rms | 909ab00f91ab72f4637de733e534bfefacdaef4d66217353726148f73cd13a20

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

909ab00f91ab72f4637de733e534bfefacdaef4d66217353726148f73cd13a20.exe
Size

3.3MB
MD5

524ee4b4df67328653740a764f86a94e
SHA1

cdd5153de9b9090b1e5c271a0d0fdb8374746162
SHA256

909ab00f91ab72f4637de733e534bfefacdaef4d66217353726148f73cd13a20
SHA512

72bdb65abb69e1de05fe7be012f28d4fdb4e3842329c497216624908e3e7e1b50d7aa6f4540e991b6fc59a594931d2315192d0e0dafcd666a68caa020a00579f
SSDEEP

98304:7JYC4BP0AwP4unYP+0O8NPKDUDpQCOfCJ+N4dP5CVSu2:7JYBP0Oo8DDpS6Y4c32

Score

10^/10

rms collection discovery evasion rat spyware stealer trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 8 IoCs

pid	Process
1892	rutserv.exe
1236	rutserv.exe
1620	rutserv.exe
944	rutserv.exe
1480	rfusclient.exe
1160	rfusclient.exe
1916	mpr.exe
1648	realip.exe

Modifies Windows Firewall 1 TTPs 8 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1612	netsh.exe
1776	netsh.exe
568	netsh.exe
1604	netsh.exe
432	netsh.exe
1220	netsh.exe
1872	netsh.exe
692	netsh.exe

Sets file to hidden 1 TTPs 12 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1436	attrib.exe
1856	attrib.exe
1428	attrib.exe
1996	attrib.exe
1612	attrib.exe
2000	attrib.exe
1484	attrib.exe
1596	attrib.exe
868	attrib.exe
1248	attrib.exe
1916	attrib.exe
1696	attrib.exe

Deletes itself 1 IoCs

pid	Process
2032	cmd.exe

Loads dropped DLL 12 IoCs

pid	Process
1260	cmd.exe
1892	rutserv.exe
1260	cmd.exe
1236	rutserv.exe
1260	cmd.exe
1620	rutserv.exe
944	rutserv.exe
944	rutserv.exe
1160	rfusclient.exe
1260	cmd.exe
1260	cmd.exe
1260	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	mpr.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	mpr.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\catroot3\dsfOggMux.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\HookDrv.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\rutserv.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\set.reg	cmd.exe
File opened for modification	C:\Windows\SysWOW64\de.exe	cmd.exe
File created	C:\Windows\SysWOW64\de.exe	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\dsfTheoraEncoder.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\rfusclient.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\rutserv.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\rversionlib.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\set.reg	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3	attrib.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\msvcr80.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\rversionlib.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\Microsoft.VC80.CRT.manifest	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\rfusclient.exe	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\RWLN.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\msvcp80.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\de.exe	attrib.exe
File created	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\PushSource.ax	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\msvcr80.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\HookDrv.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\dsfTheoraEncoder.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\dsfVorbisEncoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\dsfVorbisEncoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\Microsoft.VC80.CRT.manifest	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\msvcp80.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\PushSource.ax	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\RWLN.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\dsfOggMux.dll	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1852	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 5 IoCs

evasion

pid	Process
1892	taskkill.exe
2028	taskkill.exe
316	taskkill.exe
1048	taskkill.exe
1900	taskkill.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpr.DocHostUIHandler\Clsid	mpr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf	mpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\EditFlags = "0"	mpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell	mpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler"	mpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32	mpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mpr.exe"	mpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mpr.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"	mpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID	mpr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf\MediaPackageFile	mpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf	mpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\BrowserFlags = "8"	mpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mpr.exe,0"	mpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}	mpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpr.DocHostUIHandler	mpr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf\MediaPackageFile\ShellNew	mpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\DefaultIcon	mpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell\open	mpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mpr.exe \"%1\""	mpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "mpr.DocHostUIHandler"	mpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf	mpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf\ = "mprf"	mpr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell\open\command	mpr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mpr.DocHostUIHandler\ = "Implements DocHostUIHandler"	mpr.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1048	reg.exe
864	reg.exe

