rms | ac525ea998dae61bdbf7bca8b942867a0fc05cb2a01e5fb0f714991c3bea51fa

Analysis

max time kernel
146s
max time network
173s
platform
windows7_x64
resource
win7v20210410
submitted
23-06-2021 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe
Size

6.5MB
MD5

2ad5fadef0fb042d289ae31f95422b01
SHA1

a6785f060e178c97b67c1b270af402ef3af549ee
SHA256

ac525ea998dae61bdbf7bca8b942867a0fc05cb2a01e5fb0f714991c3bea51fa
SHA512

ba7ff8fd11d0807e2029482e1542225b33d6511fdd710bd87a01f6b9488b1dba17342c65195a3abbc3dfb45275494818e9d89ae13b85c65f9a1f7678759c0844

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Executes dropped EXE 7 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exe

pid process

1388 rutserv.exe
860 rutserv.exe
1272 rutserv.exe
1648 rutserv.exe
1232 rfusclient.exe
1748 rfusclient.exe
1388 rfusclient.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exerutserv.exe

pid process

1204 cmd.exe
1648 rutserv.exe
1648 rutserv.exe

pid	process
1204	cmd.exe
1648	rutserv.exe
1648	rutserv.exe

Drops file in Windows directory 7 IoCs

Processes:

attrib.exeAC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe

description	ioc	process
File opened for modification	C:\Windows\System64\install.bat	attrib.exe
File created	C:\Windows\System64\rfusclient.exe	AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe
File created	C:\Windows\System64\rutserv.exe	AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe
File created	C:\Windows\System64\vp8encoder.dll	AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe
File created	C:\Windows\System64\vp8decoder.dll	AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe
File created	C:\Windows\System64\regedit.reg	AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe
File created	C:\Windows\System64\install.bat	AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1552 timeout.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1632 taskkill.exe
576 taskkill.exe
904 taskkill.exe
512 taskkill.exe
924 taskkill.exe
996 taskkill.exe
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

864 regedit.exe

pid	process
1552	timeout.exe

pid	process
1632	taskkill.exe
576	taskkill.exe
904	taskkill.exe
512	taskkill.exe
924	taskkill.exe
996	taskkill.exe

pid	process
864	regedit.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exe

pid	process
1388	rutserv.exe
1388	rutserv.exe
1388	rutserv.exe
1388	rutserv.exe
860	rutserv.exe
860	rutserv.exe
1272	rutserv.exe
1272	rutserv.exe
1648	rutserv.exe
1648	rutserv.exe
1648	rutserv.exe
1648	rutserv.exe
1232	rfusclient.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe

pid process

1656 AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid process

1388 rfusclient.exe

pid	process
1388	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exerutserv.exerutserv.exerutserv.exe

description	pid	process
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	576	taskkill.exe
Token: SeDebugPrivilege	904	taskkill.exe
Token: SeDebugPrivilege	512	taskkill.exe
Token: SeDebugPrivilege	924	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe
Token: SeDebugPrivilege	1388	rutserv.exe
Token: SeDebugPrivilege	1272	rutserv.exe
Token: SeTakeOwnershipPrivilege	1648	rutserv.exe
Token: SeTcbPrivilege	1648	rutserv.exe
Token: SeTcbPrivilege	1648	rutserv.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exerutserv.exerutserv.exerutserv.exerutserv.exe

pid	process
1656	AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe
1656	AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe
1388	rutserv.exe
860	rutserv.exe
1272	rutserv.exe
1648	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.execmd.exerutserv.exe

description	pid	process	target process
PID 1656 wrote to memory of 1204	1656	AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe	cmd.exe
PID 1656 wrote to memory of 1204	1656	AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe	cmd.exe
PID 1656 wrote to memory of 1204	1656	AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe	cmd.exe
PID 1656 wrote to memory of 1204	1656	AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe	cmd.exe
PID 1656 wrote to memory of 1204	1656	AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe	cmd.exe
PID 1656 wrote to memory of 1204	1656	AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe	cmd.exe
PID 1656 wrote to memory of 1204	1656	AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe	cmd.exe
PID 1204 wrote to memory of 1588	1204	cmd.exe	attrib.exe
PID 1204 wrote to memory of 1588	1204	cmd.exe	attrib.exe
PID 1204 wrote to memory of 1588	1204	cmd.exe	attrib.exe
PID 1204 wrote to memory of 1588	1204	cmd.exe	attrib.exe
PID 1204 wrote to memory of 1632	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 1632	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 1632	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 1632	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 576	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 576	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 576	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 576	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 904	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 904	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 904	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 904	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 512	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 512	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 512	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 512	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 924	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 924	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 924	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 924	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 996	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 996	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 996	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 996	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 328	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 328	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 328	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 328	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 916	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 916	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 916	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 916	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 864	1204	cmd.exe	regedit.exe
PID 1204 wrote to memory of 864	1204	cmd.exe	regedit.exe
PID 1204 wrote to memory of 864	1204	cmd.exe	regedit.exe
PID 1204 wrote to memory of 864	1204	cmd.exe	regedit.exe
PID 1204 wrote to memory of 1552	1204	cmd.exe	timeout.exe
PID 1204 wrote to memory of 1552	1204	cmd.exe	timeout.exe
PID 1204 wrote to memory of 1552	1204	cmd.exe	timeout.exe
PID 1204 wrote to memory of 1552	1204	cmd.exe	timeout.exe
PID 1204 wrote to memory of 1388	1204	cmd.exe	rutserv.exe
PID 1204 wrote to memory of 1388	1204	cmd.exe	rutserv.exe
PID 1204 wrote to memory of 1388	1204	cmd.exe	rutserv.exe
PID 1204 wrote to memory of 1388	1204	cmd.exe	rutserv.exe
PID 1204 wrote to memory of 860	1204	cmd.exe	rutserv.exe
PID 1204 wrote to memory of 860	1204	cmd.exe	rutserv.exe
PID 1204 wrote to memory of 860	1204	cmd.exe	rutserv.exe
PID 1204 wrote to memory of 860	1204	cmd.exe	rutserv.exe
PID 1204 wrote to memory of 1272	1204	cmd.exe	rutserv.exe
PID 1204 wrote to memory of 1272	1204	cmd.exe	rutserv.exe
PID 1204 wrote to memory of 1272	1204	cmd.exe	rutserv.exe
PID 1204 wrote to memory of 1272	1204	cmd.exe	rutserv.exe
PID 1648 wrote to memory of 1232	1648	rutserv.exe	rfusclient.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1588 attrib.exe

