Malware Analysis Report

2024-11-30 19:36

Sample ID 220213-q1pewsadd4
Target 5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e
SHA256 5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e
Tags
rms evasion rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e

Threat Level: Known bad

The file 5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e was found to be: Known bad.

Malicious Activity Summary

rms evasion rat trojan

RMS

Sets file to hidden

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Views/modifies file attributes

Checks processor information in registry

Modifies registry class

Runs .reg file with regedit

Suspicious behavior: SetClipboardViewer

Modifies data under HKEY_USERS

Kills process with taskkill

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-13 13:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-13 13:43

Reported

2022-02-13 13:46

Platform

win7-en-20211208

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe"

Signatures

RMS

trojan rat rms

Sets file to hidden

evasion

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Server\ROMFUSClient.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files\Catroot\vp8decoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Server\ROMServer.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files\Server\AledensoftIpcServer.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Server\AledensoftIpcServer.dll C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\Server\ROMServer.map C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files\Server\ROMServer.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Catroot\vp8decoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Server\Russian.lg C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files\Server\English.lg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Server\English.lg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Server\English.lg C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\Server\ROMFUSClient.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\Catroot\rfusclient.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files\Server\Russian.lg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Server\ROMServer.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files\Catroot\Logs\rms_log_2022-02.html C:\Program Files\Catroot\rutserv.exe N/A
File created C:\Program Files\Catroot\rutserv.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Catroot\Logs\rms_log_2022-02.html C:\Program Files\Catroot\rutserv.exe N/A
File created C:\Program Files\Catroot\vp8encoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Server\AledensoftIpcServer.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Server\ROMServer.map C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Catroot\rfusclient.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\Catroot\rutserv.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\Catroot\vp8encoder.dll C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\Server\Russian.lg C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files\Server\ROMFUSClient.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Catroot\vp8decoder.dll C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files\Catroot\rfusclient.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Catroot\rutserv.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Catroot\vp8encoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files\Server\ROMServer.map C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Program Files\Catroot\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Server\ROMServer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Catroot\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Server\ROMServer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Catroot\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files\Server\ROMServer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Catroot\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files\Catroot\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files\Catroot\rutserv.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Catroot\rutserv.exe N/A
N/A N/A C:\Program Files\Catroot\rutserv.exe N/A
N/A N/A C:\Program Files\Catroot\rutserv.exe N/A
N/A N/A C:\Program Files\Catroot\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 612 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe C:\Windows\SysWOW64\WScript.exe
PID 612 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe C:\Windows\SysWOW64\WScript.exe
PID 612 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe C:\Windows\SysWOW64\WScript.exe
PID 612 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe C:\Windows\SysWOW64\WScript.exe
PID 612 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe C:\Windows\SysWOW64\WScript.exe
PID 612 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe C:\Windows\SysWOW64\WScript.exe
PID 612 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe C:\Windows\SysWOW64\WScript.exe
PID 656 wrote to memory of 560 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 560 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 560 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 560 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 560 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 560 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 560 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 1372 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 1372 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 1372 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 1372 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 1372 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 1372 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 1372 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 560 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 560 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 560 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 560 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 560 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 560 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 560 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1372 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1372 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1372 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1372 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1372 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1372 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1372 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 560 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 560 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 560 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 560 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 560 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 560 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 560 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1372 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1372 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1372 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1372 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1372 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1372 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1372 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 560 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 560 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 560 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 560 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 560 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 560 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 560 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 560 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe

"C:\Users\Admin\AppData\Local\Temp\5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Hex\install.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Hex\instal.bat" "

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Hex\install.bat" "

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im ROMServer.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im ROMFUSClient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\LiteManager" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "reg.reg"

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Program Files\Catroot\*.*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Program Files\Server\*.*"

C:\Program Files\Server\ROMServer.exe

ROMServer.exe /silentinstall

C:\Program Files\Catroot\rutserv.exe

rutserv.exe /silentinstall

C:\Program Files\Server\ROMServer.exe

ROMServer.exe /firewall

C:\Program Files\Server\ROMServer.exe

ROMServer.exe /start

C:\Program Files\Catroot\rutserv.exe

rutserv.exe /firewall

C:\Program Files\Server\ROMServer.exe

"C:\Program Files\Server\ROMServer.exe"

C:\Program Files\Catroot\rutserv.exe

rutserv.exe /start

C:\Program Files\Server\ROMFUSClient.exe

"C:\Program Files\Server\ROMFUSClient.exe"

C:\Program Files\Server\ROMFUSClient.exe

"C:\Program Files\Server\ROMFUSClient.exe" /tray

C:\Program Files\Catroot\rutserv.exe

"C:\Program Files\Catroot\rutserv.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Program Files\Catroot\rfusclient.exe

"C:\Program Files\Catroot\rfusclient.exe"

C:\Program Files\Catroot\rfusclient.exe

"C:\Program Files\Catroot\rfusclient.exe" /tray

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Program Files\Catroot\rfusclient.exe

"C:\Program Files\Catroot\rfusclient.exe" /tray

Network

Country  Destination           Domain                    Proto
RU       89.108.101.61:5651    N/A                       tcp
US       8.8.8.8:53            rms-server.tektonit.ru    udp
RU       95.213.205.83:5655    rms-server.tektonit.ru    tcp
RU       89.108.101.61:5651    N/A                       tcp
RU       89.108.101.61:5651    N/A                       tcp

Files

memory/612-53-0x0000000075891000-0x0000000075893000-memory.dmp

C:\Hex\install.vbs

MD5 6f0164098cf026677170879ca2ff7d91
SHA1 bad8cd5b8c3872dd8335409ca454e9bbb929f7bd
SHA256 3e36f240528fdd517c5c22fa54bf5a47b00ca9c7f2c8eedaf052eaf66b95fd41
SHA512 97c4c81602ba8d3b798fe1573e04f9eb738524aac4d480e0646317c5a6849b168646167454f321110c004fcad4cda7e91c3019dec20df4c0b97d0acf7758cb60