Runs .reg file with regedit 1 IoCs

pid	Process
980	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
944	rutserv.exe
944	rutserv.exe
1916	mpr.exe
1916	mpr.exe
1916	mpr.exe
1916	mpr.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	1048	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	1892	taskkill.exe
Token: SeDebugPrivilege	1892	rutserv.exe
Token: SeDebugPrivilege	1620	rutserv.exe
Token: SeTakeOwnershipPrivilege	944	rutserv.exe
Token: SeTcbPrivilege	944	rutserv.exe
Token: SeDebugPrivilege	1916	mpr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1916	mpr.exe
1916	mpr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 1684	944	909ab00f91ab72f4637de733e534bfefacdaef4d66217353726148f73cd13a20.exe	27
PID 944 wrote to memory of 1684	944	909ab00f91ab72f4637de733e534bfefacdaef4d66217353726148f73cd13a20.exe	27
PID 944 wrote to memory of 1684	944	909ab00f91ab72f4637de733e534bfefacdaef4d66217353726148f73cd13a20.exe	27
PID 944 wrote to memory of 1684	944	909ab00f91ab72f4637de733e534bfefacdaef4d66217353726148f73cd13a20.exe	27
PID 1684 wrote to memory of 1260	1684	WScript.exe	28
PID 1684 wrote to memory of 1260	1684	WScript.exe	28
PID 1684 wrote to memory of 1260	1684	WScript.exe	28
PID 1684 wrote to memory of 1260	1684	WScript.exe	28
PID 1684 wrote to memory of 1260	1684	WScript.exe	28
PID 1684 wrote to memory of 1260	1684	WScript.exe	28
PID 1684 wrote to memory of 1260	1684	WScript.exe	28
PID 944 wrote to memory of 2032	944	909ab00f91ab72f4637de733e534bfefacdaef4d66217353726148f73cd13a20.exe	30
PID 944 wrote to memory of 2032	944	909ab00f91ab72f4637de733e534bfefacdaef4d66217353726148f73cd13a20.exe	30
PID 944 wrote to memory of 2032	944	909ab00f91ab72f4637de733e534bfefacdaef4d66217353726148f73cd13a20.exe	30
PID 944 wrote to memory of 2032	944	909ab00f91ab72f4637de733e534bfefacdaef4d66217353726148f73cd13a20.exe	30
PID 1260 wrote to memory of 2028	1260	cmd.exe	31
PID 1260 wrote to memory of 2028	1260	cmd.exe	31
PID 1260 wrote to memory of 2028	1260	cmd.exe	31
PID 1260 wrote to memory of 2028	1260	cmd.exe	31
PID 1260 wrote to memory of 316	1260	cmd.exe	34
PID 1260 wrote to memory of 316	1260	cmd.exe	34
PID 1260 wrote to memory of 316	1260	cmd.exe	34
PID 1260 wrote to memory of 316	1260	cmd.exe	34
PID 1260 wrote to memory of 432	1260	cmd.exe	35
PID 1260 wrote to memory of 432	1260	cmd.exe	35
PID 1260 wrote to memory of 432	1260	cmd.exe	35
PID 1260 wrote to memory of 432	1260	cmd.exe	35
PID 1260 wrote to memory of 1428	1260	cmd.exe	36
PID 1260 wrote to memory of 1428	1260	cmd.exe	36
PID 1260 wrote to memory of 1428	1260	cmd.exe	36
PID 1260 wrote to memory of 1428	1260	cmd.exe	36
PID 1260 wrote to memory of 1248	1260	cmd.exe	37
PID 1260 wrote to memory of 1248	1260	cmd.exe	37
PID 1260 wrote to memory of 1248	1260	cmd.exe	37
PID 1260 wrote to memory of 1248	1260	cmd.exe	37
PID 1260 wrote to memory of 1916	1260	cmd.exe	38
PID 1260 wrote to memory of 1916	1260	cmd.exe	38
PID 1260 wrote to memory of 1916	1260	cmd.exe	38
PID 1260 wrote to memory of 1916	1260	cmd.exe	38
PID 1260 wrote to memory of 1856	1260	cmd.exe	48
PID 1260 wrote to memory of 1856	1260	cmd.exe	48
PID 1260 wrote to memory of 1856	1260	cmd.exe	48
PID 1260 wrote to memory of 1856	1260	cmd.exe	48
PID 1260 wrote to memory of 1996	1260	cmd.exe	39
PID 1260 wrote to memory of 1996	1260	cmd.exe	39
PID 1260 wrote to memory of 1996	1260	cmd.exe	39
PID 1260 wrote to memory of 1996	1260	cmd.exe	39
PID 1260 wrote to memory of 1696	1260	cmd.exe	40
PID 1260 wrote to memory of 1696	1260	cmd.exe	40
PID 1260 wrote to memory of 1696	1260	cmd.exe	40
PID 1260 wrote to memory of 1696	1260	cmd.exe	40
PID 1260 wrote to memory of 2000	1260	cmd.exe	41
PID 1260 wrote to memory of 2000	1260	cmd.exe	41
PID 1260 wrote to memory of 2000	1260	cmd.exe	41
PID 1260 wrote to memory of 2000	1260	cmd.exe	41
PID 1260 wrote to memory of 1596	1260	cmd.exe	45
PID 1260 wrote to memory of 1596	1260	cmd.exe	45
PID 1260 wrote to memory of 1596	1260	cmd.exe	45
PID 1260 wrote to memory of 1596	1260	cmd.exe	45
PID 1260 wrote to memory of 1612	1260	cmd.exe	42
PID 1260 wrote to memory of 1612	1260	cmd.exe	42
PID 1260 wrote to memory of 1612	1260	cmd.exe	42
PID 1260 wrote to memory of 1612	1260	cmd.exe	42
PID 1260 wrote to memory of 1484	1260	cmd.exe	43

Views/modifies file attributes 1 TTPs 18 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1996	attrib.exe
868	attrib.exe
1472	attrib.exe
1428	attrib.exe
1916	attrib.exe
1696	attrib.exe
1612	attrib.exe
1484	attrib.exe
1856	attrib.exe
2004	attrib.exe
1248	attrib.exe
1668	attrib.exe
2020	attrib.exe
2000	attrib.exe
1436	attrib.exe
1596	attrib.exe
1240	attrib.exe
1232	attrib.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	mpr.exe

C:\Users\Admin\AppData\Local\Temp\909ab00f91ab72f4637de733e534bfefacdaef4d66217353726148f73cd13a20.exe
"C:\Users\Admin\AppData\Local\Temp\909ab00f91ab72f4637de733e534bfefacdaef4d66217353726148f73cd13a20.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\stop.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im RManServer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rutserv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:316
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      4⤵
      PID:432
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Windows\System32\catroot3"
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      Views/modifies file attributes
      PID:1428
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/blat.dll"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1248
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/blat.lib"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1916
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/HookLib.dll"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1996
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/blat.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1696
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/mpr.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2000
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/mpr.ini"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1612
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\stop.js"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1484
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\install.bat"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1436
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/realip.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1596
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Windows\System32\de.exe"
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      Views/modifies file attributes
      PID:868
  - - C:\Windows\SysWOW64\net.exe
      net stop rserver3
      4⤵
      PID:308
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop rserver3
        5⤵
        
        PID:568
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/block_reader.sys"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rserver3.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im r_server.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im cam_server.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1892
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r "C:\Windows\system32\cam_server.exe"
      4⤵
      Views/modifies file attributes
      PID:2004
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r "C:\Windows\SysWOW64\cam_server.exe"
      4⤵
      Views/modifies file attributes
      PID:1472
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Windows\system32\rserver30"
      4⤵
      Views/modifies file attributes
      PID:1240
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Windows\SysWOW64\rserver30"
      4⤵
      Views/modifies file attributes
      PID:1668
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r "C:\Windows\system32\r_server.exe"
      4⤵
      Views/modifies file attributes
      PID:2020
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h -r "C:\Windows\SysWOW64\r_server.exe"
      4⤵
      Views/modifies file attributes
      PID:1232
  - - C:\Windows\SysWOW64\net.exe
      net stop Telnet
      4⤵
      PID:1388
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Telnet
        5⤵
        
