rurat | 42751b51dda214051e76da0bdcd07d05a0ea06a7e5f8e1ff6972cbd20a5d6dfd

Analysis

max time kernel
150s
max time network
150s
platform
windows10_x64
resource
win10v20210410
submitted
03-05-2021 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

289B352912C056D7BD1D91559077AC10.exe
Size

20.4MB
MD5

289b352912c056d7bd1d91559077ac10
SHA1

a02168ec4b6c33b0752efa78789e129f0df695ed
SHA256

42751b51dda214051e76da0bdcd07d05a0ea06a7e5f8e1ff6972cbd20a5d6dfd
SHA512

89fff63fa5bb3d12dfe9bbe6f39bc71ad444c13dee7037bb0fa991f9eac425316d7ee0866cacd5b02f260a395e30136c997c89081ba806c3d2801e1213b7b38a

Score

10^/10

rurat backdoor discovery trojan

Malware Config

Signatures

RuRAT
RuRAT is a remote admin tool sold as legitimate software but regularly abused in malicious phishing campaigns.
trojan backdoor rurat
Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

13 3512 msiexec.exe
15 3512 msiexec.exe
Executes dropped EXE 8 IoCs

Processes:

rfusclient.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exe

pid process

2172 rfusclient.exe
2736 rutserv.exe
1000 rutserv.exe
2504 rutserv.exe
3952 rutserv.exe
3464 rfusclient.exe
3032 rfusclient.exe
3760 rfusclient.exe

flow	pid	process
13	3512	msiexec.exe
15	3512	msiexec.exe

pid	process
2172	rfusclient.exe
2736	rutserv.exe
1000	rutserv.exe
2504	rutserv.exe
3952	rutserv.exe
3464	rfusclient.exe
3032	rfusclient.exe
3760	rfusclient.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rfusclient.exerfusclient.exerfusclient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	rfusclient.exe

Loads dropped DLL 9 IoCs

Processes:

MsiExec.exerutserv.exerutserv.exerutserv.exerutserv.exe

pid process

776 MsiExec.exe
2736 rutserv.exe
2736 rutserv.exe
1000 rutserv.exe
1000 rutserv.exe
2504 rutserv.exe
2504 rutserv.exe
3952 rutserv.exe
3952 rutserv.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
776	MsiExec.exe
2736	rutserv.exe
2736	rutserv.exe
1000	rutserv.exe
1000	rutserv.exe
2504	rutserv.exe
2504	rutserv.exe
3952	rutserv.exe
3952	rutserv.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Drops file in System32 directory 8 IoCs

Processes:

rutserv.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D11549FC90445E1CE90F96A21958A17_BAD82B1A5AB5DF40D46B113C64F92CEC	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D11549FC90445E1CE90F96A21958A17_BAD82B1A5AB5DF40D46B113C64F92CEC	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B	rutserv.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exerutserv.exe

description	ioc	process
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\rupdui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Portuguese, Brazilian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Portuguese.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Norwegian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Chinese Simplified.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\printer.ico	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Logs\rut_log_2021-05.html	rutserv.exe
File opened for modification	C:\Program Files (x86)\Remote Utilities - Host\Logs\rut_log_2021-05.html	rutserv.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\rupdpm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\printer.ico	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Chinese Traditional.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Italian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\printer.ico	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\rupdui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\webmvorbisdecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\libeay32.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\eventmsg.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\French.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Korean.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\unidrv_rupd.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\vccorlib120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\rupd.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\unidrvui_rupd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\rupd.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\rupd.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Swedish.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\properties.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\unidrv_rupd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\vpd_sdk.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\msvcp120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\emf2pdf.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Czech.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Danish.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\MessageBox.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\German.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Arabic.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\msvcp120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\unidrvui_rupd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\vccorlib120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\rupd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Spanish.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\rupd.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\msvcr120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\unidrv_rupd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\progressbar.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Japanese.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Dutch.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Polish.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\unidrv_rupd.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\rupdpm.dll	msiexec.exe

Drops file in Windows directory 19 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\f745387.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{C7BCB0F9-2AA1-4318-AB7D-8AF662638818}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C7BCB0F9-2AA1-4318-AB7D-8AF662638818}\en_server_settings_E3BFC76BE38F4CF79D2ED7163B7DECEE.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI57DB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C7BCB0F9-2AA1-4318-AB7D-8AF662638818}\en_server_stop_B603677802D142C98E7A415B72132E14.exe	msiexec.exe
File created	C:\Windows\Installer\f745384.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5624.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C7BCB0F9-2AA1-4318-AB7D-8AF662638818}\en_server_start_85DB64512C79429FA70AC6C0611579DD.exe	msiexec.exe
File created	C:\Windows\Installer\{C7BCB0F9-2AA1-4318-AB7D-8AF662638818}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C7BCB0F9-2AA1-4318-AB7D-8AF662638818}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File created	C:\Windows\Installer\{C7BCB0F9-2AA1-4318-AB7D-8AF662638818}\en_server_settings_E3BFC76BE38F4CF79D2ED7163B7DECEE.exe	msiexec.exe
File created	C:\Windows\Installer\{C7BCB0F9-2AA1-4318-AB7D-8AF662638818}\en_server_start_85DB64512C79429FA70AC6C0611579DD.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f745384.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C7BCB0F9-2AA1-4318-AB7D-8AF662638818}	msiexec.exe
File created	C:\Windows\Installer\{C7BCB0F9-2AA1-4318-AB7D-8AF662638818}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{C7BCB0F9-2AA1-4318-AB7D-8AF662638818}\en_server_stop_B603677802D142C98E7A415B72132E14.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 51 IoCs