C:\Hex\instal.bat

MD5 dea82a13a724d1a117c5c41acb8f736e
SHA1 b3b04d8499c4e8993e6b810f6ef63d5b147a15ba
SHA256 62b04fc1c9a2b9b31e1146e7102f9c0b0233ef66d5ed0d62a36d23e17da29402
SHA512 222c3cc7154b0194360a3204ca9f7ed263390431f6f3842f777322b28d11be06d82a1e1036e4142b5e832722a0ce781d764570f49f76e637ae3e8aca2eb8ab7f

C:\Hex\install.bat

MD5 b6c6c41c8dbdb704efe47bad8332cf56
SHA1 36752de0da3b63ad62a6f9fcb035ca35db735abe
SHA256 d88b4adbec02925b8c039847e12b51e1ca74c76c4ef3ccd94440668f6bb76699
SHA512 a330a915973e8f73b1da4c7a91416324c337ccb4b40ed6276d8e45981b4a8c15c548fd8ac5c280739cb3b065b11e550c8e962f603c9b8948f42d1e2a2e53bb13

C:\Hex\regedit.reg

MD5 5d2461d46392e5c18130244374822692
SHA1 f9aadf7a382dc62f5cdcd7c787a9d007d01b602c
SHA256 57b05f04f6d51fbe03f720c298bcce35f5a85ca6a3a1fc1d3bd1d7de6462cc53
SHA512 f8f9281768824bdac309c5e27e0c6c925ccea74de5c02d5d77bf5a90aedbd2be4abe0bc98b72fafd81ba5de5e095dbadd1015a533f97d7ade0b0beb699052205

C:\Hex\reg.reg

MD5 71e6133acd9ece2d5930f0cf15b0488d
SHA1 1d622b711de489afc883e8de61be0c19eedd3b9a
SHA256 cd2369d823af6296c6a3ef02cffae7b0089cfdbd6f19c7ba1aaf3523f2f929a3
SHA512 3cdb85fd815de2e445c247bf9759bab264c0a09775434a1ea0d974755910baa392e82ae4341f32b6040d82ef0f0b68b4592ac0fb65f1f2aa1529bafa8a717632

C:\Hex\ROMFUSClient.exe

MD5 df1189957441951400c963c299ad11ee
SHA1 77fb93b8c85438c80a2e85be13df801f6c892582
SHA256 28ca6f4ddd31340f0c27318a04979e2381ed17847d50178b11422b3bdd4e3ff1
SHA512 b77cf84a4bf100790106e65efdfa0e76572f09224103a7fe544d5e36a7eb82f41b71369b485f2e3a0794280147824763b85d9aaf6cc7bf1d5af63a88bcd19746

C:\Hex\rfusclient.exe

MD5 e3c15e4d44c2b546d640b5808a9a2818
SHA1 090f6f75558614f19b970df39ebe1a87185f5a0c
SHA256 b6daf91fc45307fff001a61b9402ad19bd59dd72541427d39207991be6679219
SHA512 c5864116e95533d599ab8ee9a36b71ea38275fcc5e076489116cc1caea31fdd0c81cf2b5ea43e244ee38a92099e0388a042c7604f1deb2e4c6caf29a3314a494

C:\Hex\rutserv.exe

MD5 8f6e38cc55206473121c8bf63fcbcf2d
SHA1 35504ce4bc1cea9e737a3be108cd428ab2251e1d
SHA256 fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
SHA512 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

C:\Hex\ROMServer.exe

MD5 4558e3b033d5ec8044afbacc83850305
SHA1 5909fd587ab4498671f7bed6e511b57f84e62ab9
SHA256 176565369e5469297a1692bc30e3de02eabbe4d00bbf834440a2392da875b018
SHA512 a0c3479a7ddf0ce5d46bddbc166213fa9c244d654c49ec038518845f48f2b4bf61a3484c89bb86a1150cbde889986793e160aeef0cda32a48c986a5190657530

C:\Hex\vp8decoder.dll

MD5 d43fa82fab5337ce20ad14650085c5d9
SHA1 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256 c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

C:\Hex\vp8encoder.dll

MD5 dab4646806dfca6d0e0b4d80fa9209d6
SHA1 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256 cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512 aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

C:\Hex\AledensoftIpcServer.dll

MD5 425a2f519cf5d07f90519cc44c51f2c6
SHA1 04b2c252d961f5c05a8abf0df07d835bdc88f351
SHA256 d6af24a340fe1a0c6265399bfb2823ac01782e17fc0f966554e01b6a1110473f
SHA512 2dbb81ca3ef3a4c34b8b453eba23aa5d319105a264384e2a3cb9518065a4ae0cf4e5f55c4ccf94b0bff5908e804eb35eda6817141827536cbea530375363ac6b

C:\Hex\ROMServer.map

MD5 1bcca67dc14062e0f9d394447229ef6f
SHA1 28776d8ab4310e5cbd2ac433f4187704ba9a315e
SHA256 fdcea823f88b4b6e26d8fecb384fcc5a566ccb36896f0b4a2c89232cc67462fd
SHA512 42ebb5971974fdd3ae2c7d0184658895c46cf435ed88b71fb958950409f877025470b7722228527649901d1168fab0b7c05bbdc21709faa271d5df16c7e5ec35

C:\Hex\English.lg

MD5 d52e431f3c29affcc2bb3259e4c62f36
SHA1 9a5ff641a1530bd9984a23cb50a55177da2fe7ac
SHA256 675f9023d635afb509065c03d70a1a94dcdfabbd347c537ff12a89d22a00da8f
SHA512 a619a7b32c1553a2ef88c0c7336100dd1e37c594802642e6102617b570ad9ad52b57082699239f5d158e629146008a94725311510a1fe5acd89838c34d3b5da3

C:\Hex\Russian.lg

MD5 05e7f43b8137f98a3bf45cb27a7dc318
SHA1 35c83ec551c5bbef9c24034131ce8cf53a2e6284
SHA256 f93bbe59c419c408a39cf94d9de53cf4f6a27e12b818e3047e153ca810d2123c
SHA512 16f97d4e2023e40d222385868ef24cb7e557e7512803b34beaad2479d73cf00c2d4055fcd994a81b456d0eb0b60ff59f32c8463d607bcb487102f1503eb312a1