        PID:980
  - - C:\Windows\SysWOW64\sc.exe
      sc config tlntsvr start= disabled
      4⤵
      Launches sc.exe
      PID:1852
  - - C:\Windows\SysWOW64\net.exe
      net stop "Service Host Controller"
      4⤵
      PID:1152
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Service Host Controller"
        5⤵
        
        PID:2036
  - - C:\Windows\SysWOW64\net.exe
      net user HelpAssistant /delete
      4⤵
      PID:1920
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user HelpAssistant /delete
        5⤵
        
        PID:1040
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn security /f
      4⤵
      PID:1288
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name="RealIP"
      4⤵
      Modifies Windows Firewall
      PID:1604
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name="Microsoft Outlook Express"
      4⤵
      Modifies Windows Firewall
      PID:432
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name="Service Host Controller"
      4⤵
      Modifies Windows Firewall
      PID:1220
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name="ò«ßΓ-»α«µÑßß ñ½∩ ß½πªí Windows"
      4⤵
      Modifies Windows Firewall
      PID:1872
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name="ò«ßΓ-»α«µÑßß ñ½∩ ºáñáτ Windows"
      4⤵
      Modifies Windows Firewall
      PID:692
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete portopening tcp 57009
      4⤵
      Modifies Windows Firewall
      PID:1612
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name="cam_server"
      4⤵
      Modifies Windows Firewall
      PID:1776
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete portopening tcp 57011 all
      4⤵
      Modifies Windows Firewall
      PID:568
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Ä»Ñαáµ¿«¡¡á∩ ß¿ßΓÑ¼á Microsoft Windows" /f
      4⤵
      Modifies registry key
      PID:1048
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Service Host Controller" /f
      4⤵
      Modifies registry key
      PID:864
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v HelpAssistant /f
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "cam_server.exe" /f
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\System\CurrentControlSet\Services\RServer3" /f
      4⤵
      PID:1532
  - - C:\Windows\SysWOW64\catroot3\rutserv.exe
      "rutserv.exe" /silentinstall
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:1892
  - - C:\Windows\SysWOW64\catroot3\rutserv.exe
      "rutserv.exe" /firewall
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1236
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s set.reg
      4⤵
      Runs .reg file with regedit
      PID:980
  - - C:\Windows\SysWOW64\catroot3\rutserv.exe
      "rutserv.exe" /start
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\mpr.exe
      C:\Users\Admin\AppData\Local\Temp\mpr.exe /export
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      outlook_win_path
      PID:1916
  - - C:\Users\Admin\AppData\Local\Temp\realip.exe
      realip.exe
      4⤵
      Executes dropped EXE
      PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  - Deletes itself
  PID:2032

C:\Windows\SysWOW64\catroot3\rutserv.exe
C:\Windows\SysWOW64\catroot3\rutserv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:944
- C:\Windows\SysWOW64\catroot3\rfusclient.exe
  C:\Windows\SysWOW64\catroot3\rfusclient.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\SysWOW64\catroot3\rfusclient.exe
  C:\Windows\SysWOW64\catroot3\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
300B

MD5
84138df8e40fdb45ee4e09e5bc17146b

SHA1
13e8462f16a7362e6d5454b50136c43422486c2b

SHA256
f2d45c2eecf2a6b59073f344d18808ede9e01da90c42371b7eee6ee465a748ed

SHA512
ed57c65f88a16b8b87cb127be92308cd6ec45975e3fa3f822e08a7cb6b204fa11df3216ee07b8b543e1e4e17e69a19ed8b89e1ce73b487eb4bb768bed8a1f479

Download Submit
C:\Users\Admin\AppData\Local\Temp\HookDrv.dll

Filesize
144KB

MD5
513066a38057079e232f5f99baef2b94

SHA1
a6da9e87415b8918447ec361ba98703d12b4ee76

SHA256
02dbea75e8dbcdfc12c6b92a6c08efad83d4ca742ed7aee393ab26cab0c58f9e

SHA512
83a074bef57f78ede2488dd586b963b92837e17eea77ebd1464f3da06954ae8ca07f040089af0c257e2836611ae39424574bd365aea4a6318a2707e031cd31a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HookLib.dll

Filesize
42KB

MD5
9b2e0db7547afab728ec31b7288705d6

SHA1
cedd09c5fda6c9445d191f97034e23e960361074

SHA256
ff44a0fe9d27fc3c1f455b2b9e989235ea55be4b95ed569be4b15129e624214b

SHA512
1c4c5eb672541a0fd39ed1174bdd3533e136233bd904c2e8bc7ffcab4f3e9835cbc357a66c6704619795ce983ce57a6a8a206aa922addfcc771dd14c277cdf33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft.VC80.CRT.manifest

Filesize
1KB

MD5
d34b3da03c59f38a510eaa8ccc151ec7

SHA1
41b978588a9902f5e14b2b693973cb210ed900b2

SHA256
a50941352cb9d8f7ba6fbf7db5c8af95fb5ab76fc5d60cfd0984e558678908cc

SHA512
231a97761d652a0fc133b930abba07d456ba6cd70703a632fd7292f6ee00e50ef28562159e54acc3fc6cc118f766ea3f2f8392579ae31cc9c0c1c0dd761d36f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\PushSource.ax

Filesize
448KB

MD5
d7eb741be9c97a6d1063102f0e4ca44d

SHA1
bf8bdca7f56ed39fb96141ae9593dec497f4e2c8

SHA256
0914ab04bfd258008fec4605c3fa0e23c0d5111b9cfc374cfa4eaa1b4208dff7

SHA512
cbcaedf5aca641313ba2708e4be3ea0d18dd63e4543f2c2fdcbd31964a2c01ff42724ec666da24bf7bf7b8faaa5eceae761edf82c71919753d42695c9588e65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RWLN.dll