Processes:

rutserv.exemsiexec.exerutserv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	rutserv.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rutserv.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9F0BCB7C1AA28134BAD7A86F26368881	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F0BCB7C1AA28134BAD7A86F26368881\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\9F0BCB7C1AA28134BAD7A86F26368881	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F0BCB7C1AA28134BAD7A86F26368881\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F0BCB7C1AA28134BAD7A86F26368881\SourceList\PackageName = "host6.12.b4_unsigned.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F0BCB7C1AA28134BAD7A86F26368881\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUT_{BCD43185-536B-4C2B-9C6A-07007C101637}\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F0BCB7C1AA28134BAD7A86F26368881\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F0BCB7C1AA28134BAD7A86F26368881\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F0BCB7C1AA28134BAD7A86F26368881\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\RUT_{BCD43185-536B-4C2B-9C6A-07007C101637}\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F0BCB7C1AA28134BAD7A86F26368881\ProductName = "Remote Utilities - Host"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F0BCB7C1AA28134BAD7A86F26368881\AuthorizedLUAApp = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F0BCB7C1AA28134BAD7A86F26368881\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F0BCB7C1AA28134BAD7A86F26368881\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9F0BCB7C1AA28134BAD7A86F26368881\RMS	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F0BCB7C1AA28134BAD7A86F26368881\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F0BCB7C1AA28134BAD7A86F26368881\InstanceType = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F0BCB7C1AA28134BAD7A86F26368881\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F0BCB7C1AA28134BAD7A86F26368881	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F0BCB7C1AA28134BAD7A86F26368881\PackageCode = "779CBC77E5038C64ABDB9F6FC3B3C092"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F0BCB7C1AA28134BAD7A86F26368881\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F0BCB7C1AA28134BAD7A86F26368881\Version = "117436476"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F0BCB7C1AA28134BAD7A86F26368881\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F0BCB7C1AA28134BAD7A86F26368881\ProductIcon = "C:\\Windows\\Installer\\{C7BCB0F9-2AA1-4318-AB7D-8AF662638818}\\ARPPRODUCTICON.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rutserv.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 0400000001000000100000001b31b0714036cc143691adc43efdec180f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df1090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f002000430041002900000062000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b40234140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb419000000010000001000000082218ffb91733e64136be5719f57c3a12000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 5c00000001000000040000000010000019000000010000001000000082218ffb91733e64136be5719f57c3a1030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d462000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b402340b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f002000430041002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df10400000001000000100000001b31b0714036cc143691adc43efdec182000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	rutserv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4	rutserv.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

289B352912C056D7BD1D91559077AC10.exerfusclient.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exe

pid	process
2116	289B352912C056D7BD1D91559077AC10.exe
2116	289B352912C056D7BD1D91559077AC10.exe
2116	289B352912C056D7BD1D91559077AC10.exe
2116	289B352912C056D7BD1D91559077AC10.exe
2172	rfusclient.exe
2172	rfusclient.exe
2736	rutserv.exe
2736	rutserv.exe
2736	rutserv.exe
2736	rutserv.exe
2736	rutserv.exe
2736	rutserv.exe
2736	rutserv.exe
2736	rutserv.exe
2736	rutserv.exe
2736	rutserv.exe
1000	rutserv.exe
1000	rutserv.exe
1000	rutserv.exe
1000	rutserv.exe
1000	rutserv.exe
1000	rutserv.exe
2504	rutserv.exe
2504	rutserv.exe
2504	rutserv.exe
2504	rutserv.exe
2504	rutserv.exe
2504	rutserv.exe
3952	rutserv.exe
3952	rutserv.exe
3952	rutserv.exe
3952	rutserv.exe
3952	rutserv.exe
3952	rutserv.exe
3952	rutserv.exe
3952	rutserv.exe
3952	rutserv.exe
3952	rutserv.exe
3952	rutserv.exe
3952	rutserv.exe
3032	rfusclient.exe
3032	rfusclient.exe
3464	rfusclient.exe
3464	rfusclient.exe
3032	rfusclient.exe
3032	rfusclient.exe
3760	rfusclient.exe
3760	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid process

3760 rfusclient.exe

pid	process
3760	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1464	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1464	msiexec.exe
Token: SeSecurityPrivilege	3512	msiexec.exe
Token: SeCreateTokenPrivilege	1464	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1464	msiexec.exe
Token: SeLockMemoryPrivilege	1464	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1464	msiexec.exe
Token: SeMachineAccountPrivilege	1464	msiexec.exe
Token: SeTcbPrivilege	1464	msiexec.exe
Token: SeSecurityPrivilege	1464	msiexec.exe
Token: SeTakeOwnershipPrivilege	1464	msiexec.exe
Token: SeLoadDriverPrivilege	1464	msiexec.exe
Token: SeSystemProfilePrivilege	1464	msiexec.exe
Token: SeSystemtimePrivilege	1464	msiexec.exe
Token: SeProfSingleProcessPrivilege	1464	msiexec.exe
Token: SeIncBasePriorityPrivilege	1464	msiexec.exe
Token: SeCreatePagefilePrivilege	1464	msiexec.exe
Token: SeCreatePermanentPrivilege	1464	msiexec.exe
Token: SeBackupPrivilege	1464	msiexec.exe
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeShutdownPrivilege	1464	msiexec.exe
Token: SeDebugPrivilege	1464	msiexec.exe
Token: SeAuditPrivilege	1464	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1464	msiexec.exe
Token: SeChangeNotifyPrivilege	1464	msiexec.exe
Token: SeRemoteShutdownPrivilege	1464	msiexec.exe
Token: SeUndockPrivilege	1464	msiexec.exe
Token: SeSyncAgentPrivilege	1464	msiexec.exe
Token: SeEnableDelegationPrivilege	1464	msiexec.exe
Token: SeManageVolumePrivilege	1464	msiexec.exe
Token: SeImpersonatePrivilege	1464	msiexec.exe
Token: SeCreateGlobalPrivilege	1464	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rfusclient.exe

