exe
1708	netsh.exe
1164	netsh.exe
1944	netsh.exe
676	netsh.exe

Sets file to hidden 1 TTPs 12 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1068	attrib.exe
1040	attrib.exe
1032	attrib.exe
2016	attrib.exe
532	attrib.exe
1996	attrib.exe
1880	attrib.exe
1120	attrib.exe
1544	attrib.exe
1176	attrib.exe
1452	attrib.exe
316	attrib.exe

Deletes itself 1 IoCs

pid	Process
1184	cmd.exe

Loads dropped DLL 10 IoCs

pid	Process
1740	cmd.exe
1380	svchoct.exe
1740	cmd.exe
1520	svchoct.exe
1740	cmd.exe
1368	svchoct.exe
1000	svchoct.exe
1000	svchoct.exe
2016	Explorernt.exe
1996	Explorernt.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\catroot3\HookDrv.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\dsfTheoraEncoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\RIPCServer.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\rversionlib.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\dsfVorbisEncoder.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\dsfTheoraEncoder.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\Explorernt.exe	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\rversionlib.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\Explorernt.exe	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\Microsoft.VC80.CRT.manifest	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\RIPCServer.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\set.reg	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\dsfOggMux.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\HookDrv.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\msvcr80.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\svchoct.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\msvcr80.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\dsfOggMux.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\dsfVorbisEncoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\Microsoft.VC80.CRT.manifest	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\msvcp80.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\msvcp80.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3	attrib.exe
File created	C:\Windows\SysWOW64\catroot3\PushSource.ax	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\svchoct.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\set.reg	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\PushSource.ax	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1312	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 5 IoCs

evasion

pid	Process
320	taskkill.exe
1704	taskkill.exe
1716	taskkill.exe
932	taskkill.exe
1592	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
908	reg.exe
1616	reg.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1508	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1000	svchoct.exe
1000	svchoct.exe
2016	Explorernt.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	320	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	932	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1380	svchoct.exe
Token: SeDebugPrivilege	1368	svchoct.exe
Token: SeTakeOwnershipPrivilege	1000	svchoct.exe
Token: SeTcbPrivilege	1000	svchoct.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 856	880	b572ab61e1dff278bb02d448a0d71c6b4e1802e206d3a6edd0fab6ad86e83eb0.exe	28
PID 880 wrote to memory of 856	880	b572ab61e1dff278bb02d448a0d71c6b4e1802e206d3a6edd0fab6ad86e83eb0.exe	28
PID 880 wrote to memory of 856	880	b572ab61e1dff278bb02d448a0d71c6b4e1802e206d3a6edd0fab6ad86e83eb0.exe	28
PID 880 wrote to memory of 856	880	b572ab61e1dff278bb02d448a0d71c6b4e1802e206d3a6edd0fab6ad86e83eb0.exe	28
PID 856 wrote to memory of 1740	856	WScript.exe	29
PID 856 wrote to memory of 1740	856	WScript.exe	29
PID 856 wrote to memory of 1740	856	WScript.exe	29
PID 856 wrote to memory of 1740	856	WScript.exe	29
PID 856 wrote to memory of 1740	856	WScript.exe	29
PID 856 wrote to memory of 1740	856	WScript.exe	29
PID 856 wrote to memory of 1740	856	WScript.exe	29
PID 880 wrote to memory of 1184	880	b572ab61e1dff278bb02d448a0d71c6b4e1802e206d3a6edd0fab6ad86e83eb0.exe	31
PID 880 wrote to memory of 1184	880	b572ab61e1dff278bb02d448a0d71c6b4e1802e206d3a6edd0fab6ad86e83eb0.exe	31
PID 880 wrote to memory of 1184	880	b572ab61e1dff278bb02d448a0d71c6b4e1802e206d3a6edd0fab6ad86e83eb0.exe	31
PID 880 wrote to memory of 1184	880	b572ab61e1dff278bb02d448a0d71c6b4e1802e206d3a6edd0fab6ad86e83eb0.exe	31
PID 1740 wrote to memory of 320	1740	cmd.exe	33
PID 1740 wrote to memory of 320	1740	cmd.exe	33
PID 1740 wrote to memory of 320	1740	cmd.exe	33
PID 1740 wrote to memory of 320	1740	cmd.exe	33
PID 1740 wrote to memory of 1704	1740	cmd.exe	35
PID 1740 wrote to memory of 1704	1740	cmd.exe	35
PID 1740 wrote to memory of 1704	1740	cmd.exe	35
PID 1740 wrote to memory of 1704	1740	cmd.exe	35
PID 1740 wrote to memory of 1504	1740	cmd.exe	36
PID 1740 wrote to memory of 1504	1740	cmd.exe	36
PID 1740 wrote to memory of 1504	1740	cmd.exe	36
PID 1740 wrote to memory of 1504	1740	cmd.exe	36
PID 1740 wrote to memory of 1040	1740	cmd.exe	37
PID 1740 wrote to memory of 1040	1740	cmd.exe	37
PID 1740 wrote to memory of 1040	1740	cmd.exe	37
PID 1740 wrote to memory of 1040	1740	cmd.exe	37
PID 1740 wrote to memory of 1032	1740	cmd.exe	38
PID 1740 wrote to memory of 1032	1740	cmd.exe	38
PID 1740 wrote to memory of 1032	1740	cmd.exe	38
PID 1740 wrote to memory of 1032	1740	cmd.exe	38
PID 1740 wrote to memory of 2016	1740	cmd.exe	39
PID 1740 wrote to memory of 2016	1740	cmd.exe	39
PID 1740 wrote to memory of 2016	1740	cmd.exe	39
PID 1740 wrote to memory of 2016	1740	cmd.exe	39
PID 1740 wrote to memory of 532	1740	cmd.exe	40
PID 1740 wrote to memory of 532	1740	cmd.exe	40
PID 1740 wrote to memory of 532	1740	cmd.exe	40
PID 1740 wrote to memory of 532	1740	cmd.exe	40
PID 1740 wrote to memory of 1996	1740	cmd.exe	41
PID 1740 wrote to memory of 1996	1740	cmd.exe	41
PID 1740 wrote to memory of 1996	1740	cmd.exe	41
PID 1740 wrote to memory of 1996	1740	cmd.exe	41
PID 1740 wrote to memory of 1120	1740	cmd.exe	42
PID 1740 wrote to memory of 1120	1740	cmd.exe	42
PID 1740 wrote to memory of 1120	1740	cmd.exe	42
PID 1740 wrote to memory of 1120	1740	cmd.exe	42
PID 1740 wrote to memory of 1544	1740	cmd.exe	43
PID 1740 wrote to memory of 1544	1740	cmd.exe	43
PID 1740 wrote to memory of 1544	1740	cmd.exe	43
PID 1740 wrote to memory of 1544	1740	cmd.exe	43
PID 1740 wrote to memory of 1880	1740	cmd.exe	44
PID 1740 wrote to memory of 1880	1740	cmd.exe	44
PID 1740 wrote to memory of 1880	1740	cmd.exe	44
PID 1740 wrote to memory of 1880	1740	cmd.exe	44
PID 1740 wrote to memory of 1176	1740	cmd.exe	45
PID 1740 wrote to memory of 1176	1740	cmd.exe	45
PID 1740 wrote to memory of 1176	1740	cmd.exe	45
PID 1740 wrote to memory of 1176	1740	cmd.exe	45
PID 1740 wrote to memory of 1068	1740	cmd.exe	46