Filesize
325KB

MD5
cf6ce6b13673dd11f0cd4b597ac56edb

SHA1
2017888be6edbea723b9b888ac548db5115df09e

SHA256
7bda291b7f50049088ea418b5695929b9be11cc014f6ec0f43f495285d1d6f74

SHA512
e5b69b4ee2ff8d9682913a2f846dc2eca8223d3100d626aea9763653fe7b8b35b8e6dc918f4c32e8ae2fc1761611dcd0b16d623ede954f173db33216b33f49dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\blat.dll

Filesize
120KB

MD5
724cae63522f6e5f7565a3bf4b2a719b

SHA1
18620dbd4357d85918070f669ff4b61755290757

SHA256
b87814eaf1cd5268e797f1119b58e3fd79381af3f530be9a90993198cbce1779

SHA512
af68749cadf9920a8bed455a2557b1faf475d30fdd62f45da6757fbc5a59341fffeccca4ff646b334da95cf673deeeea74bdbb27a16f510a4e3309055f89817d

Download Submit
C:\Users\Admin\AppData\Local\Temp\blat.exe

Filesize
112KB

MD5
31f84e433e8d1865e322998a41e6d90e

SHA1
cbea6cda10db869636f57b1cffad39b22e6f7f17

SHA256
aeca4a77d617da84296b5f857b2821333fe4b9663e8df74ef5a25a7882693e5e

SHA512
7ae504723b5b140e45af3163d1bfdc5ee0497debafba07cfbf1d2c15147c000be53f4ac8d36d926ed11cf0bb62e9e72f9bcf5d4caf92aa732d942f55834e2be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\blat.lib

Filesize
2KB

MD5
3cd3cffda2b5108e2778f94429c624d6

SHA1
3e4d218d1b8eb4fa1ab5152b126951892aff3dc9

SHA256
b545194041588fc0a6f57e7eb5a93d2418aaa263d246e3c696a79ee5859770ff

SHA512
c80080afcc982c4e950876756fb32c7f24fbe45bfbbe78afe144be1ede86dc9ef1e57db95d3df7f4c6011fd226f23684b929781b55d1be659cfa75d14f8d0c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\block_reader.sys

Filesize
1KB

MD5
b5a0cfd3e6cb42a29255faa1546f420c

SHA1
c55cb0f7b5a04231607498b83629e70105113ee3

SHA256
a2d200514887c6f05c9e6150b57cf4541c4923b857cf15723454885b9353dff0

SHA512
274a7371f1d75803926380fd10c60c9aa1bb1088594e3e0be5db255bb9f31ae178e8f79ba4b2deb49c24289dea5b17d1244c873e038d0a94159252ab62f4342e

Download Submit
C:\Users\Admin\AppData\Local\Temp\de.exe

Filesize
98KB

MD5
b8622a3042d7fa48b2e6de433007c870

SHA1
6399b9d115c3f1d3c5469f81b1a821bf75b75ae8

SHA256
cdb8330b9a36462dad63fb5c98520c4dd1cecf8a20d071bb0eff15ecf9fe0c98

SHA512
19450e826c78cc9526bf9ccba356fa63c8282ae3093db9ad71c1f21bcd80b3850b3aabbd2221fd6ddc293378df3d52ac0484c8882aeee517145d018ce3b4ed73

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsfOggMux.dll

Filesize
84KB

MD5
65889701199e41ae2abee652a232af6e

SHA1
3f76c39fde130b550013a4f13bfea2862b5628cf

SHA256
ef12a65d861a14aed28480946bc56fce479a21e9beac2983239eac6551d4f32e

SHA512
edbb1a1541a546d69e3fd64047a20613b47b3c08f2b639a53160b825c4a1462c4cc08a7bf417aa2db814f412fb16619c6c0d9364e21cc1c6d753ecf81f1d30f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsfTheoraEncoder.dll

Filesize
240KB

MD5
5f2fc8a0d96a1e796a4daae9465f5dd6

SHA1
224f13f3cbaa441c0cb6d6300715fda7136408ea

SHA256
f8686d8752801bb21c3d94ebe743758d79b9b59f33589ec8620e75a949d1871f

SHA512
da866275159b434205f259176c3937b7c77b14ed95d052152b05b984909e094bbd3b2702d3e874a4a1e1bc02fc5a8476ea43df8aee43542d56e832eacc8f54ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsfVorbisEncoder.dll

Filesize
1.6MB

MD5
086a9fd9179aad7911561eeff08cf7e2

SHA1
d390c28376e08769a06a4a8b46609b3a668f728b

SHA256
2cede6701b73a4ddd6422fde157ea54644a3a9598b3ba217cf2b30b595cf6282

SHA512
a98f593a306208da49e57e265daf37d6b1bd9f190fba45d65dd6cfa08801b760f540ea5cc443f9a1512eb5ddc01b1e4e28fc8ddecb9c0f1d42c884c4efaa7193

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
5KB

MD5
2e15db8b648b7c98549b47e23d631791

SHA1
6b94c1d47589eb380e3dad267a42e595300b9364

SHA256
1e6ae121feb3aa8a7bf0e8f8400646e7fa3ca1149c1c0a2c4aa6a97ea001eb3e

SHA512
64875ad5a667bf3f1d47be0388fe7660eee19069290f93eb4d29a522ed8900a8f1d3137d454e66f1c09324814b322fe0fd5472335a6882bcf0e4cb06595c5e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr.exe

Filesize
3.3MB

MD5
8dba37604bf06ebcef07dd1085865a6a

SHA1
1202eb0ea461c502daa7da9d7d75fff226bf57bd

SHA256
038ab25642a1220c27028d0b559062b43764c66541ec07a96b2a99d25d9638b0

SHA512
0f286677e964d733ea3270f0f196769d8ddddb4a6bb3007187eae56e9abb5e22ee984703df5356b5d9049e5ad3b24c567ae13773684113a4440b2cce5d0132fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr.exe

Filesize
3.3MB

MD5
8dba37604bf06ebcef07dd1085865a6a

SHA1
1202eb0ea461c502daa7da9d7d75fff226bf57bd

SHA256
038ab25642a1220c27028d0b559062b43764c66541ec07a96b2a99d25d9638b0

SHA512
0f286677e964d733ea3270f0f196769d8ddddb4a6bb3007187eae56e9abb5e22ee984703df5356b5d9049e5ad3b24c567ae13773684113a4440b2cce5d0132fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr.ini