pid process

3464 rfusclient.exe
3464 rfusclient.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

rfusclient.exe

pid process

3464 rfusclient.exe
3464 rfusclient.exe

pid	process
3464	rfusclient.exe
3464	rfusclient.exe

pid	process
3464	rfusclient.exe
3464	rfusclient.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exe

pid	process
2736	rutserv.exe
2736	rutserv.exe
2736	rutserv.exe
2736	rutserv.exe
1000	rutserv.exe
1000	rutserv.exe
1000	rutserv.exe
1000	rutserv.exe
2504	rutserv.exe
2504	rutserv.exe
2504	rutserv.exe
2504	rutserv.exe
3952	rutserv.exe
3952	rutserv.exe
3952	rutserv.exe
3952	rutserv.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

289B352912C056D7BD1D91559077AC10.exemsiexec.exerutserv.exerfusclient.exe

description	pid	process	target process
PID 2116 wrote to memory of 1464	2116	289B352912C056D7BD1D91559077AC10.exe	msiexec.exe
PID 2116 wrote to memory of 1464	2116	289B352912C056D7BD1D91559077AC10.exe	msiexec.exe
PID 2116 wrote to memory of 1464	2116	289B352912C056D7BD1D91559077AC10.exe	msiexec.exe
PID 3512 wrote to memory of 776	3512	msiexec.exe	MsiExec.exe
PID 3512 wrote to memory of 776	3512	msiexec.exe	MsiExec.exe
PID 3512 wrote to memory of 776	3512	msiexec.exe	MsiExec.exe
PID 3512 wrote to memory of 2172	3512	msiexec.exe	rfusclient.exe
PID 3512 wrote to memory of 2172	3512	msiexec.exe	rfusclient.exe
PID 3512 wrote to memory of 2172	3512	msiexec.exe	rfusclient.exe
PID 3512 wrote to memory of 2736	3512	msiexec.exe	rutserv.exe
PID 3512 wrote to memory of 2736	3512	msiexec.exe	rutserv.exe
PID 3512 wrote to memory of 2736	3512	msiexec.exe	rutserv.exe
PID 3512 wrote to memory of 1000	3512	msiexec.exe	rutserv.exe
PID 3512 wrote to memory of 1000	3512	msiexec.exe	rutserv.exe
PID 3512 wrote to memory of 1000	3512	msiexec.exe	rutserv.exe
PID 3512 wrote to memory of 2504	3512	msiexec.exe	rutserv.exe
PID 3512 wrote to memory of 2504	3512	msiexec.exe	rutserv.exe
PID 3512 wrote to memory of 2504	3512	msiexec.exe	rutserv.exe
PID 3952 wrote to memory of 3032	3952	rutserv.exe	rfusclient.exe
PID 3952 wrote to memory of 3032	3952	rutserv.exe	rfusclient.exe
PID 3952 wrote to memory of 3032	3952	rutserv.exe	rfusclient.exe
PID 3952 wrote to memory of 3464	3952	rutserv.exe	rfusclient.exe
PID 3952 wrote to memory of 3464	3952	rutserv.exe	rfusclient.exe
PID 3952 wrote to memory of 3464	3952	rutserv.exe	rfusclient.exe
PID 3032 wrote to memory of 3760	3032	rfusclient.exe	rfusclient.exe
PID 3032 wrote to memory of 3760	3032	rfusclient.exe	rfusclient.exe
PID 3032 wrote to memory of 3760	3032	rfusclient.exe	rfusclient.exe

C:\Users\Admin\AppData\Local\Temp\289B352912C056D7BD1D91559077AC10.exe
"C:\Users\Admin\AppData\Local\Temp\289B352912C056D7BD1D91559077AC10.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RUT_{BCD43185-536B-4C2B-9C6A-07007C101637}\host6.12.b4_unsigned.msi" /qn
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DECC25430B1A586FD6C25445A3B78B47
2⤵
- Loads dropped DLL
PID:776

C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" -msi_copy "C:\Users\Admin\AppData\Local\Temp\RUT_{BCD43185-536B-4C2B-9C6A-07007C101637}\host6.12.b4_unsigned.msi"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:2172

C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2736

C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /firewall
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1000

C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /start
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2504

C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3952

C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3464

C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3032

C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
PID:3760

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:3820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Remote Utilities - Host\Arabic.lg
MD5
f6ea3881bd23cb0ee957993fee23c6b4

SHA1
fdd6e4cc3ed79e7ee06a6bb5095cbf2904684e81

SHA256
e6f350f2cb7dd59c3806b346af9be54f490641d06e573b3ea7ddf7ce5c529078

SHA512
a34840f3e4543228891f086d4416d3da538e7a9ee6182843bffe4bd0522c8090e2f87a5bdae194c8e3cf0cf0e8cef004ea39c0685b25012ea406868dce0d61b0

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\Chinese Simplified.lg
MD5
6d995e848c199a5c0c4128a28b07affe

SHA1
6de6724ba2b5ddb85c86abe353b421786daf89f1

SHA256
09db4c31bede5f3a1000f32158c6f71f0380fcb73941e6826f4a3f5a36e868ff

SHA512
d85a56df1729abff7cee06d42ae524432af3cbfe60fb841d198a9da896443ec342a06eea8fae06912378ec64551897d4eba3df4b086fb46272df90d26d80f5d9

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\Chinese Traditional.lg
MD5
0ed6a1984e883d26c3f04b7701ffa436