pid	process
1588	attrib.exe

C:\Users\Admin\AppData\Local\Temp\AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe
"C:\Users\Admin\AppData\Local\Temp\AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\System64\install.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\attrib.exe
attrib -r -a -s -h "C:\Windows\System64\install.bat" /S /D
3⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1588

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:512

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
3⤵
PID:328

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\System Corporation Update" /f
3⤵
PID:916

C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
3⤵
- Runs .reg file with regedit
PID:864

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:1552

C:\Windows\System64\rutserv.exe
rutserv.exe /silentinstall
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1388

C:\Windows\System64\rutserv.exe
rutserv.exe /firewall
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:860

C:\Windows\System64\rutserv.exe
rutserv.exe /start
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1272

C:\Windows\System64\rutserv.exe
C:\Windows\System64\rutserv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\System64\rfusclient.exe
C:\Windows\System64\rfusclient.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1232

C:\Windows\System64\rfusclient.exe
C:\Windows\System64\rfusclient.exe /tray
3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:1388

C:\Windows\System64\rfusclient.exe
C:\Windows\System64\rfusclient.exe /tray
2⤵
- Executes dropped EXE
PID:1748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System64\install.bat
MD5
8dc5992eaab9776cdc9b0097c496fd0e

SHA1
e240e584d5d54e580078626dce145b22576f3f26

SHA256
5e85064c53edc3f877c4dcf31b5eca143ada879161070dec4f618c90d3167737

SHA512
5985d65cb24f0d285782fa6c6b6eba87fab4f4094bdb577a61fb52a01e67f3bbe05b1553a4dbd5ca9e49a44b6b55c3c3e6ff72a6b26ff7a72fbe65739b64c58c

Download Submit
C:\Windows\System64\regedit.reg
MD5
c3e1ae3e5d9141ca80a8451ea3ec15d4

SHA1
454e3bbc3e970e0a5d9824dbba039eea82375402

SHA256
3379bac5475a048c38908f671813e67854e4fd8807adc612cd52b1d8ad5c30d2

SHA512
3a064732cceaa95db057bce01cecd75c9d42cf0e659c8da99f1fd649af78f8ed826853ccc7aee81929caa9ccf5a92e2b73ea6ffe0a201a44834b7e1a5237d1cc

Download Submit
C:\Windows\System64\rfusclient.exe
MD5
36a83be43ba5be7c718d59afd372f909

SHA1
a57510a3bb6a8ca6a8842d12230e090e304ce2f9

SHA256
ef61278f0da1c711b306b4146c74d6a34fa7305bff17c5bf06f0d03d0d3e50fb

SHA512
58936b68134b56a5a25f7f1ce83fc5e7833ccffdccefb217eb3445fffec6cd3205356ad788a8387bfb8373f59dce0aab14a4fc8ec29efc7d8d744f611565ed61

Download Submit
C:\Windows\System64\rfusclient.exe
MD5
36a83be43ba5be7c718d59afd372f909

SHA1
a57510a3bb6a8ca6a8842d12230e090e304ce2f9

SHA256
ef61278f0da1c711b306b4146c74d6a34fa7305bff17c5bf06f0d03d0d3e50fb

SHA512
58936b68134b56a5a25f7f1ce83fc5e7833ccffdccefb217eb3445fffec6cd3205356ad788a8387bfb8373f59dce0aab14a4fc8ec29efc7d8d744f611565ed61

Download Submit
C:\Windows\System64\rfusclient.exe
MD5
36a83be43ba5be7c718d59afd372f909

