Malware Analysis Report

2024-11-15 08:39

Sample ID: 220415-h2lfmabbek
Target: 93e50513752ec7431a1e1a5a50fbaf66d1dabebb00753fb40c5ea3cb74f797ca
SHA256: 93e50513752ec7431a1e1a5a50fbaf66d1dabebb00753fb40c5ea3cb74f797ca
Tags: rms rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 93e50513752ec7431a1e1a5a50fbaf66d1dabebb00753fb40c5ea3cb74f797ca

Threat Level: Known bad

The file 93e50513752ec7431a1e1a5a50fbaf66d1dabebb00753fb40c5ea3cb74f797ca was found to be: Known bad.

Malicious Activity Summary

rms rat trojan

RMS

Suspicious use of NtCreateUserProcessOtherParentProcess

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-04-15 07:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-04-15 07:13
Reported: 2022-04-15 09:49
Platform: win7-20220414-en
Max time kernel: 152s
Max time network: 46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93e50513752ec7431a1e1a5a50fbaf66d1dabebb00753fb40c5ea3cb74f797ca.exe"

Signatures

RMS

trojan rat rms

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rfusclient.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rfusclient.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe | N/A | 1
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe | N/A | 1
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe | N/A | 2

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1556 wrote to memory of 1048 | N/A | C:\Users\Admin\AppData\Local\Temp\93e50513752ec7431a1e1a5a50fbaf66d1dabebb00753fb40c5ea3cb74f797ca.exe | C:\Windows\SysWOW64\cmd.exe | 7
PID 1048 wrote to memory of 1140 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | 4
PID 1140 wrote to memory of 872 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rfusclient.exe | 4
PID 872 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rfusclient.exe | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe | 4
PID 1068 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rfusclient.exe | 4

Processes

C:\Users\Admin\AppData\Local\Temp\93e50513752ec7431a1e1a5a50fbaf66d1dabebb00753fb40c5ea3cb74f797ca.exe

"C:\Users\Admin\AppData\Local\Temp\93e50513752ec7431a1e1a5a50fbaf66d1dabebb00753fb40c5ea3cb74f797ca.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

rfusclient.exe -deploy

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rfusclient.exe

"C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rfusclient.exe" -run_agent

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe

"C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe"

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe -second

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rfusclient.exe

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rfusclient.exe /tray /user

Network

N/A

Files

Memory dumps:
memory/1556-54-0x00000000761F1000-0x00000000761F3000-memory.dmp
memory/1048-55-0x0000000000000000-mapping.dmp
memory/1140-59-0x0000000000000000-mapping.dmp
memory/872-97-0x0000000000000000-mapping.dmp
memory/1792-104-0x0000000000000000-mapping.dmp
memory/1760-110-0x0000000000000000-mapping.dmp

Dropped files in C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ (the 7-Zip SFX extraction directory; per-file hashes omitted):
install.cmd
rfusclient.exe
rutserv.exe
RIPCServer.dll
RWLN.dll
vp8encoder.dll
vp8decoder.dll
webmvorbisencoder.dll
webmvorbisdecoder.dll
webmmux.dll
settings.dat
config.txt
branding.ini
logo.png
EULA.rtf
Arabic.lg
Chinese Simplified.lg
Chinese Traditional.lg
Czech.lg
Danish.lg
Dutch.lg
English.lg
French.lg
German.lg
Hebrew.lg
Italian.lg
Japanese.lg
Korean.lg
Norwegian.lg
Polish.lg
Portuguese.lg
Portuguese, Brazilian.lg
Spanish.lg
Swedish.lg
Turkish.lg

Installed copies in C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\ (same hashes as the copies in 7ZipSfx.000):
rfusclient.exe
rutserv.exe

Analysis: behavioral2

Detonation Overview

Submitted: 2022-04-15 07:13
Reported: 2022-04-15 09:49
Platform: win10v2004-20220414-en
Max time kernel: 147s
Max time network: 94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93e50513752ec7431a1e1a5a50fbaf66d1dabebb00753fb40c5ea3cb74f797ca.exe"