SHA1
b06c8b34e7ed3f1cbec177da7c669c074c89a1f9

SHA256
fafcd673fdaec9eb1631849d68cb08d807a340279eb0221b544ead71f5b2dc69

SHA512
01326032709cee18b681c169c686a035293f80835500e46e277a5897ce8474ca937597a7a15323bb75dddce3bfafae4c4f9b872154f54779ecd7cd464cc4d06f

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\Czech.lg
MD5
8b0bfc75787bae7f7dc55e720e1a1472

SHA1
63c8d42de2526551fb8fd9f31f30e52ee92a13a2

SHA256
81a15eae890f2051fea1f04c031dedba11b2b7cfc04a81223b1adac895033a0f

SHA512
f348dee9e9c7e62556a0c111d1fa019120375f099f5d593144765be57fd196b05d6d3e06359cc15e7b181d0cb457b7d623892af5da915108e7a71cd29a08f956

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\Danish.lg
MD5
f621aa5d8a4d8bb667e73e1c05d6fe18

SHA1
2319c0afdbcd5d0c208581c05056b145e5d910d0

SHA256
cbde3517ad89a72dbcb7a693be55cbc07f5d46e88bb28128624e21d400c02408

SHA512
adc6ae4bb16c21f46a830d73d084a5ac7509aede6e86dbd1d424048d5ed431d3eb6f2158f627981ca432735c62f79f8023e3798c1f0e112f3ad8e67ef596d596

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\Dutch.lg
MD5
7c8f08d575e4a7cfa11a4ad6ddbe58ba

SHA1
902a838ff647321ca5405dd95ef8e2374b0b4388

SHA256
d4f47f4bf74574243afcf501eab3d4e9d0d5f7a624ac1139afd5db90615d9f9f

SHA512
a020f88914628847d5e61c9999ee26fd01fafd5e87388130848d67be04d8a3603e64fd42320684196459510fa55c85a30d175538e1a24153be407271237b827a

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\English.lg
MD5
c86aa7df24bc4f4aaeefc4d83dab28fc

SHA1
bb9ac5fb2aaff4706fc74ca1c66bf2311ad63118

SHA256
56c561ea9866895ad89967a0e7018f98495162d8b64f1a4bf7b6fc7fc74daf8b

SHA512
f982f2bccd84d719c61cb24ecbb2d488779935ec188b52016d0c283e8976a3b81cf4fd6cbc25344dc0f9bb3acf9a6de7cc4b82c227b278d50e642a8cc32884a0

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\French.lg
MD5
2849bda8e859811129f91ef911a8c34c

SHA1
6d01aed37e3fe26b9c4bc2eedc5ca9e2b116649f

SHA256
520968397ed6f5c0eab760dc33b0c0d8a13381f66d240810cfe58f07a6ee5cb5

SHA512
f7568d9e79ccfa6231b066cef3f6ca8e8dea56ac9286662000dcccd5de0026b3637482e4222b4212a911d87c244377c265b139bead685d0ddf1b86dad40a1b13

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\German.lg
MD5
e3e6c94329a75d7197d283976d50ed29

SHA1
6a2c3ca6f6db2f5c1da2c454eb88a192cace4090

SHA256
23e1a930e42edd46efbf49bae2cb6562e3da6e2b553b39cc2aee62ac24cdc844

SHA512
fc07fd8985764c74c02b79053bc48ac5f19ecd240b17ef5297c9d6ce677981bacef39a0b9fcb9b9ef9832eb8d2ab6638e35c2428b14d41101732c3c27e4e1d38

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\Hebrew.lg
MD5
00e28c3cd7737b444cd9fbde21bd4164

SHA1
0d80ced7c9818d07c29508538e463f7a36ccef33

SHA256
a7e5178ebb640a20d9f3691b5c1bf13ef08d4d5d1ddc2322bda0bc99ec18dc0e

SHA512
be6f06c1f2a52c7aa615cd3faf07f5b79db3a94d28e82e20598cfec5cb704b7db12448d2fdfc1c2716faa84379fd690f59a22d3ae9ca139f291e5d24007a8ab3

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\Italian.lg
MD5
9f2fb43c9393cef888ca546138db3391

SHA1
24a499e0109f07ab57f8e8de02621de6519ddea0

SHA256
ba6d0413ceb84bc4e9a677472fe8f18599e3ab83c81c45179109f27d8b2d99aa

SHA512
c523f0053128dceae4893151c93cd5c3d00554bab3ff00829e5b91b83edc0ebbd2f7439368a8387873c7d3e35f22ec682c44eb22f6c2fb08e6b534086c8d54b4

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\Japanese.lg
MD5
7683e967f436194a77c6c1fdd1b59b0f

SHA1
9eab3d831de2f6b970c144b88ead1bd720333db1

SHA256
9e9bcecba94dcf8ce3ff9de9d0ffa77dddc37ff0f4b910761c9cd506c2e1030b

SHA512
4e896d3d9368fdd8619eebd9d36405942b1441cf02d3f907ea3fb7641fe2ca11bf68782e2e72d19f498e5ec3ae5748435b1028bfbd9fc25161dc5e21b85f8e14

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\Korean.lg
MD5
915f8dbc7448f3bfb8354589ad2fc3cb

SHA1
8dc225137ba636edd312ad7b1b5397ff128adf41

SHA256
692899e2cf25e6c8c358d3d3a63662970cb1aa7e63aac2cdee8ab1efcc6dbc55

SHA512
aa3963655bc08c20efcb75a005f9c3d45e20785e13e803f59a25194f6656e3965e47e0ee6c68bda7ffb51be30676b4b5be7d388379a6d75c8fd0125eb512ef52

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\Norwegian.lg
MD5
8b9a680cd0e581c35624f870f083b2da