Views/modifies file attributes 1 TTPs 28 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
904	attrib.exe
1120	attrib.exe
1360	attrib.exe
1716	attrib.exe
1376	attrib.exe
1708	attrib.exe
1040	attrib.exe
1880	attrib.exe
1176	attrib.exe
316	attrib.exe
2016	attrib.exe
1544	attrib.exe
1456	attrib.exe
284	attrib.exe
1560	attrib.exe
280	attrib.exe
1032	attrib.exe
1068	attrib.exe
968	attrib.exe
1792	attrib.exe
976	attrib.exe
1452	attrib.exe
1452	attrib.exe
1364	attrib.exe
1100	attrib.exe
532	attrib.exe
1996	attrib.exe
696	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b572ab61e1dff278bb02d448a0d71c6b4e1802e206d3a6edd0fab6ad86e83eb0.exe
"C:\Users\Admin\AppData\Local\Temp\b572ab61e1dff278bb02d448a0d71c6b4e1802e206d3a6edd0fab6ad86e83eb0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\stop.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im RManServer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:320
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im svchoct.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1704
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      4⤵
      PID:1504
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Windows\System32\catroot3"
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      Views/modifies file attributes
      PID:1040
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/blat.dll"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1032
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/blat.lib"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2016
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/block_reader.sys"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:532
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/HookLib.dll"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1996
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/blat.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1120
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/mpr.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1544
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/realip.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1880
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/mpr.ini"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1176
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\stop.js"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1068
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\install.bat"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1452
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Windows\System32\de.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:316
  - - C:\Windows\SysWOW64\net.exe
      net stop rserver3
      4⤵
      PID:1748
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop rserver3
        5⤵
        