C:\Program Files\Catroot\rfusclient.exe

MD5 e3c15e4d44c2b546d640b5808a9a2818
SHA1 090f6f75558614f19b970df39ebe1a87185f5a0c
SHA256 b6daf91fc45307fff001a61b9402ad19bd59dd72541427d39207991be6679219
SHA512 c5864116e95533d599ab8ee9a36b71ea38275fcc5e076489116cc1caea31fdd0c81cf2b5ea43e244ee38a92099e0388a042c7604f1deb2e4c6caf29a3314a494

C:\Program Files\Server\ROMServer.map

MD5 1bcca67dc14062e0f9d394447229ef6f
SHA1 28776d8ab4310e5cbd2ac433f4187704ba9a315e
SHA256 fdcea823f88b4b6e26d8fecb384fcc5a566ccb36896f0b4a2c89232cc67462fd
SHA512 42ebb5971974fdd3ae2c7d0184658895c46cf435ed88b71fb958950409f877025470b7722228527649901d1168fab0b7c05bbdc21709faa271d5df16c7e5ec35

C:\Program Files\Server\Russian.lg

MD5 05e7f43b8137f98a3bf45cb27a7dc318
SHA1 35c83ec551c5bbef9c24034131ce8cf53a2e6284
SHA256 f93bbe59c419c408a39cf94d9de53cf4f6a27e12b818e3047e153ca810d2123c
SHA512 16f97d4e2023e40d222385868ef24cb7e557e7512803b34beaad2479d73cf00c2d4055fcd994a81b456d0eb0b60ff59f32c8463d607bcb487102f1503eb312a1

C:\Program Files\Server\ROMServer.exe

MD5 4558e3b033d5ec8044afbacc83850305
SHA1 5909fd587ab4498671f7bed6e511b57f84e62ab9
SHA256 176565369e5469297a1692bc30e3de02eabbe4d00bbf834440a2392da875b018
SHA512 a0c3479a7ddf0ce5d46bddbc166213fa9c244d654c49ec038518845f48f2b4bf61a3484c89bb86a1150cbde889986793e160aeef0cda32a48c986a5190657530

C:\Program Files\Server\ROMFUSClient.exe

MD5 df1189957441951400c963c299ad11ee
SHA1 77fb93b8c85438c80a2e85be13df801f6c892582
SHA256 28ca6f4ddd31340f0c27318a04979e2381ed17847d50178b11422b3bdd4e3ff1
SHA512 b77cf84a4bf100790106e65efdfa0e76572f09224103a7fe544d5e36a7eb82f41b71369b485f2e3a0794280147824763b85d9aaf6cc7bf1d5af63a88bcd19746

C:\Program Files\Catroot\vp8encoder.dll

MD5 dab4646806dfca6d0e0b4d80fa9209d6
SHA1 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256 cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512 aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

C:\Program Files\Server\English.lg

MD5 d52e431f3c29affcc2bb3259e4c62f36
SHA1 9a5ff641a1530bd9984a23cb50a55177da2fe7ac
SHA256 675f9023d635afb509065c03d70a1a94dcdfabbd347c537ff12a89d22a00da8f
SHA512 a619a7b32c1553a2ef88c0c7336100dd1e37c594802642e6102617b570ad9ad52b57082699239f5d158e629146008a94725311510a1fe5acd89838c34d3b5da3

C:\Program Files\Catroot\vp8decoder.dll

MD5 d43fa82fab5337ce20ad14650085c5d9
SHA1 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256 c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

C:\Program Files\Server\AledensoftIpcServer.dll

MD5 425a2f519cf5d07f90519cc44c51f2c6
SHA1 04b2c252d961f5c05a8abf0df07d835bdc88f351
SHA256 d6af24a340fe1a0c6265399bfb2823ac01782e17fc0f966554e01b6a1110473f
SHA512 2dbb81ca3ef3a4c34b8b453eba23aa5d319105a264384e2a3cb9518065a4ae0cf4e5f55c4ccf94b0bff5908e804eb35eda6817141827536cbea530375363ac6b

C:\Program Files\Catroot\rutserv.exe

MD5 8f6e38cc55206473121c8bf63fcbcf2d
SHA1 35504ce4bc1cea9e737a3be108cd428ab2251e1d
SHA256 fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
SHA512 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

\Program Files\Server\ROMServer.exe

MD5 4558e3b033d5ec8044afbacc83850305
SHA1 5909fd587ab4498671f7bed6e511b57f84e62ab9
SHA256 176565369e5469297a1692bc30e3de02eabbe4d00bbf834440a2392da875b018
SHA512 a0c3479a7ddf0ce5d46bddbc166213fa9c244d654c49ec038518845f48f2b4bf61a3484c89bb86a1150cbde889986793e160aeef0cda32a48c986a5190657530

C:\Program Files\Server\ROMServer.exe

MD5 4558e3b033d5ec8044afbacc83850305
SHA1 5909fd587ab4498671f7bed6e511b57f84e62ab9
SHA256 176565369e5469297a1692bc30e3de02eabbe4d00bbf834440a2392da875b018
SHA512 a0c3479a7ddf0ce5d46bddbc166213fa9c244d654c49ec038518845f48f2b4bf61a3484c89bb86a1150cbde889986793e160aeef0cda32a48c986a5190657530

\Program Files\Catroot\rutserv.exe

MD5 8f6e38cc55206473121c8bf63fcbcf2d
SHA1 35504ce4bc1cea9e737a3be108cd428ab2251e1d
SHA256 fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
SHA512 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

C:\Program Files\Catroot\rutserv.exe

MD5 8f6e38cc55206473121c8bf63fcbcf2d
SHA1 35504ce4bc1cea9e737a3be108cd428ab2251e1d
SHA256 fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
SHA512 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

memory/1848-102-0x0000000000270000-0x0000000000271000-memory.dmp

\Program Files\Server\ROMServer.exe

MD5 4558e3b033d5ec8044afbacc83850305
SHA1 5909fd587ab4498671f7bed6e511b57f84e62ab9
SHA256 176565369e5469297a1692bc30e3de02eabbe4d00bbf834440a2392da875b018
SHA512 a0c3479a7ddf0ce5d46bddbc166213fa9c244d654c49ec038518845f48f2b4bf61a3484c89bb86a1150cbde889986793e160aeef0cda32a48c986a5190657530