SHA1
a57510a3bb6a8ca6a8842d12230e090e304ce2f9

SHA256
ef61278f0da1c711b306b4146c74d6a34fa7305bff17c5bf06f0d03d0d3e50fb

SHA512
58936b68134b56a5a25f7f1ce83fc5e7833ccffdccefb217eb3445fffec6cd3205356ad788a8387bfb8373f59dce0aab14a4fc8ec29efc7d8d744f611565ed61

Download Submit
C:\Windows\System64\rfusclient.exe
MD5
36a83be43ba5be7c718d59afd372f909

SHA1
a57510a3bb6a8ca6a8842d12230e090e304ce2f9

SHA256
ef61278f0da1c711b306b4146c74d6a34fa7305bff17c5bf06f0d03d0d3e50fb

SHA512
58936b68134b56a5a25f7f1ce83fc5e7833ccffdccefb217eb3445fffec6cd3205356ad788a8387bfb8373f59dce0aab14a4fc8ec29efc7d8d744f611565ed61

Download Submit
C:\Windows\System64\rutserv.exe
MD5
8f6e38cc55206473121c8bf63fcbcf2d

SHA1
35504ce4bc1cea9e737a3be108cd428ab2251e1d

SHA256
fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57

SHA512
083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

Download Submit
C:\Windows\System64\rutserv.exe
MD5
8f6e38cc55206473121c8bf63fcbcf2d

SHA1
35504ce4bc1cea9e737a3be108cd428ab2251e1d

SHA256
fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57

SHA512
083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

Download Submit
C:\Windows\System64\rutserv.exe
MD5
8f6e38cc55206473121c8bf63fcbcf2d

SHA1
35504ce4bc1cea9e737a3be108cd428ab2251e1d

SHA256
fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57

SHA512
083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

Download Submit
C:\Windows\System64\rutserv.exe
MD5
8f6e38cc55206473121c8bf63fcbcf2d

SHA1
35504ce4bc1cea9e737a3be108cd428ab2251e1d

SHA256
fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57

SHA512
083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

Download Submit
C:\Windows\System64\rutserv.exe
MD5
8f6e38cc55206473121c8bf63fcbcf2d

SHA1
35504ce4bc1cea9e737a3be108cd428ab2251e1d

SHA256
fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57

SHA512
083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

Download Submit
C:\Windows\System64\vp8decoder.dll
MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\Windows\System64\vp8encoder.dll
MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
\Windows\System64\rfusclient.exe
MD5
36a83be43ba5be7c718d59afd372f909

SHA1
a57510a3bb6a8ca6a8842d12230e090e304ce2f9

SHA256
ef61278f0da1c711b306b4146c74d6a34fa7305bff17c5bf06f0d03d0d3e50fb

SHA512
58936b68134b56a5a25f7f1ce83fc5e7833ccffdccefb217eb3445fffec6cd3205356ad788a8387bfb8373f59dce0aab14a4fc8ec29efc7d8d744f611565ed61

Download Submit
\Windows\System64\rfusclient.exe
MD5
36a83be43ba5be7c718d59afd372f909

SHA1
a57510a3bb6a8ca6a8842d12230e090e304ce2f9

SHA256
ef61278f0da1c711b306b4146c74d6a34fa7305bff17c5bf06f0d03d0d3e50fb

SHA512
58936b68134b56a5a25f7f1ce83fc5e7833ccffdccefb217eb3445fffec6cd3205356ad788a8387bfb8373f59dce0aab14a4fc8ec29efc7d8d744f611565ed61

Download Submit
\Windows\System64\rutserv.exe
MD5
8f6e38cc55206473121c8bf63fcbcf2d

SHA1
35504ce4bc1cea9e737a3be108cd428ab2251e1d

SHA256
fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57

SHA512
083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

Download Submit
memory/328-71-0x0000000000000000-mapping.dmp

Download
memory/512-68-0x0000000000000000-mapping.dmp

Download
memory/576-66-0x0000000000000000-mapping.dmp

Download
memory/860-83-0x0000000000000000-mapping.dmp

Download
memory/860-91-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/864-73-0x0000000000000000-mapping.dmp

Download
memory/904-67-0x0000000000000000-mapping.dmp

Download
memory/916-72-0x0000000000000000-mapping.dmp

Download
memory/924-69-0x0000000000000000-mapping.dmp

Download
memory/996-70-0x0000000000000000-mapping.dmp

Download
memory/1204-62-0x0000000000000000-mapping.dmp

Download
memory/1232-98-0x0000000000000000-mapping.dmp

Download
memory/1232-105-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1272-92-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1272-86-0x0000000000000000-mapping.dmp

Download
memory/1388-79-0x0000000000000000-mapping.dmp

Download
memory/1388-82-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1388-107-0x0000000000000000-mapping.dmp

Download
memory/1388-110-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1552-76-0x0000000000000000-mapping.dmp

Download
memory/1588-64-0x0000000000000000-mapping.dmp

Download
memory/1632-65-0x0000000000000000-mapping.dmp

Download
memory/1648-93-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1656-60-0x0000000074F31000-0x0000000074F33000-memory.dmp

Filesize
8KB

Download
memory/1656-61-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1748-100-0x0000000000000000-mapping.dmp

Download
memory/1748-106-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download