        PID:1744
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rserver3.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im r_server.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im cam_server.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1592
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r "C:\Windows\system32\cam_server.exe"
      4⤵
      Views/modifies file attributes
      PID:968
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r "C:\Windows\SysWOW64\cam_server.exe"
      4⤵
      Views/modifies file attributes
      PID:696
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Windows\system32\rserver30"
      4⤵
      Views/modifies file attributes
      PID:1364
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Windows\SysWOW64\rserver30"
      4⤵
      Views/modifies file attributes
      PID:1792
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r "C:\Windows\system32\r_server.exe"
      4⤵
      Views/modifies file attributes
      PID:976
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r "C:\Windows\SysWOW64\r_server.exe"
      4⤵
      Views/modifies file attributes
      PID:1360
  - - C:\Windows\SysWOW64\net.exe
      net stop Telnet
      4⤵
      PID:856
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Telnet
        5⤵
        
        PID:1776
  - - C:\Windows\SysWOW64\sc.exe
      sc config tlntsvr start= disabled
      4⤵
      Launches sc.exe
      PID:1312
  - - C:\Windows\SysWOW64\net.exe
      net stop "Service Host Controller"
      4⤵
      PID:644
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Service Host Controller"
        5⤵
        
        PID:1184
  - - C:\Windows\SysWOW64\net.exe
      net user HelpAssistant /delete
      4⤵
      PID:1368
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user HelpAssistant /delete
        5⤵
        
        PID:276
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn security /f
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name="RealIP"
      4⤵
      Modifies Windows Firewall
      PID:1164
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name="Microsoft Outlook Express"
      4⤵
      Modifies Windows Firewall
      PID:1944
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name="Service Host Controller"
      4⤵
      Modifies Windows Firewall
      PID:676
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name="ò«ßΓ-»α«µÑßß ñ½∩ ß½πªí Windows"
      4⤵
      Modifies Windows Firewall
      PID:532
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name="ò«ßΓ-»α«µÑßß ñ½∩ ºáñáτ Windows"
      4⤵
      Modifies Windows Firewall
      PID:1964
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete portopening tcp 57009
      4⤵
      Modifies Windows Firewall
      PID:1608
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name="cam_server"
      4⤵
      Modifies Windows Firewall
      PID:656
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete portopening tcp 57011 all
      4⤵
      Modifies Windows Firewall
      PID:1708
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Ä»Ñαáµ¿«¡¡á∩ ß¿ßΓÑ¼á Microsoft Windows" /f
      4⤵
      Modifies registry key
      PID:908
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Service Host Controller" /f
      4⤵
      Modifies registry key
      PID:1616
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v HelpAssistant /f
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "cam_server.exe" /f
      4⤵
      PID:1644
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\System\CurrentControlSet\Services\RServer3" /f
      4⤵
      PID:956
  - - C:\Windows\SysWOW64\catroot3\svchoct.exe
      "svchoct.exe" /silentinstall
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1380
  - - C:\Windows\SysWOW64\catroot3\svchoct.exe
      "svchoct.exe" /firewall
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1520
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s set.reg
      4⤵
      Runs .reg file with regedit
      PID:1508
  - - C:\Windows\SysWOW64\catroot3\svchoct.exe
      "svchoct.exe" /start
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1368
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp/blat.dll"
      4⤵
      Views/modifies file attributes
      PID:904
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp/blat.lib"
      4⤵
      Views/modifies file attributes
      PID:1456
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp/block_reader.sys"
      4⤵
      Views/modifies file attributes
      PID:1452
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp/HookLib.dll"
      4⤵
      Views/modifies file attributes
      PID:1100
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp/blat.exe"
      4⤵
      Views/modifies file attributes
      PID:1716
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp/mpr.exe"
      4⤵
      Views/modifies file attributes
      PID:284
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp/realip.exe"
      4⤵
      Views/modifies file attributes
      PID:1560
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp/mpr.ini"
      4⤵
      Views/modifies file attributes
      PID:1376
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp\stop.js"
      4⤵
      Views/modifies file attributes
      PID:280
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp\install.bat"
      4⤵
      Views/modifies file attributes
      PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  - Deletes itself
  PID:1184

C:\Windows\SysWOW64\catroot3\svchoct.exe
C:\Windows\SysWOW64\catroot3\svchoct.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000
- C:\Windows\SysWOW64\catroot3\Explorernt.exe
  C:\Windows\SysWOW64\catroot3\Explorernt.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2016
- C:\Windows\SysWOW64\catroot3\Explorernt.exe
  C:\Windows\SysWOW64\catroot3\Explorernt.exe /tray
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
300B

MD5
467c6718f6df5c8c072cda4b7e1de52c

SHA1
3344ea283a3be16f69380b84ef61803e218c3671

SHA256
e1679431c1fc5289c6912e0a704eda7d845337b77313433612b05eae3babe971

SHA512
f116bf2f81124fa1a9798ea359a3772bdfd1ce57f3d47a67815c80336602968728ee36533a65a6795e545812baa6bc501aba28e7e5e1991c506dea7eb761a543