SHA1
c37417a00c0dedee94c57f6dc05a2c7f755ec600

SHA256
1f8dc472a0105547f913a84c34192b078fdf0ca6da2e9a3125e3770090de6b49

SHA512
b5f93428cfcfd3882b54c666df2ef695fa4e3baecb677bfdddc20a8c28fc635f1249e581e0f75069a49e64426825acab63124c009ce78407b01157730f85c983

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\Polish.lg
MD5
baaefbe6e3758c5b8d79fc5513b9f63a

SHA1
c35716d506fe5b6bac4bd45d7e7be104c00a6833

SHA256
2e3f5398fcf716600c72258de408392d3cee5901ccf30885042a3c2d3d3d9c74

SHA512
df2bb8cf9972266ef5280d2e4beec5e122914c48f266442070a5cfb898610b6fb0f417941961d742269c243315662ae181981525bbb04aebabc583dd0f5d44dd

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\Portuguese, Brazilian.lg
MD5
c3778e1dcb95065f7c2cba53d490d6b8

SHA1
bf08a8a0eb47dcc5e848e955daa112c82c4519a5

SHA256
38af7f5d7233b51adcbeca92ab28b146302ea6ad61bcfa4cdc765c2b60759f04

SHA512
1edefb2cb065f836e4767e02b70c0a9ea080ba9b7a7f938b805be221eb516dbdb20e601aa28131517bf8125dd8966d55ec3a164d2be2a1f38e4b2fedffd17a6f

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\Portuguese.lg
MD5
10f4324b24a9bd1b6c04cfc60f3f6405

SHA1
4e4c0fd79fec57a03211ee46028f7b0dd6a2978c

SHA256
57a6b2490e64471a555015f5f32b544833aacd0cd53cb67e65d7081fee644d73

SHA512
f7285f68baef6b987bb7c99c4221a26be488274750f8eccab12b4049ee07be9d8d7d0c7abb24bc6e42efa50697213be7e4350e964fe3281687a548c2690d924d

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\Spanish.lg
MD5
c9f142a80f4552867e8c87b680e90ba7

SHA1
072df48fc1d5ed50db04f4bec9c4a3ed32d8db37

SHA256
5c242b2a08d7ea452c6468c11e2b7a0882fb45caafa608e5e8c7661819539ec2

SHA512
fe0671aa76c0682e95683a3b4482e1a63a894bdfe9a4a6735ae463e2c30df861377f67e48699859fe7c50d5cb7ed88ec4fd2f6622ac2d2b126550a8696765ab3

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\Swedish.lg
MD5
01583be353cff2a0b67803f4a43f394d

SHA1
7a924df31d9720a0bc5a40a501daa11ad83675a7

SHA256
01b1a41beb45a4b31657ae347c6958527fe23866274e6432a027fd888c9df57d

SHA512
4c715cbfe804afc1802981506b58ac714668d8afc9f7b9be4c8869f7300a0281090b21fcb4ffe6efc455d3a42da37d866139490fd604c2318ab46b02b3722d2f

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\Turkish.lg
MD5
5c8be08e6573e844677c918f843fc58d

SHA1
29959ebd91532107c8d4524238b3bb54d927e2c6

SHA256
309003bd06b36380a7f53d92f2e8a3083cce6c01ed9b773a558ed2298d4a45a4

SHA512
13affbf0d90b85043475d28f4346d8f4fd21ab2f1c64b8ee56a96e817786cfca7c42b46a7b1c11364e2ffd4148337dcb1cd108215055637ae78c2b27018f8ba0

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\eventmsg.dll
MD5
43b294d9bf08840e69e986716f6b2014

SHA1
beb600fe74a8f2f9b534a3789ba71db5c1e601ae

SHA256
19dc55aed1b1b7dd69a92637bae23454f9bbd3040a1859a7c9dffd2b1c0f23a0

SHA512
3467797403cb0dcee96c192f72f1786e71ce0486507c3e74e968896418b8f42a6d00405997911df960cb2f6e540ea9dcb2c8a5a1a04702c719eb42c60139b909

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\libeay32.dll
MD5
146dfe563aeab6edb51eb24c37494251

SHA1
f54a31a9211f4a7506fdecb5121e79e7cdc1022e

SHA256
23b0ded7bf70d07d04c3ec04f3f7380b693e395bdb9fb62ff1d5b0684b9dd42d

SHA512
7df4636bcc10f09b00525069a39092ba19a9203b60f5f0fa5e254dbadc826e74642474262959ea9c88c00d97ca4abec8905fb8c2d50a963cf410012cfdeccc90

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
MD5
5169aff3ecdf7cfcb1b6b8bb375c5e1c

SHA1
e100c72a079087119c8cd4a456160dcfd73e3c21

SHA256
c295bd2653d6d8752ff5805b4114eee8e4370a0f16e922d81aecc5f49fa8c9c9

SHA512
ff68ede51d0a0f3d84adf017eccc67513a232d50e29a688fcdea8f781e7f3c3d5b0f9d91075473c7b775b56f3f15a8c6496088961b2185a3c86bfc062c2a2919

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
MD5
5169aff3ecdf7cfcb1b6b8bb375c5e1c

SHA1
e100c72a079087119c8cd4a456160dcfd73e3c21

SHA256
c295bd2653d6d8752ff5805b4114eee8e4370a0f16e922d81aecc5f49fa8c9c9

SHA512
ff68ede51d0a0f3d84adf017eccc67513a232d50e29a688fcdea8f781e7f3c3d5b0f9d91075473c7b775b56f3f15a8c6496088961b2185a3c86bfc062c2a2919

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
MD5
5169aff3ecdf7cfcb1b6b8bb375c5e1c