C:\Program Files\Server\ROMServer.exe

MD5 4558e3b033d5ec8044afbacc83850305
SHA1 5909fd587ab4498671f7bed6e511b57f84e62ab9
SHA256 176565369e5469297a1692bc30e3de02eabbe4d00bbf834440a2392da875b018
SHA512 a0c3479a7ddf0ce5d46bddbc166213fa9c244d654c49ec038518845f48f2b4bf61a3484c89bb86a1150cbde889986793e160aeef0cda32a48c986a5190657530

memory/1724-106-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/1488-107-0x0000000000270000-0x0000000000271000-memory.dmp

C:\Program Files\Server\ROMServer.exe

MD5 4558e3b033d5ec8044afbacc83850305
SHA1 5909fd587ab4498671f7bed6e511b57f84e62ab9
SHA256 176565369e5469297a1692bc30e3de02eabbe4d00bbf834440a2392da875b018
SHA512 a0c3479a7ddf0ce5d46bddbc166213fa9c244d654c49ec038518845f48f2b4bf61a3484c89bb86a1150cbde889986793e160aeef0cda32a48c986a5190657530

\Program Files\Server\ROMServer.exe

MD5 4558e3b033d5ec8044afbacc83850305
SHA1 5909fd587ab4498671f7bed6e511b57f84e62ab9
SHA256 176565369e5469297a1692bc30e3de02eabbe4d00bbf834440a2392da875b018
SHA512 a0c3479a7ddf0ce5d46bddbc166213fa9c244d654c49ec038518845f48f2b4bf61a3484c89bb86a1150cbde889986793e160aeef0cda32a48c986a5190657530

C:\Program Files\Catroot\rutserv.exe

MD5 8f6e38cc55206473121c8bf63fcbcf2d
SHA1 35504ce4bc1cea9e737a3be108cd428ab2251e1d
SHA256 fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
SHA512 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

\Program Files\Catroot\rutserv.exe

MD5 8f6e38cc55206473121c8bf63fcbcf2d
SHA1 35504ce4bc1cea9e737a3be108cd428ab2251e1d
SHA256 fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
SHA512 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

memory/672-114-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/860-115-0x0000000000280000-0x0000000000281000-memory.dmp

C:\Program Files\Server\ROMServer.exe

MD5 4558e3b033d5ec8044afbacc83850305
SHA1 5909fd587ab4498671f7bed6e511b57f84e62ab9
SHA256 176565369e5469297a1692bc30e3de02eabbe4d00bbf834440a2392da875b018
SHA512 a0c3479a7ddf0ce5d46bddbc166213fa9c244d654c49ec038518845f48f2b4bf61a3484c89bb86a1150cbde889986793e160aeef0cda32a48c986a5190657530

\Program Files\Catroot\rutserv.exe

MD5 8f6e38cc55206473121c8bf63fcbcf2d
SHA1 35504ce4bc1cea9e737a3be108cd428ab2251e1d
SHA256 fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
SHA512 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

C:\Program Files\Catroot\rutserv.exe

MD5 8f6e38cc55206473121c8bf63fcbcf2d
SHA1 35504ce4bc1cea9e737a3be108cd428ab2251e1d
SHA256 fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
SHA512 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

memory/1852-121-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1700-122-0x0000000000240000-0x0000000000241000-memory.dmp

\Program Files\Server\ROMFUSClient.exe

MD5 df1189957441951400c963c299ad11ee
SHA1 77fb93b8c85438c80a2e85be13df801f6c892582
SHA256 28ca6f4ddd31340f0c27318a04979e2381ed17847d50178b11422b3bdd4e3ff1
SHA512 b77cf84a4bf100790106e65efdfa0e76572f09224103a7fe544d5e36a7eb82f41b71369b485f2e3a0794280147824763b85d9aaf6cc7bf1d5af63a88bcd19746

C:\Program Files\Server\ROMFUSClient.exe

MD5 df1189957441951400c963c299ad11ee
SHA1 77fb93b8c85438c80a2e85be13df801f6c892582
SHA256 28ca6f4ddd31340f0c27318a04979e2381ed17847d50178b11422b3bdd4e3ff1
SHA512 b77cf84a4bf100790106e65efdfa0e76572f09224103a7fe544d5e36a7eb82f41b71369b485f2e3a0794280147824763b85d9aaf6cc7bf1d5af63a88bcd19746

\Program Files\Server\ROMFUSClient.exe

MD5 df1189957441951400c963c299ad11ee
SHA1 77fb93b8c85438c80a2e85be13df801f6c892582
SHA256 28ca6f4ddd31340f0c27318a04979e2381ed17847d50178b11422b3bdd4e3ff1
SHA512 b77cf84a4bf100790106e65efdfa0e76572f09224103a7fe544d5e36a7eb82f41b71369b485f2e3a0794280147824763b85d9aaf6cc7bf1d5af63a88bcd19746

C:\Program Files\Server\ROMFUSClient.exe

MD5 df1189957441951400c963c299ad11ee
SHA1 77fb93b8c85438c80a2e85be13df801f6c892582
SHA256 28ca6f4ddd31340f0c27318a04979e2381ed17847d50178b11422b3bdd4e3ff1
SHA512 b77cf84a4bf100790106e65efdfa0e76572f09224103a7fe544d5e36a7eb82f41b71369b485f2e3a0794280147824763b85d9aaf6cc7bf1d5af63a88bcd19746

C:\Program Files\Catroot\rutserv.exe

MD5 8f6e38cc55206473121c8bf63fcbcf2d
SHA1 35504ce4bc1cea9e737a3be108cd428ab2251e1d
SHA256 fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
SHA512 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

memory/1800-132-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/1604-134-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/1692-133-0x0000000000260000-0x0000000000261000-memory.dmp