Download Submit
C:\Users\Admin\AppData\Local\Temp\Explorernt.exe

Filesize
2.8MB

MD5
a0924820769909ca25e9eea948b7d8ad

SHA1
e70e1a1662a4fe966e38218beb777516c3db4e37

SHA256
74fe2a1e6116c5a199dcc6aa738d546bfc55b41edc1b7c5459019e7d18ae5e36

SHA512
e3d5b963b0358b08301eaed387d1d206da408096ca895b6262b2eb79a026314821885477a07fce78b9107b8c8169cc6c4d52e404c4b01b3a8bb33569929b8073

Download Submit
C:\Users\Admin\AppData\Local\Temp\HookDrv.dll

Filesize
144KB

MD5
513066a38057079e232f5f99baef2b94

SHA1
a6da9e87415b8918447ec361ba98703d12b4ee76

SHA256
02dbea75e8dbcdfc12c6b92a6c08efad83d4ca742ed7aee393ab26cab0c58f9e

SHA512
83a074bef57f78ede2488dd586b963b92837e17eea77ebd1464f3da06954ae8ca07f040089af0c257e2836611ae39424574bd365aea4a6318a2707e031cd31a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft.VC80.CRT.manifest

Filesize
1KB

MD5
d34b3da03c59f38a510eaa8ccc151ec7

SHA1
41b978588a9902f5e14b2b693973cb210ed900b2

SHA256
a50941352cb9d8f7ba6fbf7db5c8af95fb5ab76fc5d60cfd0984e558678908cc

SHA512
231a97761d652a0fc133b930abba07d456ba6cd70703a632fd7292f6ee00e50ef28562159e54acc3fc6cc118f766ea3f2f8392579ae31cc9c0c1c0dd761d36f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\PushSource.ax

Filesize
448KB

MD5
d7eb741be9c97a6d1063102f0e4ca44d

SHA1
bf8bdca7f56ed39fb96141ae9593dec497f4e2c8

SHA256
0914ab04bfd258008fec4605c3fa0e23c0d5111b9cfc374cfa4eaa1b4208dff7

SHA512
cbcaedf5aca641313ba2708e4be3ea0d18dd63e4543f2c2fdcbd31964a2c01ff42724ec666da24bf7bf7b8faaa5eceae761edf82c71919753d42695c9588e65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RIPCServer.dll

Filesize
96KB

MD5
329354f10504d225384e19c8c1c575db

SHA1
9ef0b6256f3c5bbeb444cb00ee4b278847e8aa66

SHA256
24735b40df2cdac4da4e3201fc597eed5566c5c662aa312fa491b7a24e244844

SHA512
876585dd23f799f1b7cef365d3030213338b3c88bc2b20174e7c109248319bb5a3feaef43c0b962f459b2f4d90ff252c4704d6f1a0908b087e24b4f03eba9c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsfOggMux.dll

Filesize
84KB

MD5
65889701199e41ae2abee652a232af6e

SHA1
3f76c39fde130b550013a4f13bfea2862b5628cf

SHA256
ef12a65d861a14aed28480946bc56fce479a21e9beac2983239eac6551d4f32e

SHA512
edbb1a1541a546d69e3fd64047a20613b47b3c08f2b639a53160b825c4a1462c4cc08a7bf417aa2db814f412fb16619c6c0d9364e21cc1c6d753ecf81f1d30f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsfTheoraEncoder.dll

Filesize
240KB

MD5
5f2fc8a0d96a1e796a4daae9465f5dd6

SHA1
224f13f3cbaa441c0cb6d6300715fda7136408ea

SHA256
f8686d8752801bb21c3d94ebe743758d79b9b59f33589ec8620e75a949d1871f

SHA512
da866275159b434205f259176c3937b7c77b14ed95d052152b05b984909e094bbd3b2702d3e874a4a1e1bc02fc5a8476ea43df8aee43542d56e832eacc8f54ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsfVorbisEncoder.dll

Filesize
1.6MB

MD5
086a9fd9179aad7911561eeff08cf7e2

SHA1
d390c28376e08769a06a4a8b46609b3a668f728b

SHA256
2cede6701b73a4ddd6422fde157ea54644a3a9598b3ba217cf2b30b595cf6282

SHA512
a98f593a306208da49e57e265daf37d6b1bd9f190fba45d65dd6cfa08801b760f540ea5cc443f9a1512eb5ddc01b1e4e28fc8ddecb9c0f1d42c884c4efaa7193

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
5KB

MD5
0bc7d3a303e0c6d7d84f1db5d5efef43

SHA1
93bc6ca6f770ec2c6f99a5bb3d482fd029bc2c63

SHA256
e61b80f090c29a367f6ab31602da917a9d67a1be5ef0d758f258b792e219913c

SHA512
b5e801510b8464fc387521853fb09174ce16d54e70bd0d145d717f965e6df04fcfea4a6687c2ae8ac3f95d59ed6027fb7a337b50d962f0aaeed71d85219b8d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcp80.dll