Signatures

RMS

trojan rat rms

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 4924 created 1668 | N/A | C:\Windows\system32\svchost.exe | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\93e50513752ec7431a1e1a5a50fbaf66d1dabebb00753fb40c5ea3cb74f797ca.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rfusclient.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rfusclient.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe | N/A | 1
Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A | 2
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe | N/A | 1
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe | N/A | 2

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 5008 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\93e50513752ec7431a1e1a5a50fbaf66d1dabebb00753fb40c5ea3cb74f797ca.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 4796 wrote to memory of 932 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | 3
PID 932 wrote to memory of 4352 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rfusclient.exe | 3
PID 4352 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rfusclient.exe | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe | 3
PID 4924 wrote to memory of 4676 | N/A | C:\Windows\system32\svchost.exe | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe | 3
PID 4676 wrote to memory of 4368 | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rfusclient.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\93e50513752ec7431a1e1a5a50fbaf66d1dabebb00753fb40c5ea3cb74f797ca.exe

"C:\Users\Admin\AppData\Local\Temp\93e50513752ec7431a1e1a5a50fbaf66d1dabebb00753fb40c5ea3cb74f797ca.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

rfusclient.exe -deploy

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rfusclient.exe

"C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rfusclient.exe" -run_agent

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe

"C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe -second

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rfusclient.exe

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rfusclient.exe /tray /user

Network

Country | Destination | Domain | Proto | Count
US | 20.42.65.85:443 | (none) | tcp | 1
US | 8.253.208.112:80 | (none) | tcp | 2
US | 204.79.197.203:80 | (none) | tcp | 1

Files

memory/4796-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd

MD5 9b7ac054975f8f7b6fe9a41a18e2d6e7
SHA1 d820008d3732f37a7e4030c4bd414e3764de1af7
SHA256 815255a94853b2677f84ad15ff188f66a7e1ccd700bc7bf94afa05e2f4992255
SHA512 806d3161399eef58c87e7a14b850641c025bd0bfd98b827a16c2323402fc67a11db0b6714887d4a3be029f383ba9bdb75993b86d406208bc295b63f15f969cc9

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

MD5 848a53dc549be0386e5da0f49700c389
SHA1 e918192d2b5c565a9b2756a1d01070c6608f361c
SHA256 faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976
SHA512 fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633

memory/932-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\German.lg

MD5 42b83b0d09167cb42582b5f830b44ebb
SHA1 a9d5d467643aca034a983ebbb595d2fedd19062a
SHA256 56b73a451ecc9d3f99892b397ef1b5006b6f9296765d01fbdc7fc3d979400bbd
SHA512 2ef138d4e45554d594abbce7a2987fb17eeac63c607815120d4a415b7c3e3280a84b4068429d7743523c4366da0b5aec73c8152ec30185b3b18f14e39a22a781

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Japanese.lg

MD5 58319662af8f62390737c9df99f23dba
SHA1 19d0549605e76343555a3486aac9b072fe47e878
SHA256 4df73b25972b4388f2ffe70b88d4cfc739aed58dc0a72163b96cd407eb8d4388
SHA512 97fefa76088474a208e777026d6c4022d8490fe6773b8ca5fe07eaa3ac732a69bdc589c6d4f34cd6d4a41ba73f628fe8160205d4695559f81e6fa19a02a6cc16

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Portuguese.lg

MD5 18e6affb3bee46aeaf86efb1977f358b
SHA1 0df0b1fb0e3e59bc2f52d2a2bdadd29bf0adebc7
SHA256 c6e7b98ea6fd6bd60d26c46ba6432000cf4c47c5ba137fb63e905cfc2b3d36ba
SHA512 fb6428024e22b48c0a66f556973fb434a9a33593942541c1a42d175d0335a83152d8247f875138be014c5f9c98167003498717029eb36780cd7a374a3f59e6e4