\Program Files\Catroot\rfusclient.exe

MD5 e3c15e4d44c2b546d640b5808a9a2818
SHA1 090f6f75558614f19b970df39ebe1a87185f5a0c
SHA256 b6daf91fc45307fff001a61b9402ad19bd59dd72541427d39207991be6679219
SHA512 c5864116e95533d599ab8ee9a36b71ea38275fcc5e076489116cc1caea31fdd0c81cf2b5ea43e244ee38a92099e0388a042c7604f1deb2e4c6caf29a3314a494

C:\Program Files\Catroot\rfusclient.exe

MD5 e3c15e4d44c2b546d640b5808a9a2818
SHA1 090f6f75558614f19b970df39ebe1a87185f5a0c
SHA256 b6daf91fc45307fff001a61b9402ad19bd59dd72541427d39207991be6679219
SHA512 c5864116e95533d599ab8ee9a36b71ea38275fcc5e076489116cc1caea31fdd0c81cf2b5ea43e244ee38a92099e0388a042c7604f1deb2e4c6caf29a3314a494

memory/1252-142-0x0000000000230000-0x0000000000231000-memory.dmp

memory/968-143-0x0000000000230000-0x0000000000231000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-13 13:43

Reported

2022-02-13 13:46

Platform

win10v2004-en-20220112

Max time kernel

164s

Max time network

173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe"

Signatures

RMS

trojan rat rms

Sets file to hidden

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Catroot\rfusclient.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files\Catroot\rfusclient.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files\Catroot\rutserv.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Catroot\vp8decoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files\Server\ROMServer.map C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files\Server\Russian.lg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Server\ROMServer.map C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\Server\ROMServer.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\Catroot\rutserv.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files\Server\ROMServer.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Catroot\rutserv.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files\Server\AledensoftIpcServer.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Server\Russian.lg C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files\Server\English.lg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Server\English.lg C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\Catroot\vp8encoder.dll C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\Catroot\rfusclient.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files\Catroot\Logs\rms_log_2022-02.html C:\Program Files\Catroot\rutserv.exe N/A
File opened for modification C:\Program Files\Catroot\Logs\rms_log_2022-02.html C:\Program Files\Catroot\rutserv.exe N/A
File created C:\Program Files\Catroot\vp8decoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Server\ROMServer.map C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files\Catroot\vp8encoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Catroot\vp8encoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Server\ROMFUSClient.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files\Server\ROMFUSClient.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Server\English.lg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Server\AledensoftIpcServer.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Catroot\vp8decoder.dll C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\Server\ROMFUSClient.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Server\AledensoftIpcServer.dll C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\Server\Russian.lg C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\Server\ROMServer.exe C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File opened for modification C:\Windows\WinSxS\pending.xml C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\MusNotifyIcon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\MusNotifyIcon.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "6.521362" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "8.334818" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4288" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4064" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "4.069775" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3928" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132894098780556298" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" C:\Windows\System32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Program Files\Catroot\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Server\ROMServer.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Catroot\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Server\ROMServer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Catroot\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Catroot\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files\Catroot\rutserv.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Catroot\rutserv.exe N/A
N/A N/A C:\Program Files\Catroot\rutserv.exe N/A
N/A N/A C:\Program Files\Catroot\rutserv.exe N/A
N/A N/A C:\Program Files\Catroot\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2728 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe C:\Windows\SysWOW64\WScript.exe
PID 2728 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe C:\Windows\SysWOW64\WScript.exe
PID 2728 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe C:\Windows\SysWOW64\WScript.exe
PID 2752 wrote to memory of 4016 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 4016 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 4016 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1180 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1180 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1180 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 3500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1180 wrote to memory of 3500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1180 wrote to memory of 3500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4016 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4016 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4016 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4016 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4016 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1180 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4016 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1180 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1180 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1180 wrote to memory of 636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1180 wrote to memory of 636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1180 wrote to memory of 636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4016 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4016 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4016 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4016 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4016 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4016 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1180 wrote to memory of 3224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1180 wrote to memory of 3224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1180 wrote to memory of 3224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1180 wrote to memory of 1604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1180 wrote to memory of 1604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1180 wrote to memory of 1604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4016 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4016 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4016 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4016 wrote to memory of 3392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4016 wrote to memory of 3392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4016 wrote to memory of 3392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1180 wrote to memory of 3468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1180 wrote to memory of 3468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1180 wrote to memory of 3468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4016 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4016 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4016 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1180 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1180 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1180 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1180 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Catroot\rutserv.exe
PID 1180 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Catroot\rutserv.exe
PID 1180 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Catroot\rutserv.exe
PID 4016 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Server\ROMServer.exe
PID 4016 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Server\ROMServer.exe
PID 4016 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Server\ROMServer.exe
PID 4016 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Server\ROMServer.exe
PID 4016 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Server\ROMServer.exe
PID 4016 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Server\ROMServer.exe
PID 1180 wrote to memory of 3656 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Catroot\rutserv.exe
PID 1180 wrote to memory of 3656 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Catroot\rutserv.exe
PID 1180 wrote to memory of 3656 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Catroot\rutserv.exe
PID 4016 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Server\ROMServer.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe

"C:\Users\Admin\AppData\Local\Temp\5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Hex\install.vbs"

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Hex\instal.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Hex\install.bat" "

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im ROMServer.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im ROMFUSClient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\LiteManager" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "reg.reg"

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Program Files\Server\*.*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Program Files\Catroot\*.*"

C:\Program Files\Catroot\rutserv.exe

rutserv.exe /silentinstall

C:\Program Files\Server\ROMServer.exe

ROMServer.exe /silentinstall

C:\Program Files\Server\ROMServer.exe

ROMServer.exe /firewall

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Program Files\Catroot\rutserv.exe

rutserv.exe /firewall

C:\Program Files\Server\ROMServer.exe

ROMServer.exe /start

C:\Program Files\Catroot\rutserv.exe

rutserv.exe /start

C:\Program Files\Server\ROMServer.exe

"C:\Program Files\Server\ROMServer.exe"

C:\Program Files\Catroot\rutserv.exe

"C:\Program Files\Catroot\rutserv.exe"