Filesize
541KB

MD5
8c53ccd787c381cd535d8dcca12584d8

SHA1
bc7ce60270a58450596aa3e3e5d0a99f731333d9

SHA256
384aaee2a103f7ed5c3ba59d4fb2ba22313aaa1fbc5d232c29dbc14d38e0b528

SHA512
e86c1426f1ad62d8f9bb1196dee647477f71b9aacafabb181f35e639c105779f95f1576b72c0a9216e876430383b8d44f27748b13c25e0548c254a0f641e4755

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcr80.dll

Filesize
617KB

MD5
1169436ee42f860c7db37a4692b38f0e

SHA1
4ccd15bf2c1b1d541ac883b0f42497e8ced6a5a3

SHA256
9382aaed2db19cd75a70e38964f06c63f19f63c9dfb5a33b0c2d445bb41b6e46

SHA512
e06064eb95a2ab9c3343672072f5b3f5983fc8ea9e5c92f79e50ba2e259d6d5fa8ed97170dea6d0d032ea6c01e074eefaab850d28965c7522fb7e03d9c65eae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rversionlib.dll

Filesize
310KB

MD5
3f95a06f40eaf51b86cef2bf036ebd7a

SHA1
64009c5f79661eb2f82c9a76a843c0d3a856695d

SHA256
1eb88258b18b215b44620326e35c90a8589f384710e7b2d61abf4f59203bd82d

SHA512
6f28b5de28026319bed198f06b5461f688ca401129f1125e9e9d3b58956cc0d546234c2d202827bd74b99afd2ead958a863a520a1f4b7e599d385a8a67062897

Download Submit
C:\Users\Admin\AppData\Local\Temp\set.reg

Filesize
12KB

MD5
26554b7c1085b248da68c14d6437ba18

SHA1
0c55725c7f9295c2c4b69719fb98736e66658606

SHA256
564f9a4cf6581b38bc0360fff19c26df062344444b8b60ddfe86eb0194269e74

SHA512
99b110a73875ffa59b56f50e4e10e6c28c390fcdd285f19bc7b238329b870eca322b47619f4e1181c3737f011df738fdddee01b1b654266405b2a31003075135

Download Submit
C:\Users\Admin\AppData\Local\Temp\stop.js

Filesize
215B

MD5
804b35ef108ec9839eb6a9335add8ca1

SHA1
bf91e6645c4a1c8cab2d20388469da9ed0a82d56

SHA256
fe111b7ea4e14ab7ba5004aea52b10030e0282bb5c40d4ba55761a2c5be59406

SHA512
822a3ec5e0e353058d4355bc01a44440dafe8d16c57744a3dcbc962eb110ed3f6843556568616bfc5dc7fad5f5832cd27d6591dc50105f2c79fc16c33919936d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchoct.exe

Filesize
3.2MB

MD5
8ae3deecb2b1f16a7adcf3aeaffb487d

SHA1
0370c0e6b81dea9df7737923cfe36aebdd1623b6

SHA256
502092b56790f889fe210b67da27dfe32c434c7e5e8d3e9625dc13381853fbac

SHA512
59534db91aecdd9ee65fad026fdd719a22f9d6dad2682cfa97776fe75b4bd9807acb41a2589229c418b77caabcb7f538d168207e2f6f5adaf64a7b13930db1f5

Download Submit
C:\Windows\SysWOW64\catroot3\Explorernt.exe

Filesize
2.8MB

MD5
a0924820769909ca25e9eea948b7d8ad

SHA1
e70e1a1662a4fe966e38218beb777516c3db4e37

SHA256
74fe2a1e6116c5a199dcc6aa738d546bfc55b41edc1b7c5459019e7d18ae5e36

SHA512
e3d5b963b0358b08301eaed387d1d206da408096ca895b6262b2eb79a026314821885477a07fce78b9107b8c8169cc6c4d52e404c4b01b3a8bb33569929b8073

Download Submit
C:\Windows\SysWOW64\catroot3\Explorernt.exe

Filesize
2.8MB

MD5
a0924820769909ca25e9eea948b7d8ad

SHA1
e70e1a1662a4fe966e38218beb777516c3db4e37

SHA256
74fe2a1e6116c5a199dcc6aa738d546bfc55b41edc1b7c5459019e7d18ae5e36

SHA512
e3d5b963b0358b08301eaed387d1d206da408096ca895b6262b2eb79a026314821885477a07fce78b9107b8c8169cc6c4d52e404c4b01b3a8bb33569929b8073