Filesize
273B

MD5
ea47283e2219d636d6429068140003a0

SHA1
db9bfafe8d680730813cdb547caabddaec0bfc4a

SHA256
92fbb197da99a1c0d5e2f83057f81cd5a2fc65e0f763218cff931b574c07bc61

SHA512
5c434feffefe2c92f4fdbcae8b316b752a1b5ea4bfc7bda65a3882990b4767c453f97ce3f8238879e24d871aa616fb91dce6b1175c9ef8489eef992935a34ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcp80.dll

Filesize
541KB

MD5
8c53ccd787c381cd535d8dcca12584d8

SHA1
bc7ce60270a58450596aa3e3e5d0a99f731333d9

SHA256
384aaee2a103f7ed5c3ba59d4fb2ba22313aaa1fbc5d232c29dbc14d38e0b528

SHA512
e86c1426f1ad62d8f9bb1196dee647477f71b9aacafabb181f35e639c105779f95f1576b72c0a9216e876430383b8d44f27748b13c25e0548c254a0f641e4755

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcr80.dll

Filesize
617KB

MD5
1169436ee42f860c7db37a4692b38f0e

SHA1
4ccd15bf2c1b1d541ac883b0f42497e8ced6a5a3

SHA256
9382aaed2db19cd75a70e38964f06c63f19f63c9dfb5a33b0c2d445bb41b6e46

SHA512
e06064eb95a2ab9c3343672072f5b3f5983fc8ea9e5c92f79e50ba2e259d6d5fa8ed97170dea6d0d032ea6c01e074eefaab850d28965c7522fb7e03d9c65eae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\realip.exe

Filesize
40KB

MD5
effa4a5a70423867665d2a46348ecb26

SHA1
8596bef191ed40ade5980abf0158dfd3d193c352

SHA256
03b86eeff30d769e062a3228a0fb3ce6f0f8911093cd2a4a70cade34896f568d

SHA512
d94e48e1722d4814862d78f35800b4d8eff8f17be4902cbe0d2f0355fd3279faa9a403f3e4bb7ed70b44ace8dbb76b65b7c9f6e9ccf17c69e4d17e0895b8dfff

Download Submit
C:\Users\Admin\AppData\Local\Temp\realip.exe

Filesize
40KB

MD5
effa4a5a70423867665d2a46348ecb26

SHA1
8596bef191ed40ade5980abf0158dfd3d193c352

SHA256
03b86eeff30d769e062a3228a0fb3ce6f0f8911093cd2a4a70cade34896f568d

SHA512
d94e48e1722d4814862d78f35800b4d8eff8f17be4902cbe0d2f0355fd3279faa9a403f3e4bb7ed70b44ace8dbb76b65b7c9f6e9ccf17c69e4d17e0895b8dfff

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe

Filesize
2.8MB

MD5
a90c6e72a9e2602560c521a1647664ad

SHA1
22f7f0ddb0af04df7109c3ddbb7027909041fa73

SHA256
579e5984ad5eb6e5e4b004acd01c95f609a1330f3900cd9851562eb4ac879197

SHA512
fbba623cab28c0648e8bdd03c99df9e2a84180d72ea8e63367e943f8b432ebc36a7e10a8bfce11ad1803e54a8514f1ded4fec72e680ee04386965b5eb6a5d6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe

Filesize
3.2MB

MD5
62dbd11dc36780e35af1aafaa6a8f0f1

SHA1
dc6aaac7171b351be3397c3e0e1769dffa848723

SHA256
b06604ee55206b081a8378f771f3501f48df1c0023b1d6edcbc5f781aa521f57

SHA512
b7f311286387ab39a0a54ac3dbcb74d9db3de4e2657dd6f0e182e38e9ed5400e87f1000c7b978fd4bb34fc373dd99bcb18271296f03248366a9cb52afdaa695d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rversionlib.dll

Filesize
310KB

MD5
3f95a06f40eaf51b86cef2bf036ebd7a

SHA1
64009c5f79661eb2f82c9a76a843c0d3a856695d

SHA256
1eb88258b18b215b44620326e35c90a8589f384710e7b2d61abf4f59203bd82d

SHA512
6f28b5de28026319bed198f06b5461f688ca401129f1125e9e9d3b58956cc0d546234c2d202827bd74b99afd2ead958a863a520a1f4b7e599d385a8a67062897

Download Submit
C:\Users\Admin\AppData\Local\Temp\set.reg

Filesize
14KB

MD5
cad5bea003e597319e443f212d2359fc

SHA1
5fd2441f20dc27a4db66e4f0f349f5d96f5a0cdc

SHA256
81987bc5d9a571dcfb571b0f8c238c807b3a34ff1b3bc75c68aa6ee78c853409

SHA512
d0a280c73750be3ebc9db607d0559697c923cc114bdd105211fd82077e40a9c75ac0ba43d3e4a73f6dd3559ea0895179a4b2c53f69883eb8e0b3adb7fbd2e374

Download Submit
C:\Users\Admin\AppData\Local\Temp\stop.js

Filesize
215B

MD5
804b35ef108ec9839eb6a9335add8ca1

SHA1
bf91e6645c4a1c8cab2d20388469da9ed0a82d56

SHA256
fe111b7ea4e14ab7ba5004aea52b10030e0282bb5c40d4ba55761a2c5be59406

SHA512
822a3ec5e0e353058d4355bc01a44440dafe8d16c57744a3dcbc962eb110ed3f6843556568616bfc5dc7fad5f5832cd27d6591dc50105f2c79fc16c33919936d

Download Submit
C:\Windows\SysWOW64\catroot3\HookDrv.dll

Filesize
144KB

MD5
513066a38057079e232f5f99baef2b94

SHA1
a6da9e87415b8918447ec361ba98703d12b4ee76

SHA256
02dbea75e8dbcdfc12c6b92a6c08efad83d4ca742ed7aee393ab26cab0c58f9e

SHA512
83a074bef57f78ede2488dd586b963b92837e17eea77ebd1464f3da06954ae8ca07f040089af0c257e2836611ae39424574bd365aea4a6318a2707e031cd31a5