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Portuguese, Brazilian.lg

MD5 119f5f60b0d87bd3a9e34eefe510cead
SHA1 07835dce1a48d571d1e8a5a4ff1f47f44bac3992
SHA256 b9793f0ede71f259dc242c926cdc8f70fdb241a8a0f22c7206fb51b7e0a43002
SHA512 5596ab114a4bc5edf98db65e95e2daa367a43034793b07877e3533e98822721ee3293a00760c2367fd3088df681fa0397e1a263efac1fd6850a1e26670cd0678

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Polish.lg

MD5 da9d399b473ccff29e6e8f9a5723cbfb
SHA1 d878b4206aaf64384162e96673845e913db34c69
SHA256 b885b4e1e7bea7c202c71313a60774143dd7cc18d1a0ec8412b47d53016ea3f3
SHA512 893122ce6550dddd793668ea7ff68764ca7676de34d8385df42f09eee50e0ce09670e6aca1245331fb18589207b3870b5564896e4d65eedc229648d985314dc7

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Norwegian.lg

MD5 3cdf55746e6889e8fff300e54a287bcc
SHA1 57c38147c92b86f7bceeb4dbd9ad1d720410b07d
SHA256 d3014f26e0b5bd84f694c8ad18f0de48ce3cbcbaa2f649070f161c64702cae3d
SHA512 df2fe1b2f16238c1de4b3982ed31cca71490eba41fe9588864b3a58f0f5ee8bf6ef28a63528e7bf06524780d19812e8cd3991472a82ed5559a6a32146c04830a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\logo.png

MD5 62be7d41972c92002b74d1f2d3e604b3
SHA1 5cb448c9af214703ecd8a61d5d95c5da2e35312e
SHA256 9da57cd6d471aa220fd63b19b411ed5cf94a86ad1c914a867c6a4e938b152e71
SHA512 571541f32ed71e9e87d9a3ad4c8182a9d9e0764512b4159c03f8cc0826ea017de8cf45df26b207ad7ba99b848d95cce5bb1d2d9663889a4fa64efce69fd184ec

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Korean.lg

MD5 dc4e41d98050548860bf92ca11345962
SHA1 259fc2aa4622e202799bbb5d352e57da47a6988f
SHA256 87ada3f861a2b04e39f633218b791cc9e08200dafe96b85538c2ce402fe1f0db
SHA512 7f7d18668248c5a3b5b7aacb5616c6dc0e562b8467a9a27ddd021690456b685af3c8dfc0b1fec746ccd799b5a9f41b0968628864087d1b3dbce79b52c49382b4

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hebrew.lg

MD5 516352f3ff5dc96d8cfbd6abf069aabd
SHA1 b52524bec89b956fba232d7a72205e63e029d5d0
SHA256 6387f12ff599445016b7f5b191170f077fe50c8b986a7d9650abfb7ccb6377f5
SHA512 c42e0901731774a15a65c047d8b05551d789e130ac17b53e899bb88f9d6a6448050eaa45b47a2a4cabc333cd36a863cfc5722cb76aebe04c73d9617117f0361c

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Italian.lg

MD5 dfcc06cd5e145a631806c1d011ad0fba
SHA1 d53236889246db20ad22f4811d24c7257c9b635d
SHA256 9848f250729fe0a81118aa027592ad0ef98d8428e808fa7bafa0903a93c4d94b
SHA512 35767772186b91f502698ce0fb7a25db3d9718fa0faa58f3f67fe711f841f95e14e89cb6bbbc476a29e568a93d670b205b616e07508c12f800d0e20cd3831e00

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe

MD5 3c5850ef227bb206e507551c471ee8df
SHA1 8943aab98043f28918a0c8d31d7a0076b5bffb1c
SHA256 a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445
SHA512 aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RIPCServer.dll

MD5 435d9e1fd4b87308f0f91da25530d4ec
SHA1 a9b0c513b930f4c2ef86cb75a8de1fe16eb6d996
SHA256 05040b677d7697b4f97da173c6c07146d3bde327833fd2022bf2cb67f90389ca
SHA512 9a84f8e75c855ca4d3892591e4d2ed4d37368d8ed8c28fd48093534a8283c21a483ab50d930adc10d8dda5fb25338dd247004fdf08dd9f60cf038a0b61fba33f