Download Submit
C:\Windows\SysWOW64\catroot3\Explorernt.exe

Filesize
2.8MB

MD5
a0924820769909ca25e9eea948b7d8ad

SHA1
e70e1a1662a4fe966e38218beb777516c3db4e37

SHA256
74fe2a1e6116c5a199dcc6aa738d546bfc55b41edc1b7c5459019e7d18ae5e36

SHA512
e3d5b963b0358b08301eaed387d1d206da408096ca895b6262b2eb79a026314821885477a07fce78b9107b8c8169cc6c4d52e404c4b01b3a8bb33569929b8073

Download Submit
C:\Windows\SysWOW64\catroot3\HookDrv.dll

Filesize
144KB

MD5
513066a38057079e232f5f99baef2b94

SHA1
a6da9e87415b8918447ec361ba98703d12b4ee76

SHA256
02dbea75e8dbcdfc12c6b92a6c08efad83d4ca742ed7aee393ab26cab0c58f9e

SHA512
83a074bef57f78ede2488dd586b963b92837e17eea77ebd1464f3da06954ae8ca07f040089af0c257e2836611ae39424574bd365aea4a6318a2707e031cd31a5

Download Submit
C:\Windows\SysWOW64\catroot3\RIPCServer.dll

Filesize
96KB

MD5
329354f10504d225384e19c8c1c575db

SHA1
9ef0b6256f3c5bbeb444cb00ee4b278847e8aa66

SHA256
24735b40df2cdac4da4e3201fc597eed5566c5c662aa312fa491b7a24e244844

SHA512
876585dd23f799f1b7cef365d3030213338b3c88bc2b20174e7c109248319bb5a3feaef43c0b962f459b2f4d90ff252c4704d6f1a0908b087e24b4f03eba9c0e

Download Submit
C:\Windows\SysWOW64\catroot3\dsfOggMux.dll

Filesize
84KB

MD5
65889701199e41ae2abee652a232af6e

SHA1
3f76c39fde130b550013a4f13bfea2862b5628cf

SHA256
ef12a65d861a14aed28480946bc56fce479a21e9beac2983239eac6551d4f32e

SHA512
edbb1a1541a546d69e3fd64047a20613b47b3c08f2b639a53160b825c4a1462c4cc08a7bf417aa2db814f412fb16619c6c0d9364e21cc1c6d753ecf81f1d30f5

Download Submit
C:\Windows\SysWOW64\catroot3\dsfTheoraEncoder.dll

Filesize
240KB

MD5
5f2fc8a0d96a1e796a4daae9465f5dd6

SHA1
224f13f3cbaa441c0cb6d6300715fda7136408ea

SHA256
f8686d8752801bb21c3d94ebe743758d79b9b59f33589ec8620e75a949d1871f

SHA512
da866275159b434205f259176c3937b7c77b14ed95d052152b05b984909e094bbd3b2702d3e874a4a1e1bc02fc5a8476ea43df8aee43542d56e832eacc8f54ad

Download Submit
C:\Windows\SysWOW64\catroot3\dsfVorbisEncoder.dll

Filesize
1.6MB

MD5
086a9fd9179aad7911561eeff08cf7e2

SHA1
d390c28376e08769a06a4a8b46609b3a668f728b

SHA256
2cede6701b73a4ddd6422fde157ea54644a3a9598b3ba217cf2b30b595cf6282

SHA512
a98f593a306208da49e57e265daf37d6b1bd9f190fba45d65dd6cfa08801b760f540ea5cc443f9a1512eb5ddc01b1e4e28fc8ddecb9c0f1d42c884c4efaa7193

Download Submit
C:\Windows\SysWOW64\catroot3\msvcp80.dll

Filesize
541KB

MD5
8c53ccd787c381cd535d8dcca12584d8

SHA1
bc7ce60270a58450596aa3e3e5d0a99f731333d9

SHA256
384aaee2a103f7ed5c3ba59d4fb2ba22313aaa1fbc5d232c29dbc14d38e0b528

SHA512
e86c1426f1ad62d8f9bb1196dee647477f71b9aacafabb181f35e639c105779f95f1576b72c0a9216e876430383b8d44f27748b13c25e0548c254a0f641e4755

Download Submit
C:\Windows\SysWOW64\catroot3\msvcr80.dll

Filesize
617KB

MD5
1169436ee42f860c7db37a4692b38f0e

SHA1
4ccd15bf2c1b1d541ac883b0f42497e8ced6a5a3

SHA256
9382aaed2db19cd75a70e38964f06c63f19f63c9dfb5a33b0c2d445bb41b6e46

SHA512
e06064eb95a2ab9c3343672072f5b3f5983fc8ea9e5c92f79e50ba2e259d6d5fa8ed97170dea6d0d032ea6c01e074eefaab850d28965c7522fb7e03d9c65eae0