Download Submit
C:\Windows\SysWOW64\catroot3\RWLN.dll

Filesize
325KB

MD5
cf6ce6b13673dd11f0cd4b597ac56edb

SHA1
2017888be6edbea723b9b888ac548db5115df09e

SHA256
7bda291b7f50049088ea418b5695929b9be11cc014f6ec0f43f495285d1d6f74

SHA512
e5b69b4ee2ff8d9682913a2f846dc2eca8223d3100d626aea9763653fe7b8b35b8e6dc918f4c32e8ae2fc1761611dcd0b16d623ede954f173db33216b33f49dc

Download Submit
C:\Windows\SysWOW64\catroot3\dsfOggMux.dll

Filesize
84KB

MD5
65889701199e41ae2abee652a232af6e

SHA1
3f76c39fde130b550013a4f13bfea2862b5628cf

SHA256
ef12a65d861a14aed28480946bc56fce479a21e9beac2983239eac6551d4f32e

SHA512
edbb1a1541a546d69e3fd64047a20613b47b3c08f2b639a53160b825c4a1462c4cc08a7bf417aa2db814f412fb16619c6c0d9364e21cc1c6d753ecf81f1d30f5

Download Submit
C:\Windows\SysWOW64\catroot3\dsfTheoraEncoder.dll

Filesize
240KB

MD5
5f2fc8a0d96a1e796a4daae9465f5dd6

SHA1
224f13f3cbaa441c0cb6d6300715fda7136408ea

SHA256
f8686d8752801bb21c3d94ebe743758d79b9b59f33589ec8620e75a949d1871f

SHA512
da866275159b434205f259176c3937b7c77b14ed95d052152b05b984909e094bbd3b2702d3e874a4a1e1bc02fc5a8476ea43df8aee43542d56e832eacc8f54ad

Download Submit
C:\Windows\SysWOW64\catroot3\dsfVorbisEncoder.dll

Filesize
1.6MB

MD5
086a9fd9179aad7911561eeff08cf7e2

SHA1
d390c28376e08769a06a4a8b46609b3a668f728b

SHA256
2cede6701b73a4ddd6422fde157ea54644a3a9598b3ba217cf2b30b595cf6282

SHA512
a98f593a306208da49e57e265daf37d6b1bd9f190fba45d65dd6cfa08801b760f540ea5cc443f9a1512eb5ddc01b1e4e28fc8ddecb9c0f1d42c884c4efaa7193

Download Submit
C:\Windows\SysWOW64\catroot3\msvcp80.dll

Filesize
541KB

MD5
8c53ccd787c381cd535d8dcca12584d8

SHA1
bc7ce60270a58450596aa3e3e5d0a99f731333d9

SHA256
384aaee2a103f7ed5c3ba59d4fb2ba22313aaa1fbc5d232c29dbc14d38e0b528

SHA512
e86c1426f1ad62d8f9bb1196dee647477f71b9aacafabb181f35e639c105779f95f1576b72c0a9216e876430383b8d44f27748b13c25e0548c254a0f641e4755

Download Submit
C:\Windows\SysWOW64\catroot3\msvcr80.dll

Filesize
617KB

MD5
1169436ee42f860c7db37a4692b38f0e

SHA1
4ccd15bf2c1b1d541ac883b0f42497e8ced6a5a3

SHA256
9382aaed2db19cd75a70e38964f06c63f19f63c9dfb5a33b0c2d445bb41b6e46

SHA512
e06064eb95a2ab9c3343672072f5b3f5983fc8ea9e5c92f79e50ba2e259d6d5fa8ed97170dea6d0d032ea6c01e074eefaab850d28965c7522fb7e03d9c65eae0

Download Submit
C:\Windows\SysWOW64\catroot3\rfusclient.exe

Filesize
2.8MB

MD5
a90c6e72a9e2602560c521a1647664ad

SHA1
22f7f0ddb0af04df7109c3ddbb7027909041fa73

SHA256
579e5984ad5eb6e5e4b004acd01c95f609a1330f3900cd9851562eb4ac879197

SHA512
fbba623cab28c0648e8bdd03c99df9e2a84180d72ea8e63367e943f8b432ebc36a7e10a8bfce11ad1803e54a8514f1ded4fec72e680ee04386965b5eb6a5d6c2

Download Submit
C:\Windows\SysWOW64\catroot3\rfusclient.exe

Filesize
2.8MB

MD5
a90c6e72a9e2602560c521a1647664ad

SHA1
22f7f0ddb0af04df7109c3ddbb7027909041fa73

SHA256
579e5984ad5eb6e5e4b004acd01c95f609a1330f3900cd9851562eb4ac879197

SHA512
fbba623cab28c0648e8bdd03c99df9e2a84180d72ea8e63367e943f8b432ebc36a7e10a8bfce11ad1803e54a8514f1ded4fec72e680ee04386965b5eb6a5d6c2

Download Submit
C:\Windows\SysWOW64\catroot3\rfusclient.exe

Filesize
2.8MB

MD5
a90c6e72a9e2602560c521a1647664ad

SHA1
22f7f0ddb0af04df7109c3ddbb7027909041fa73

SHA256
579e5984ad5eb6e5e4b004acd01c95f609a1330f3900cd9851562eb4ac879197

SHA512
fbba623cab28c0648e8bdd03c99df9e2a84180d72ea8e63367e943f8b432ebc36a7e10a8bfce11ad1803e54a8514f1ded4fec72e680ee04386965b5eb6a5d6c2

Download Submit
C:\Windows\SysWOW64\catroot3\rutserv.exe

Filesize
3.2MB

MD5
62dbd11dc36780e35af1aafaa6a8f0f1

SHA1
dc6aaac7171b351be3397c3e0e1769dffa848723

SHA256
b06604ee55206b081a8378f771f3501f48df1c0023b1d6edcbc5f781aa521f57

SHA512
b7f311286387ab39a0a54ac3dbcb74d9db3de4e2657dd6f0e182e38e9ed5400e87f1000c7b978fd4bb34fc373dd99bcb18271296f03248366a9cb52afdaa695d