C:\Program Files\Server\ROMFUSClient.exe

"C:\Program Files\Server\ROMFUSClient.exe"

C:\Program Files\Catroot\rfusclient.exe

"C:\Program Files\Catroot\rfusclient.exe"

C:\Program Files\Catroot\rfusclient.exe

"C:\Program Files\Catroot\rfusclient.exe" /tray

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Program Files\Server\ROMFUSClient.exe

"C:\Program Files\Server\ROMFUSClient.exe" /tray

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Program Files\Catroot\rfusclient.exe

"C:\Program Files\Catroot\rfusclient.exe" /tray

Network

Country Destination Domain Proto
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
IE 51.104.167.186:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 cp801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
RU 89.108.101.61:5651 N/A tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
RU 89.108.101.61:5651 N/A tcp

Files

C:\Hex\install.vbs

MD5 6f0164098cf026677170879ca2ff7d91
SHA1 bad8cd5b8c3872dd8335409ca454e9bbb929f7bd
SHA256 3e36f240528fdd517c5c22fa54bf5a47b00ca9c7f2c8eedaf052eaf66b95fd41
SHA512 97c4c81602ba8d3b798fe1573e04f9eb738524aac4d480e0646317c5a6849b168646167454f321110c004fcad4cda7e91c3019dec20df4c0b97d0acf7758cb60

C:\Hex\instal.bat

MD5 dea82a13a724d1a117c5c41acb8f736e
SHA1 b3b04d8499c4e8993e6b810f6ef63d5b147a15ba
SHA256 62b04fc1c9a2b9b31e1146e7102f9c0b0233ef66d5ed0d62a36d23e17da29402
SHA512 222c3cc7154b0194360a3204ca9f7ed263390431f6f3842f777322b28d11be06d82a1e1036e4142b5e832722a0ce781d764570f49f76e637ae3e8aca2eb8ab7f

C:\Hex\install.bat

MD5 b6c6c41c8dbdb704efe47bad8332cf56
SHA1 36752de0da3b63ad62a6f9fcb035ca35db735abe
SHA256 d88b4adbec02925b8c039847e12b51e1ca74c76c4ef3ccd94440668f6bb76699
SHA512 a330a915973e8f73b1da4c7a91416324c337ccb4b40ed6276d8e45981b4a8c15c548fd8ac5c280739cb3b065b11e550c8e962f603c9b8948f42d1e2a2e53bb13

C:\Hex\regedit.reg

MD5 5d2461d46392e5c18130244374822692
SHA1 f9aadf7a382dc62f5cdcd7c787a9d007d01b602c
SHA256 57b05f04f6d51fbe03f720c298bcce35f5a85ca6a3a1fc1d3bd1d7de6462cc53
SHA512 f8f9281768824bdac309c5e27e0c6c925ccea74de5c02d5d77bf5a90aedbd2be4abe0bc98b72fafd81ba5de5e095dbadd1015a533f97d7ade0b0beb699052205

C:\Hex\reg.reg

MD5 71e6133acd9ece2d5930f0cf15b0488d
SHA1 1d622b711de489afc883e8de61be0c19eedd3b9a
SHA256 cd2369d823af6296c6a3ef02cffae7b0089cfdbd6f19c7ba1aaf3523f2f929a3
SHA512 3cdb85fd815de2e445c247bf9759bab264c0a09775434a1ea0d974755910baa392e82ae4341f32b6040d82ef0f0b68b4592ac0fb65f1f2aa1529bafa8a717632

C:\Hex\ROMFUSClient.exe

MD5 df1189957441951400c963c299ad11ee
SHA1 77fb93b8c85438c80a2e85be13df801f6c892582
SHA256 28ca6f4ddd31340f0c27318a04979e2381ed17847d50178b11422b3bdd4e3ff1
SHA512 b77cf84a4bf100790106e65efdfa0e76572f09224103a7fe544d5e36a7eb82f41b71369b485f2e3a0794280147824763b85d9aaf6cc7bf1d5af63a88bcd19746

C:\Hex\rfusclient.exe

MD5 e3c15e4d44c2b546d640b5808a9a2818
SHA1 090f6f75558614f19b970df39ebe1a87185f5a0c
SHA256 b6daf91fc45307fff001a61b9402ad19bd59dd72541427d39207991be6679219
SHA512 c5864116e95533d599ab8ee9a36b71ea38275fcc5e076489116cc1caea31fdd0c81cf2b5ea43e244ee38a92099e0388a042c7604f1deb2e4c6caf29a3314a494

C:\Hex\ROMServer.exe

MD5 4558e3b033d5ec8044afbacc83850305
SHA1 5909fd587ab4498671f7bed6e511b57f84e62ab9
SHA256 176565369e5469297a1692bc30e3de02eabbe4d00bbf834440a2392da875b018
SHA512 a0c3479a7ddf0ce5d46bddbc166213fa9c244d654c49ec038518845f48f2b4bf61a3484c89bb86a1150cbde889986793e160aeef0cda32a48c986a5190657530

C:\Hex\AledensoftIpcServer.dll

MD5 425a2f519cf5d07f90519cc44c51f2c6
SHA1 04b2c252d961f5c05a8abf0df07d835bdc88f351
SHA256 d6af24a340fe1a0c6265399bfb2823ac01782e17fc0f966554e01b6a1110473f
SHA512 2dbb81ca3ef3a4c34b8b453eba23aa5d319105a264384e2a3cb9518065a4ae0cf4e5f55c4ccf94b0bff5908e804eb35eda6817141827536cbea530375363ac6b

C:\Hex\rutserv.exe

MD5 8f6e38cc55206473121c8bf63fcbcf2d
SHA1 35504ce4bc1cea9e737a3be108cd428ab2251e1d
SHA256 fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
SHA512 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

C:\Hex\vp8decoder.dll

MD5 d43fa82fab5337ce20ad14650085c5d9
SHA1 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256 c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

C:\Hex\ROMServer.map

MD5 1bcca67dc14062e0f9d394447229ef6f
SHA1 28776d8ab4310e5cbd2ac433f4187704ba9a315e
SHA256 fdcea823f88b4b6e26d8fecb384fcc5a566ccb36896f0b4a2c89232cc67462fd
SHA512 42ebb5971974fdd3ae2c7d0184658895c46cf435ed88b71fb958950409f877025470b7722228527649901d1168fab0b7c05bbdc21709faa271d5df16c7e5ec35