Download Submit
C:\Windows\SysWOW64\catroot3\rversionlib.dll

Filesize
310KB

MD5
3f95a06f40eaf51b86cef2bf036ebd7a

SHA1
64009c5f79661eb2f82c9a76a843c0d3a856695d

SHA256
1eb88258b18b215b44620326e35c90a8589f384710e7b2d61abf4f59203bd82d

SHA512
6f28b5de28026319bed198f06b5461f688ca401129f1125e9e9d3b58956cc0d546234c2d202827bd74b99afd2ead958a863a520a1f4b7e599d385a8a67062897

Download Submit
C:\Windows\SysWOW64\catroot3\set.reg

Filesize
12KB

MD5
26554b7c1085b248da68c14d6437ba18

SHA1
0c55725c7f9295c2c4b69719fb98736e66658606

SHA256
564f9a4cf6581b38bc0360fff19c26df062344444b8b60ddfe86eb0194269e74

SHA512
99b110a73875ffa59b56f50e4e10e6c28c390fcdd285f19bc7b238329b870eca322b47619f4e1181c3737f011df738fdddee01b1b654266405b2a31003075135

Download Submit
C:\Windows\SysWOW64\catroot3\svchoct.exe

Filesize
3.2MB

MD5
8ae3deecb2b1f16a7adcf3aeaffb487d

SHA1
0370c0e6b81dea9df7737923cfe36aebdd1623b6

SHA256
502092b56790f889fe210b67da27dfe32c434c7e5e8d3e9625dc13381853fbac

SHA512
59534db91aecdd9ee65fad026fdd719a22f9d6dad2682cfa97776fe75b4bd9807acb41a2589229c418b77caabcb7f538d168207e2f6f5adaf64a7b13930db1f5

Download Submit
C:\Windows\SysWOW64\catroot3\svchoct.exe

Filesize
3.2MB

MD5
8ae3deecb2b1f16a7adcf3aeaffb487d

SHA1
0370c0e6b81dea9df7737923cfe36aebdd1623b6

SHA256
502092b56790f889fe210b67da27dfe32c434c7e5e8d3e9625dc13381853fbac

SHA512
59534db91aecdd9ee65fad026fdd719a22f9d6dad2682cfa97776fe75b4bd9807acb41a2589229c418b77caabcb7f538d168207e2f6f5adaf64a7b13930db1f5

Download Submit
C:\Windows\SysWOW64\catroot3\svchoct.exe

Filesize
3.2MB

MD5
8ae3deecb2b1f16a7adcf3aeaffb487d

SHA1
0370c0e6b81dea9df7737923cfe36aebdd1623b6

SHA256
502092b56790f889fe210b67da27dfe32c434c7e5e8d3e9625dc13381853fbac

SHA512
59534db91aecdd9ee65fad026fdd719a22f9d6dad2682cfa97776fe75b4bd9807acb41a2589229c418b77caabcb7f538d168207e2f6f5adaf64a7b13930db1f5

Download Submit
C:\Windows\SysWOW64\catroot3\svchoct.exe

Filesize
3.2MB

MD5
8ae3deecb2b1f16a7adcf3aeaffb487d

SHA1
0370c0e6b81dea9df7737923cfe36aebdd1623b6

SHA256
502092b56790f889fe210b67da27dfe32c434c7e5e8d3e9625dc13381853fbac

SHA512
59534db91aecdd9ee65fad026fdd719a22f9d6dad2682cfa97776fe75b4bd9807acb41a2589229c418b77caabcb7f538d168207e2f6f5adaf64a7b13930db1f5

Download Submit
\Windows\SysWOW64\catroot3\Explorernt.exe

Filesize
2.8MB

MD5
a0924820769909ca25e9eea948b7d8ad

SHA1
e70e1a1662a4fe966e38218beb777516c3db4e37

SHA256
74fe2a1e6116c5a199dcc6aa738d546bfc55b41edc1b7c5459019e7d18ae5e36

SHA512
e3d5b963b0358b08301eaed387d1d206da408096ca895b6262b2eb79a026314821885477a07fce78b9107b8c8169cc6c4d52e404c4b01b3a8bb33569929b8073

Download Submit
\Windows\SysWOW64\catroot3\rversionlib.dll

Filesize
310KB

MD5
3f95a06f40eaf51b86cef2bf036ebd7a

SHA1
64009c5f79661eb2f82c9a76a843c0d3a856695d

SHA256
1eb88258b18b215b44620326e35c90a8589f384710e7b2d61abf4f59203bd82d

SHA512
6f28b5de28026319bed198f06b5461f688ca401129f1125e9e9d3b58956cc0d546234c2d202827bd74b99afd2ead958a863a520a1f4b7e599d385a8a67062897