Download Submit
C:\Windows\SysWOW64\catroot3\rutserv.exe

Filesize
3.2MB

MD5
62dbd11dc36780e35af1aafaa6a8f0f1

SHA1
dc6aaac7171b351be3397c3e0e1769dffa848723

SHA256
b06604ee55206b081a8378f771f3501f48df1c0023b1d6edcbc5f781aa521f57

SHA512
b7f311286387ab39a0a54ac3dbcb74d9db3de4e2657dd6f0e182e38e9ed5400e87f1000c7b978fd4bb34fc373dd99bcb18271296f03248366a9cb52afdaa695d

Download Submit
C:\Windows\SysWOW64\catroot3\rutserv.exe

Filesize
3.2MB

MD5
62dbd11dc36780e35af1aafaa6a8f0f1

SHA1
dc6aaac7171b351be3397c3e0e1769dffa848723

SHA256
b06604ee55206b081a8378f771f3501f48df1c0023b1d6edcbc5f781aa521f57

SHA512
b7f311286387ab39a0a54ac3dbcb74d9db3de4e2657dd6f0e182e38e9ed5400e87f1000c7b978fd4bb34fc373dd99bcb18271296f03248366a9cb52afdaa695d

Download Submit
C:\Windows\SysWOW64\catroot3\rutserv.exe

Filesize
3.2MB

MD5
62dbd11dc36780e35af1aafaa6a8f0f1

SHA1
dc6aaac7171b351be3397c3e0e1769dffa848723

SHA256
b06604ee55206b081a8378f771f3501f48df1c0023b1d6edcbc5f781aa521f57

SHA512
b7f311286387ab39a0a54ac3dbcb74d9db3de4e2657dd6f0e182e38e9ed5400e87f1000c7b978fd4bb34fc373dd99bcb18271296f03248366a9cb52afdaa695d

Download Submit
C:\Windows\SysWOW64\catroot3\rutserv.exe

Filesize
3.2MB

MD5
62dbd11dc36780e35af1aafaa6a8f0f1

SHA1
dc6aaac7171b351be3397c3e0e1769dffa848723

SHA256
b06604ee55206b081a8378f771f3501f48df1c0023b1d6edcbc5f781aa521f57

SHA512
b7f311286387ab39a0a54ac3dbcb74d9db3de4e2657dd6f0e182e38e9ed5400e87f1000c7b978fd4bb34fc373dd99bcb18271296f03248366a9cb52afdaa695d

Download Submit
C:\Windows\SysWOW64\catroot3\rversionlib.dll

Filesize
310KB

MD5
3f95a06f40eaf51b86cef2bf036ebd7a

SHA1
64009c5f79661eb2f82c9a76a843c0d3a856695d

SHA256
1eb88258b18b215b44620326e35c90a8589f384710e7b2d61abf4f59203bd82d

SHA512
6f28b5de28026319bed198f06b5461f688ca401129f1125e9e9d3b58956cc0d546234c2d202827bd74b99afd2ead958a863a520a1f4b7e599d385a8a67062897

Download Submit
C:\Windows\SysWOW64\catroot3\set.reg

Filesize
14KB

MD5
cad5bea003e597319e443f212d2359fc

SHA1
5fd2441f20dc27a4db66e4f0f349f5d96f5a0cdc

SHA256
81987bc5d9a571dcfb571b0f8c238c807b3a34ff1b3bc75c68aa6ee78c853409

SHA512
d0a280c73750be3ebc9db607d0559697c923cc114bdd105211fd82077e40a9c75ac0ba43d3e4a73f6dd3559ea0895179a4b2c53f69883eb8e0b3adb7fbd2e374

Download Submit
C:\Windows\SysWOW64\de.exe

Filesize
98KB

MD5
b8622a3042d7fa48b2e6de433007c870

SHA1
6399b9d115c3f1d3c5469f81b1a821bf75b75ae8

SHA256
cdb8330b9a36462dad63fb5c98520c4dd1cecf8a20d071bb0eff15ecf9fe0c98

SHA512
19450e826c78cc9526bf9ccba356fa63c8282ae3093db9ad71c1f21bcd80b3850b3aabbd2221fd6ddc293378df3d52ac0484c8882aeee517145d018ce3b4ed73

Download Submit
\Users\Admin\AppData\Local\Temp\mpr.exe

Filesize
3.3MB

MD5
8dba37604bf06ebcef07dd1085865a6a

SHA1
1202eb0ea461c502daa7da9d7d75fff226bf57bd

SHA256
038ab25642a1220c27028d0b559062b43764c66541ec07a96b2a99d25d9638b0

SHA512
0f286677e964d733ea3270f0f196769d8ddddb4a6bb3007187eae56e9abb5e22ee984703df5356b5d9049e5ad3b24c567ae13773684113a4440b2cce5d0132fa

Download Submit
\Users\Admin\AppData\Local\Temp\realip.exe

Filesize
40KB

MD5
effa4a5a70423867665d2a46348ecb26

SHA1
8596bef191ed40ade5980abf0158dfd3d193c352

SHA256
03b86eeff30d769e062a3228a0fb3ce6f0f8911093cd2a4a70cade34896f568d

SHA512
d94e48e1722d4814862d78f35800b4d8eff8f17be4902cbe0d2f0355fd3279faa9a403f3e4bb7ed70b44ace8dbb76b65b7c9f6e9ccf17c69e4d17e0895b8dfff

Download Submit
\Users\Admin\AppData\Local\Temp\realip.exe

Filesize
40KB

MD5
effa4a5a70423867665d2a46348ecb26

SHA1
8596bef191ed40ade5980abf0158dfd3d193c352

SHA256
03b86eeff30d769e062a3228a0fb3ce6f0f8911093cd2a4a70cade34896f568d

SHA512
d94e48e1722d4814862d78f35800b4d8eff8f17be4902cbe0d2f0355fd3279faa9a403f3e4bb7ed70b44ace8dbb76b65b7c9f6e9ccf17c69e4d17e0895b8dfff