C:\Hex\vp8encoder.dll

MD5 dab4646806dfca6d0e0b4d80fa9209d6
SHA1 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256 cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512 aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

C:\Hex\Russian.lg

MD5 05e7f43b8137f98a3bf45cb27a7dc318
SHA1 35c83ec551c5bbef9c24034131ce8cf53a2e6284
SHA256 f93bbe59c419c408a39cf94d9de53cf4f6a27e12b818e3047e153ca810d2123c
SHA512 16f97d4e2023e40d222385868ef24cb7e557e7512803b34beaad2479d73cf00c2d4055fcd994a81b456d0eb0b60ff59f32c8463d607bcb487102f1503eb312a1

C:\Hex\English.lg

MD5 d52e431f3c29affcc2bb3259e4c62f36
SHA1 9a5ff641a1530bd9984a23cb50a55177da2fe7ac
SHA256 675f9023d635afb509065c03d70a1a94dcdfabbd347c537ff12a89d22a00da8f
SHA512 a619a7b32c1553a2ef88c0c7336100dd1e37c594802642e6102617b570ad9ad52b57082699239f5d158e629146008a94725311510a1fe5acd89838c34d3b5da3

C:\Program Files\Catroot\vp8encoder.dll

MD5 dab4646806dfca6d0e0b4d80fa9209d6
SHA1 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256 cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512 aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

C:\Program Files\Catroot\vp8decoder.dll

MD5 d43fa82fab5337ce20ad14650085c5d9
SHA1 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256 c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

C:\Program Files\Catroot\rutserv.exe

MD5 8f6e38cc55206473121c8bf63fcbcf2d
SHA1 35504ce4bc1cea9e737a3be108cd428ab2251e1d
SHA256 fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
SHA512 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

C:\Program Files\Catroot\rfusclient.exe

MD5 e3c15e4d44c2b546d640b5808a9a2818
SHA1 090f6f75558614f19b970df39ebe1a87185f5a0c
SHA256 b6daf91fc45307fff001a61b9402ad19bd59dd72541427d39207991be6679219
SHA512 c5864116e95533d599ab8ee9a36b71ea38275fcc5e076489116cc1caea31fdd0c81cf2b5ea43e244ee38a92099e0388a042c7604f1deb2e4c6caf29a3314a494

C:\Program Files\Server\Russian.lg

MD5 05e7f43b8137f98a3bf45cb27a7dc318
SHA1 35c83ec551c5bbef9c24034131ce8cf53a2e6284
SHA256 f93bbe59c419c408a39cf94d9de53cf4f6a27e12b818e3047e153ca810d2123c
SHA512 16f97d4e2023e40d222385868ef24cb7e557e7512803b34beaad2479d73cf00c2d4055fcd994a81b456d0eb0b60ff59f32c8463d607bcb487102f1503eb312a1

C:\Program Files\Server\ROMServer.map

MD5 1bcca67dc14062e0f9d394447229ef6f
SHA1 28776d8ab4310e5cbd2ac433f4187704ba9a315e
SHA256 fdcea823f88b4b6e26d8fecb384fcc5a566ccb36896f0b4a2c89232cc67462fd
SHA512 42ebb5971974fdd3ae2c7d0184658895c46cf435ed88b71fb958950409f877025470b7722228527649901d1168fab0b7c05bbdc21709faa271d5df16c7e5ec35

C:\Program Files\Server\ROMServer.exe

MD5 4558e3b033d5ec8044afbacc83850305
SHA1 5909fd587ab4498671f7bed6e511b57f84e62ab9
SHA256 176565369e5469297a1692bc30e3de02eabbe4d00bbf834440a2392da875b018
SHA512 a0c3479a7ddf0ce5d46bddbc166213fa9c244d654c49ec038518845f48f2b4bf61a3484c89bb86a1150cbde889986793e160aeef0cda32a48c986a5190657530

C:\Program Files\Server\ROMFUSClient.exe

MD5 df1189957441951400c963c299ad11ee
SHA1 77fb93b8c85438c80a2e85be13df801f6c892582
SHA256 28ca6f4ddd31340f0c27318a04979e2381ed17847d50178b11422b3bdd4e3ff1
SHA512 b77cf84a4bf100790106e65efdfa0e76572f09224103a7fe544d5e36a7eb82f41b71369b485f2e3a0794280147824763b85d9aaf6cc7bf1d5af63a88bcd19746

C:\Program Files\Server\English.lg

MD5 d52e431f3c29affcc2bb3259e4c62f36
SHA1 9a5ff641a1530bd9984a23cb50a55177da2fe7ac
SHA256 675f9023d635afb509065c03d70a1a94dcdfabbd347c537ff12a89d22a00da8f
SHA512 a619a7b32c1553a2ef88c0c7336100dd1e37c594802642e6102617b570ad9ad52b57082699239f5d158e629146008a94725311510a1fe5acd89838c34d3b5da3

C:\Program Files\Server\AledensoftIpcServer.dll

MD5 425a2f519cf5d07f90519cc44c51f2c6
SHA1 04b2c252d961f5c05a8abf0df07d835bdc88f351
SHA256 d6af24a340fe1a0c6265399bfb2823ac01782e17fc0f966554e01b6a1110473f
SHA512 2dbb81ca3ef3a4c34b8b453eba23aa5d319105a264384e2a3cb9518065a4ae0cf4e5f55c4ccf94b0bff5908e804eb35eda6817141827536cbea530375363ac6b

C:\Program Files\Catroot\rutserv.exe

MD5 8f6e38cc55206473121c8bf63fcbcf2d
SHA1 35504ce4bc1cea9e737a3be108cd428ab2251e1d
SHA256 fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
SHA512 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