Download Submit
\Windows\SysWOW64\catroot3\rversionlib.dll

Filesize
310KB

MD5
3f95a06f40eaf51b86cef2bf036ebd7a

SHA1
64009c5f79661eb2f82c9a76a843c0d3a856695d

SHA256
1eb88258b18b215b44620326e35c90a8589f384710e7b2d61abf4f59203bd82d

SHA512
6f28b5de28026319bed198f06b5461f688ca401129f1125e9e9d3b58956cc0d546234c2d202827bd74b99afd2ead958a863a520a1f4b7e599d385a8a67062897

Download Submit
\Windows\SysWOW64\catroot3\rversionlib.dll

Filesize
310KB

MD5
3f95a06f40eaf51b86cef2bf036ebd7a

SHA1
64009c5f79661eb2f82c9a76a843c0d3a856695d

SHA256
1eb88258b18b215b44620326e35c90a8589f384710e7b2d61abf4f59203bd82d

SHA512
6f28b5de28026319bed198f06b5461f688ca401129f1125e9e9d3b58956cc0d546234c2d202827bd74b99afd2ead958a863a520a1f4b7e599d385a8a67062897

Download Submit
\Windows\SysWOW64\catroot3\rversionlib.dll

Filesize
310KB

MD5
3f95a06f40eaf51b86cef2bf036ebd7a

SHA1
64009c5f79661eb2f82c9a76a843c0d3a856695d

SHA256
1eb88258b18b215b44620326e35c90a8589f384710e7b2d61abf4f59203bd82d

SHA512
6f28b5de28026319bed198f06b5461f688ca401129f1125e9e9d3b58956cc0d546234c2d202827bd74b99afd2ead958a863a520a1f4b7e599d385a8a67062897

Download Submit
\Windows\SysWOW64\catroot3\rversionlib.dll

Filesize
310KB

MD5
3f95a06f40eaf51b86cef2bf036ebd7a

SHA1
64009c5f79661eb2f82c9a76a843c0d3a856695d

SHA256
1eb88258b18b215b44620326e35c90a8589f384710e7b2d61abf4f59203bd82d

SHA512
6f28b5de28026319bed198f06b5461f688ca401129f1125e9e9d3b58956cc0d546234c2d202827bd74b99afd2ead958a863a520a1f4b7e599d385a8a67062897

Download Submit
\Windows\SysWOW64\catroot3\rversionlib.dll

Filesize
310KB

MD5
3f95a06f40eaf51b86cef2bf036ebd7a

SHA1
64009c5f79661eb2f82c9a76a843c0d3a856695d

SHA256
1eb88258b18b215b44620326e35c90a8589f384710e7b2d61abf4f59203bd82d

SHA512
6f28b5de28026319bed198f06b5461f688ca401129f1125e9e9d3b58956cc0d546234c2d202827bd74b99afd2ead958a863a520a1f4b7e599d385a8a67062897

Download Submit
\Windows\SysWOW64\catroot3\svchoct.exe

Filesize
3.2MB

MD5
8ae3deecb2b1f16a7adcf3aeaffb487d

SHA1
0370c0e6b81dea9df7737923cfe36aebdd1623b6

SHA256
502092b56790f889fe210b67da27dfe32c434c7e5e8d3e9625dc13381853fbac

SHA512
59534db91aecdd9ee65fad026fdd719a22f9d6dad2682cfa97776fe75b4bd9807acb41a2589229c418b77caabcb7f538d168207e2f6f5adaf64a7b13930db1f5

Download Submit
\Windows\SysWOW64\catroot3\svchoct.exe

Filesize
3.2MB

MD5
8ae3deecb2b1f16a7adcf3aeaffb487d

SHA1
0370c0e6b81dea9df7737923cfe36aebdd1623b6

SHA256
502092b56790f889fe210b67da27dfe32c434c7e5e8d3e9625dc13381853fbac

SHA512
59534db91aecdd9ee65fad026fdd719a22f9d6dad2682cfa97776fe75b4bd9807acb41a2589229c418b77caabcb7f538d168207e2f6f5adaf64a7b13930db1f5

Download Submit
\Windows\SysWOW64\catroot3\svchoct.exe

Filesize
3.2MB

MD5
8ae3deecb2b1f16a7adcf3aeaffb487d

SHA1
0370c0e6b81dea9df7737923cfe36aebdd1623b6

SHA256
502092b56790f889fe210b67da27dfe32c434c7e5e8d3e9625dc13381853fbac

SHA512
59534db91aecdd9ee65fad026fdd719a22f9d6dad2682cfa97776fe75b4bd9807acb41a2589229c418b77caabcb7f538d168207e2f6f5adaf64a7b13930db1f5

Download Submit
memory/880-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1380-136-0x0000000000230000-0x0000000000288000-memory.dmp

Filesize
352KB

Download
memory/1996-174-0x00000000001C0000-0x0000000000218000-memory.dmp

Filesize
352KB

Download