Download Submit
\Windows\SysWOW64\catroot3\rfusclient.exe

Filesize
2.8MB

MD5
a90c6e72a9e2602560c521a1647664ad

SHA1
22f7f0ddb0af04df7109c3ddbb7027909041fa73

SHA256
579e5984ad5eb6e5e4b004acd01c95f609a1330f3900cd9851562eb4ac879197

SHA512
fbba623cab28c0648e8bdd03c99df9e2a84180d72ea8e63367e943f8b432ebc36a7e10a8bfce11ad1803e54a8514f1ded4fec72e680ee04386965b5eb6a5d6c2

Download Submit
\Windows\SysWOW64\catroot3\rutserv.exe

Filesize
3.2MB

MD5
62dbd11dc36780e35af1aafaa6a8f0f1

SHA1
dc6aaac7171b351be3397c3e0e1769dffa848723

SHA256
b06604ee55206b081a8378f771f3501f48df1c0023b1d6edcbc5f781aa521f57

SHA512
b7f311286387ab39a0a54ac3dbcb74d9db3de4e2657dd6f0e182e38e9ed5400e87f1000c7b978fd4bb34fc373dd99bcb18271296f03248366a9cb52afdaa695d

Download Submit
\Windows\SysWOW64\catroot3\rutserv.exe

Filesize
3.2MB

MD5
62dbd11dc36780e35af1aafaa6a8f0f1

SHA1
dc6aaac7171b351be3397c3e0e1769dffa848723

SHA256
b06604ee55206b081a8378f771f3501f48df1c0023b1d6edcbc5f781aa521f57

SHA512
b7f311286387ab39a0a54ac3dbcb74d9db3de4e2657dd6f0e182e38e9ed5400e87f1000c7b978fd4bb34fc373dd99bcb18271296f03248366a9cb52afdaa695d

Download Submit
\Windows\SysWOW64\catroot3\rutserv.exe

Filesize
3.2MB

MD5
62dbd11dc36780e35af1aafaa6a8f0f1

SHA1
dc6aaac7171b351be3397c3e0e1769dffa848723

SHA256
b06604ee55206b081a8378f771f3501f48df1c0023b1d6edcbc5f781aa521f57

SHA512
b7f311286387ab39a0a54ac3dbcb74d9db3de4e2657dd6f0e182e38e9ed5400e87f1000c7b978fd4bb34fc373dd99bcb18271296f03248366a9cb52afdaa695d

Download Submit
\Windows\SysWOW64\catroot3\rversionlib.dll

Filesize
310KB

MD5
3f95a06f40eaf51b86cef2bf036ebd7a

SHA1
64009c5f79661eb2f82c9a76a843c0d3a856695d

SHA256
1eb88258b18b215b44620326e35c90a8589f384710e7b2d61abf4f59203bd82d

SHA512
6f28b5de28026319bed198f06b5461f688ca401129f1125e9e9d3b58956cc0d546234c2d202827bd74b99afd2ead958a863a520a1f4b7e599d385a8a67062897

Download Submit
\Windows\SysWOW64\catroot3\rversionlib.dll

Filesize
310KB

MD5
3f95a06f40eaf51b86cef2bf036ebd7a

SHA1
64009c5f79661eb2f82c9a76a843c0d3a856695d

SHA256
1eb88258b18b215b44620326e35c90a8589f384710e7b2d61abf4f59203bd82d

SHA512
6f28b5de28026319bed198f06b5461f688ca401129f1125e9e9d3b58956cc0d546234c2d202827bd74b99afd2ead958a863a520a1f4b7e599d385a8a67062897

Download Submit
\Windows\SysWOW64\catroot3\rversionlib.dll

Filesize
310KB

MD5
3f95a06f40eaf51b86cef2bf036ebd7a

SHA1
64009c5f79661eb2f82c9a76a843c0d3a856695d

SHA256
1eb88258b18b215b44620326e35c90a8589f384710e7b2d61abf4f59203bd82d

SHA512
6f28b5de28026319bed198f06b5461f688ca401129f1125e9e9d3b58956cc0d546234c2d202827bd74b99afd2ead958a863a520a1f4b7e599d385a8a67062897

Download Submit
\Windows\SysWOW64\catroot3\rversionlib.dll

Filesize
310KB

MD5
3f95a06f40eaf51b86cef2bf036ebd7a

SHA1
64009c5f79661eb2f82c9a76a843c0d3a856695d

SHA256
1eb88258b18b215b44620326e35c90a8589f384710e7b2d61abf4f59203bd82d

SHA512
6f28b5de28026319bed198f06b5461f688ca401129f1125e9e9d3b58956cc0d546234c2d202827bd74b99afd2ead958a863a520a1f4b7e599d385a8a67062897

Download Submit
\Windows\SysWOW64\catroot3\rversionlib.dll

Filesize
310KB

MD5
3f95a06f40eaf51b86cef2bf036ebd7a

SHA1
64009c5f79661eb2f82c9a76a843c0d3a856695d

SHA256
1eb88258b18b215b44620326e35c90a8589f384710e7b2d61abf4f59203bd82d

SHA512
6f28b5de28026319bed198f06b5461f688ca401129f1125e9e9d3b58956cc0d546234c2d202827bd74b99afd2ead958a863a520a1f4b7e599d385a8a67062897

Download Submit
memory/944-54-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1160-182-0x00000000002C0000-0x0000000000318000-memory.dmp

Filesize
352KB

Download
memory/1260-191-0x0000000000180000-0x0000000000198000-memory.dmp

Filesize
96KB

Download
memory/1260-192-0x0000000000180000-0x0000000000198000-memory.dmp

Filesize
96KB

Download
memory/1260-194-0x0000000000180000-0x0000000000198000-memory.dmp

Filesize
96KB

Download
memory/1260-195-0x0000000000180000-0x0000000000198000-memory.dmp

Filesize
96KB

Download
memory/1620-162-0x0000000000840000-0x0000000000898000-memory.dmp

Filesize
352KB

Download
memory/1648-193-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1892-146-0x0000000000230000-0x0000000000288000-memory.dmp

Filesize
352KB

Download