C:\Program Files\Server\ROMServer.exe

MD5 4558e3b033d5ec8044afbacc83850305
SHA1 5909fd587ab4498671f7bed6e511b57f84e62ab9
SHA256 176565369e5469297a1692bc30e3de02eabbe4d00bbf834440a2392da875b018
SHA512 a0c3479a7ddf0ce5d46bddbc166213fa9c244d654c49ec038518845f48f2b4bf61a3484c89bb86a1150cbde889986793e160aeef0cda32a48c986a5190657530

C:\Program Files\Server\ROMServer.exe

MD5 4558e3b033d5ec8044afbacc83850305
SHA1 5909fd587ab4498671f7bed6e511b57f84e62ab9
SHA256 176565369e5469297a1692bc30e3de02eabbe4d00bbf834440a2392da875b018
SHA512 a0c3479a7ddf0ce5d46bddbc166213fa9c244d654c49ec038518845f48f2b4bf61a3484c89bb86a1150cbde889986793e160aeef0cda32a48c986a5190657530

memory/2280-158-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

memory/2852-159-0x0000000002690000-0x0000000002691000-memory.dmp

C:\Program Files\Catroot\rutserv.exe

MD5 8f6e38cc55206473121c8bf63fcbcf2d
SHA1 35504ce4bc1cea9e737a3be108cd428ab2251e1d
SHA256 fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
SHA512 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

memory/3656-161-0x0000000000C70000-0x0000000000C71000-memory.dmp

C:\Program Files\Server\ROMServer.exe

MD5 4558e3b033d5ec8044afbacc83850305
SHA1 5909fd587ab4498671f7bed6e511b57f84e62ab9
SHA256 176565369e5469297a1692bc30e3de02eabbe4d00bbf834440a2392da875b018
SHA512 a0c3479a7ddf0ce5d46bddbc166213fa9c244d654c49ec038518845f48f2b4bf61a3484c89bb86a1150cbde889986793e160aeef0cda32a48c986a5190657530

C:\Program Files\Catroot\rutserv.exe

MD5 8f6e38cc55206473121c8bf63fcbcf2d
SHA1 35504ce4bc1cea9e737a3be108cd428ab2251e1d
SHA256 fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
SHA512 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

C:\Program Files\Server\ROMServer.exe

MD5 4558e3b033d5ec8044afbacc83850305
SHA1 5909fd587ab4498671f7bed6e511b57f84e62ab9
SHA256 176565369e5469297a1692bc30e3de02eabbe4d00bbf834440a2392da875b018
SHA512 a0c3479a7ddf0ce5d46bddbc166213fa9c244d654c49ec038518845f48f2b4bf61a3484c89bb86a1150cbde889986793e160aeef0cda32a48c986a5190657530

C:\Program Files\Catroot\rutserv.exe

MD5 8f6e38cc55206473121c8bf63fcbcf2d
SHA1 35504ce4bc1cea9e737a3be108cd428ab2251e1d
SHA256 fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
SHA512 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

memory/2772-166-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

memory/1520-167-0x0000000002610000-0x0000000002611000-memory.dmp

memory/3188-168-0x00000000011E0000-0x00000000011E1000-memory.dmp

memory/2268-169-0x0000000001500000-0x0000000001501000-memory.dmp

C:\Program Files\Server\ROMFUSClient.exe

MD5 df1189957441951400c963c299ad11ee
SHA1 77fb93b8c85438c80a2e85be13df801f6c892582
SHA256 28ca6f4ddd31340f0c27318a04979e2381ed17847d50178b11422b3bdd4e3ff1
SHA512 b77cf84a4bf100790106e65efdfa0e76572f09224103a7fe544d5e36a7eb82f41b71369b485f2e3a0794280147824763b85d9aaf6cc7bf1d5af63a88bcd19746

C:\Program Files\Catroot\rfusclient.exe

MD5 e3c15e4d44c2b546d640b5808a9a2818
SHA1 090f6f75558614f19b970df39ebe1a87185f5a0c
SHA256 b6daf91fc45307fff001a61b9402ad19bd59dd72541427d39207991be6679219
SHA512 c5864116e95533d599ab8ee9a36b71ea38275fcc5e076489116cc1caea31fdd0c81cf2b5ea43e244ee38a92099e0388a042c7604f1deb2e4c6caf29a3314a494

C:\Program Files\Catroot\rfusclient.exe

MD5 e3c15e4d44c2b546d640b5808a9a2818
SHA1 090f6f75558614f19b970df39ebe1a87185f5a0c
SHA256 b6daf91fc45307fff001a61b9402ad19bd59dd72541427d39207991be6679219
SHA512 c5864116e95533d599ab8ee9a36b71ea38275fcc5e076489116cc1caea31fdd0c81cf2b5ea43e244ee38a92099e0388a042c7604f1deb2e4c6caf29a3314a494

C:\Program Files\Server\ROMFUSClient.exe

MD5 df1189957441951400c963c299ad11ee
SHA1 77fb93b8c85438c80a2e85be13df801f6c892582
SHA256 28ca6f4ddd31340f0c27318a04979e2381ed17847d50178b11422b3bdd4e3ff1
SHA512 b77cf84a4bf100790106e65efdfa0e76572f09224103a7fe544d5e36a7eb82f41b71369b485f2e3a0794280147824763b85d9aaf6cc7bf1d5af63a88bcd19746

memory/3212-174-0x0000000002520000-0x0000000002521000-memory.dmp

memory/3852-175-0x0000000000990000-0x0000000000991000-memory.dmp

memory/3300-176-0x0000000002740000-0x0000000002741000-memory.dmp

memory/3224-177-0x0000000002600000-0x0000000002601000-memory.dmp

C:\Program Files\Catroot\rfusclient.exe

MD5 e3c15e4d44c2b546d640b5808a9a2818
SHA1 090f6f75558614f19b970df39ebe1a87185f5a0c
SHA256 b6daf91fc45307fff001a61b9402ad19bd59dd72541427d39207991be6679219
SHA512 c5864116e95533d599ab8ee9a36b71ea38275fcc5e076489116cc1caea31fdd0c81cf2b5ea43e244ee38a92099e0388a042c7604f1deb2e4c6caf29a3314a494

memory/2224-179-0x0000000002840000-0x0000000002841000-memory.dmp