SHA1
e100c72a079087119c8cd4a456160dcfd73e3c21

SHA256
c295bd2653d6d8752ff5805b4114eee8e4370a0f16e922d81aecc5f49fa8c9c9

SHA512
ff68ede51d0a0f3d84adf017eccc67513a232d50e29a688fcdea8f781e7f3c3d5b0f9d91075473c7b775b56f3f15a8c6496088961b2185a3c86bfc062c2a2919

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
MD5
5169aff3ecdf7cfcb1b6b8bb375c5e1c

SHA1
e100c72a079087119c8cd4a456160dcfd73e3c21

SHA256
c295bd2653d6d8752ff5805b4114eee8e4370a0f16e922d81aecc5f49fa8c9c9

SHA512
ff68ede51d0a0f3d84adf017eccc67513a232d50e29a688fcdea8f781e7f3c3d5b0f9d91075473c7b775b56f3f15a8c6496088961b2185a3c86bfc062c2a2919

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
MD5
5169aff3ecdf7cfcb1b6b8bb375c5e1c

SHA1
e100c72a079087119c8cd4a456160dcfd73e3c21

SHA256
c295bd2653d6d8752ff5805b4114eee8e4370a0f16e922d81aecc5f49fa8c9c9

SHA512
ff68ede51d0a0f3d84adf017eccc67513a232d50e29a688fcdea8f781e7f3c3d5b0f9d91075473c7b775b56f3f15a8c6496088961b2185a3c86bfc062c2a2919

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
MD5
3432a9f6b7748ac0468052fd067663b3

SHA1
8b8e987de00de147306a9b2081bac113782110d9

SHA256
5ada6d1fd62bb1740ea80a30788e55988758acc2b835e6835d6524af1e7afcbd

SHA512
94348a5e735f7221d0c387f03d236b6419487a909bda1046da13a938eb81a75aed7501d0f747b80b3048d30d411f7053ed6b6334faada56cd3e7c14f5e462310

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
MD5
3432a9f6b7748ac0468052fd067663b3

SHA1
8b8e987de00de147306a9b2081bac113782110d9

SHA256
5ada6d1fd62bb1740ea80a30788e55988758acc2b835e6835d6524af1e7afcbd

SHA512
94348a5e735f7221d0c387f03d236b6419487a909bda1046da13a938eb81a75aed7501d0f747b80b3048d30d411f7053ed6b6334faada56cd3e7c14f5e462310

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
MD5
3432a9f6b7748ac0468052fd067663b3

SHA1
8b8e987de00de147306a9b2081bac113782110d9

SHA256
5ada6d1fd62bb1740ea80a30788e55988758acc2b835e6835d6524af1e7afcbd

SHA512
94348a5e735f7221d0c387f03d236b6419487a909bda1046da13a938eb81a75aed7501d0f747b80b3048d30d411f7053ed6b6334faada56cd3e7c14f5e462310

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
MD5
3432a9f6b7748ac0468052fd067663b3

SHA1
8b8e987de00de147306a9b2081bac113782110d9

SHA256
5ada6d1fd62bb1740ea80a30788e55988758acc2b835e6835d6524af1e7afcbd

SHA512
94348a5e735f7221d0c387f03d236b6419487a909bda1046da13a938eb81a75aed7501d0f747b80b3048d30d411f7053ed6b6334faada56cd3e7c14f5e462310

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
MD5
3432a9f6b7748ac0468052fd067663b3

SHA1
8b8e987de00de147306a9b2081bac113782110d9

SHA256
5ada6d1fd62bb1740ea80a30788e55988758acc2b835e6835d6524af1e7afcbd

SHA512
94348a5e735f7221d0c387f03d236b6419487a909bda1046da13a938eb81a75aed7501d0f747b80b3048d30d411f7053ed6b6334faada56cd3e7c14f5e462310

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\ssleay32.dll
MD5
7450078342329c700f7fef4f84c11cde

SHA1
18ee67c1a9e7b9b82e69040f81b61db9155151ab

SHA256
9f2ebc122d4f51f37877b00b3cad3d639936b2046498a6b05a191f9a9525ac67

SHA512
07c0480ef354d8805f3a0ee6d33eed18d1352a3978cbfb01f4a521300f6a072f29c6f190c138dabef76fbff81625dc5b3e1574f1385d0ab6f8b22ad69122f316

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\vp8decoder.dll
MD5
b734c92aece61a0471984b1fafb2db03

SHA1
17e5ef96d462ebc79e75472dc376ec7b65bfc5ef

SHA256
78b2a0c2b220875d1111efcca49839f56af89ac7d17ab9f4dbbb2af817440a31

SHA512
dd51116862a0434a7300c9532c03bfd07f04582da5d801e45ec41619555ecd0985fd521792cbe3f8ce47e087ed40c3ca2f1c8db0dda0ff0529c81e6452708aec

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\vp8encoder.dll
MD5
afdab890be73c9945d6e96dfafd0c997

SHA1
60e2b20c2ae650d664a820c9b9d799619ef97456

SHA256
ced7a854946fb1a2ce6491c94acba9697d3b360ba4efd0e9e6450802d601c57a

SHA512
8438aae312f344ac09906d9d01e9bb18835f970921e9a58ddec8cd6a20a7ea41820376cf7eee6c8e0068ef2089ff6d6c4bc875fe44331283c91bb5b95a1ea6e1

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\webmmux.dll
MD5
50784c57f4d034b33150b8dbe9b029ca

SHA1
c393732f929851da135b71cf0b8d065f31a15dd9

SHA256
b287fa75d93e08cad6fe680196a94a3693f9d4f3328e0066b82ca8088472055a

SHA512
feb98808143caa1ab88187d96056ea1011f882799f608e3f59492d34eae1002f258fbbce99171a715545fffb3e2f2fc6a9c1a631f639d474eb074446f3ac7bd7

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\webmvorbisdecoder.dll
MD5
c7b616d2ad36ed68aef3621b45cd0831

SHA1
ea2da553244d43a60b9ddbedaeb02dcf7185ac5d

SHA256
e609d5253483bafe10baa880a33968c98620ad753a557ef38c2ed4694a118585

SHA512
9bdb3e76fa1533c862226438ba78a9112f41d7b431b8885bebf33ca170190f31cc4d05db641ec02728f08815fac4c1b73c98b04e26ce857bf298cee3ec05b408

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\webmvorbisencoder.dll
MD5
ff70441f6fd3eeb5a061c117a13da554

SHA1
d8ca8841e636436c4d4c7ef0479c549b404a9983

SHA256
4f8ef46af1591a5906dba229be6866d756f29778d562b503b30d967b1a75339d

SHA512
c54d82d34b5e52097096357471156b8ad4f579b9b679b513fa063c25becc6cb0c54023f2ae5ec61a3a19a5d6b262a961ab3df970e431467488ad3196fd2c2882

Download Submit
C:\ProgramData\Remote Utilities\install.log
MD5
142f332d6c621350454f05a87047be1d

SHA1
7c7c4e51866489bddff51bd4cf190d132873a681

SHA256
4350da38fd3fcde4d13f70af6c54b5c80be23e75da8720c7d8bfba38a887eb20

SHA512
ec0aa5a4d977cd683979d9f1ef0af4d0d6893e9793aa8e89aab53ba9ed04e48a259937e36ab6fd3eb272d1f41988ac6311b1a790baacb40698babbb153a70202

Download Submit
C:\ProgramData\Remote Utilities\install.log
MD5
0ad438ec1765866264fc655980bd8ebb

SHA1
b174a28875bcb7b882742fb84f0c0ae57ddbfc77

SHA256
eeb7ec952af020e18c6da404db122666bbbc7187cb27b992dcb433d5bfe47ff5

SHA512
d6ec53ee940e9e9c66dd67cb9507e76edf37f5224dc01fa263a76eac220f93d84fff9b5151b856d5ce8464654991d6bbc3e7ebc21b1ba118b6694dbf4f2c34a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUT_{BCD43185-536B-4C2B-9C6A-07007C101637}\host6.12.b4_unsigned.msi
MD5
6c9200c6e15006ee501eafa83b555f00

SHA1
43c063041585f499509b1e46d8b0b5fa5b9d0b8e

SHA256
02bf49c142712dacbeeb33fe28d1186f96d62a482ae2a77363e09ffa82dc7e60

SHA512
bb5d9c6bb934fd428eaf382156582ad3527c71741249ab19f6851939b96ffdafb68e84d97fe3ccd16014ce2d3535576b33961dd6f4c8bf15fb814ba38a881a66

Download Submit
C:\Windows\Installer\MSI5624.tmp
MD5
791c89209ece2aaafff0cf28d42763aa

SHA1
862c87e5920640c5c825d54740c15d0cc99e1120

SHA256
d4b028c81ed4d593240afad9db36565ffe2c26d4dc4edf025655dd1d338168eb

SHA512
0e5d037cdd0df3cf5caad2c9f973e57dd70512f9d382beb7ec39aca15aba5f43764b7b075c8a9bbfac3154d274469f18db9dd8f3dd9bc22e03b567873d552e7b

Download Submit
\Program Files (x86)\Remote Utilities - Host\libeay32.dll
MD5
146dfe563aeab6edb51eb24c37494251

SHA1
f54a31a9211f4a7506fdecb5121e79e7cdc1022e

SHA256
23b0ded7bf70d07d04c3ec04f3f7380b693e395bdb9fb62ff1d5b0684b9dd42d

SHA512
7df4636bcc10f09b00525069a39092ba19a9203b60f5f0fa5e254dbadc826e74642474262959ea9c88c00d97ca4abec8905fb8c2d50a963cf410012cfdeccc90

Download Submit
\Program Files (x86)\Remote Utilities - Host\libeay32.dll
MD5
146dfe563aeab6edb51eb24c37494251

SHA1
f54a31a9211f4a7506fdecb5121e79e7cdc1022e

SHA256
23b0ded7bf70d07d04c3ec04f3f7380b693e395bdb9fb62ff1d5b0684b9dd42d

SHA512
7df4636bcc10f09b00525069a39092ba19a9203b60f5f0fa5e254dbadc826e74642474262959ea9c88c00d97ca4abec8905fb8c2d50a963cf410012cfdeccc90

Download Submit
\Program Files (x86)\Remote Utilities - Host\libeay32.dll
MD5
146dfe563aeab6edb51eb24c37494251

SHA1
f54a31a9211f4a7506fdecb5121e79e7cdc1022e

SHA256
23b0ded7bf70d07d04c3ec04f3f7380b693e395bdb9fb62ff1d5b0684b9dd42d

SHA512
7df4636bcc10f09b00525069a39092ba19a9203b60f5f0fa5e254dbadc826e74642474262959ea9c88c00d97ca4abec8905fb8c2d50a963cf410012cfdeccc90

Download Submit
\Program Files (x86)\Remote Utilities - Host\libeay32.dll
MD5
146dfe563aeab6edb51eb24c37494251

SHA1
f54a31a9211f4a7506fdecb5121e79e7cdc1022e

SHA256
23b0ded7bf70d07d04c3ec04f3f7380b693e395bdb9fb62ff1d5b0684b9dd42d

SHA512
7df4636bcc10f09b00525069a39092ba19a9203b60f5f0fa5e254dbadc826e74642474262959ea9c88c00d97ca4abec8905fb8c2d50a963cf410012cfdeccc90

Download Submit
\Program Files (x86)\Remote Utilities - Host\ssleay32.dll
MD5
7450078342329c700f7fef4f84c11cde

SHA1
18ee67c1a9e7b9b82e69040f81b61db9155151ab

SHA256
9f2ebc122d4f51f37877b00b3cad3d639936b2046498a6b05a191f9a9525ac67

SHA512
07c0480ef354d8805f3a0ee6d33eed18d1352a3978cbfb01f4a521300f6a072f29c6f190c138dabef76fbff81625dc5b3e1574f1385d0ab6f8b22ad69122f316

Download Submit
\Program Files (x86)\Remote Utilities - Host\ssleay32.dll
MD5
7450078342329c700f7fef4f84c11cde

SHA1
18ee67c1a9e7b9b82e69040f81b61db9155151ab

SHA256
9f2ebc122d4f51f37877b00b3cad3d639936b2046498a6b05a191f9a9525ac67

SHA512
07c0480ef354d8805f3a0ee6d33eed18d1352a3978cbfb01f4a521300f6a072f29c6f190c138dabef76fbff81625dc5b3e1574f1385d0ab6f8b22ad69122f316

Download Submit
\Program Files (x86)\Remote Utilities - Host\ssleay32.dll
MD5
7450078342329c700f7fef4f84c11cde

SHA1
18ee67c1a9e7b9b82e69040f81b61db9155151ab

SHA256
9f2ebc122d4f51f37877b00b3cad3d639936b2046498a6b05a191f9a9525ac67

SHA512
07c0480ef354d8805f3a0ee6d33eed18d1352a3978cbfb01f4a521300f6a072f29c6f190c138dabef76fbff81625dc5b3e1574f1385d0ab6f8b22ad69122f316

Download Submit
\Program Files (x86)\Remote Utilities - Host\ssleay32.dll
MD5
7450078342329c700f7fef4f84c11cde

SHA1
18ee67c1a9e7b9b82e69040f81b61db9155151ab

SHA256
9f2ebc122d4f51f37877b00b3cad3d639936b2046498a6b05a191f9a9525ac67

SHA512
07c0480ef354d8805f3a0ee6d33eed18d1352a3978cbfb01f4a521300f6a072f29c6f190c138dabef76fbff81625dc5b3e1574f1385d0ab6f8b22ad69122f316

Download Submit
\Windows\Installer\MSI5624.tmp
MD5
791c89209ece2aaafff0cf28d42763aa

SHA1
862c87e5920640c5c825d54740c15d0cc99e1120

SHA256
d4b028c81ed4d593240afad9db36565ffe2c26d4dc4edf025655dd1d338168eb

SHA512
0e5d037cdd0df3cf5caad2c9f973e57dd70512f9d382beb7ec39aca15aba5f43764b7b075c8a9bbfac3154d274469f18db9dd8f3dd9bc22e03b567873d552e7b

Download Submit
memory/776-121-0x0000000000000000-mapping.dmp

Download
memory/1000-141-0x00000000017D0000-0x00000000017D1000-memory.dmp

Filesize
4KB

Download
memory/1000-139-0x0000000000000000-mapping.dmp

Download
memory/1464-115-0x0000000000000000-mapping.dmp

Download
memory/2116-114-0x0000000002FF0000-0x000000000313A000-memory.dmp

Filesize
1.3MB

Download
memory/2172-129-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/2172-126-0x0000000000000000-mapping.dmp

Download
memory/2504-144-0x0000000000000000-mapping.dmp

Download
memory/2504-150-0x00000000017E0000-0x00000000017E1000-memory.dmp

Filesize
4KB

Download
memory/2736-130-0x0000000000000000-mapping.dmp

Download
memory/2736-137-0x0000000001BB0000-0x0000000001BB1000-memory.dmp

Filesize
4KB

Download
memory/3032-193-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/3032-202-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/3032-203-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/3032-183-0x0000000000000000-mapping.dmp

Download
memory/3032-204-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/3464-205-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/3464-201-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/3464-206-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/3464-184-0x0000000000000000-mapping.dmp

Download
memory/3464-194-0x00000000013B0000-0x00000000013B1000-memory.dmp

Filesize
4KB

Download
memory/3760-209-0x0000000000000000-mapping.dmp

Download
memory/3760-211-0x0000000004620000-0x0000000004621000-memory.dmp

Filesize
4KB

Download
memory/3952-181-0x0000000003B60000-0x0000000003B61000-memory.dmp

Filesize
4KB

Download
memory/3952-196-0x0000000003B30000-0x0000000003B31000-memory.dmp

Filesize
4KB

Download
memory/3952-197-0x0000000003B40000-0x0000000003B41000-memory.dmp

Filesize
4KB

Download
memory/3952-198-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/3952-200-0x0000000006290000-0x0000000006291000-memory.dmp

Filesize
4KB

Download
memory/3952-199-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/3952-195-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/3952-192-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/3952-191-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/3952-190-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/3952-189-0x0000000003C70000-0x0000000003C71000-memory.dmp

Filesize
4KB

Download
memory/3952-187-0x0000000003C60000-0x0000000003C61000-memory.dmp

Filesize
4KB

Download
memory/3952-207-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/3952-208-0x0000000004010000-0x0000000004011000-memory.dmp

Filesize
4KB

Download
memory/3952-182-0x0000000003BC0000-0x0000000003BC1000-memory.dmp

Filesize
4KB

Download
memory/3952-180-0x0000000003AD0000-0x0000000003AD1000-memory.dmp

Filesize
4KB

Download
memory/3952-179-0x00000000016F0000-0x000000000183A000-memory.dmp

Filesize
1.3MB

Download