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\French.lg

MD5 7c2276331e1e744cf702858fbb041039
SHA1 a5c7c0067a96b7e8cd11d8b3c205494147a2da4e
SHA256 0b05f6ada359e0c3295d32087874bf2888e60400fe3a9ec4d54a849031bfe915
SHA512 e3fe3aafeaa6f295c53b2317aec8581a61260cc76072d814b913084b740397c3d77df4a63acc677f95aa6d40ff70fb52041432f903a128d5b54184c085d7a16b

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EULA.rtf

MD5 722fe688f60b4649265f5177a8c0c0ca
SHA1 9532e0de2b2d1eeacc19f15602904ae14231df6b
SHA256 2e551329bf8cb93e665c17bac916776d75091ff190b7ccff8a48fb0de0d582b5
SHA512 1248a6e94c1f75e398096f2d773822b2faf4e18438628e4874e4fc143bcf8adfc59f145de5838e1d9127795ab2de443ba6ba149e9dac3958d534356f98aa791d

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\English.lg

MD5 6396e5ade56e4f45c4f59ca210385f58
SHA1 88f8778e8f960001ee558255e22418d8ea17446a
SHA256 fe57254a0c2a3593d618bea7d43074c7b637ec3021f0b51073c0d95f65bae882
SHA512 58d0b3a45249338b41affbdc81cf01fb68e1f710b1f378bcc4eae58d6e8e8402be0a06c9b4e74a4cfa1d2631ad9281921a081bf597b24f12f7ea2a4fbcd5d020

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dutch.lg

MD5 00c905e8da73cf386c210d28e3797f6c
SHA1 512b1c68ad520bbd77733cf71e376333c509c183
SHA256 83813ca174f76a126e05f6cca58be24ce2a48a2632e9bf6bfa46a353d01111b6
SHA512 b302035bd8379ddc18be49575b92cfd0219b6847cbd2d9acb9d6faf26fc0b0774bfae11a599e52266849663c5adf3de2c217ca5214339bb5400daae5ac35363f

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Danish.lg

MD5 ab723f51a48801456d39bb48396beada
SHA1 a721d0afa24cbfb99c97431be42113426ab6638f
SHA256 3db7b110d7df4402b0ac207d28debb735cfd476ef42c2f71bbba5108a0b96da5
SHA512 b5fe82a2d00f277bf9fd75fae659a75e7f3aeb6629c6e034c7d9ee477abcba89dc4661035310ffdebd6aa3115c79c7621bf42af43b32568d5408d229b4d285bd

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Czech.lg

MD5 d39727c9980021059a0f2073277e039e
SHA1 a59b8f6d517741a8cf8c88cbb9bc7ddfa8879f75
SHA256 f1900d97610996e7a71c354f3899c26324e5a5493374a4d697558e4c4f669257
SHA512 f0fa8eed8f9b72775c8c574edb4299cced7e6ca71c3cc907d1914d3cd6a86987fc7b031960b8d496030ea9b2b4eaecddcf5d0f5ee6236514e0d21232680e9c15

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\config.txt

MD5 90b15937ff9ec75f7016e171bd1261ce
SHA1 3fa80c58e8bf6c3ab356047cfaa14187328c3732
SHA256 eb35f14c5463a76bdeef12596c09894e137cd40d0998d2a717ae2d1f572bc37a
SHA512 993aa4eb890a79c469849cf3b55e474def3b14beb72ca4785de38976b753a2aface4bb6b45515f9d7cfe2a99e11d530f694a2d95625c3bb16ae70740509ba95a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chinese Traditional.lg

MD5 420f3450e1dbf4ecbe48125bef79155e
SHA1 eedd628146fe8722aa8f5a9cc9a84ff86bc403ee
SHA256 ac397a585dd2e48f8ee01d2e50d4d87e138d24d6f6f7c442507feab796c3a9ed
SHA512 7b14bccb0daedf62186fafdb9224ce5c96b493950e4c7a9c6c9d330831c4e660efa77bf661a39bcb5b93014a9c3a7f28a633c4f6a1618b2a7ea551e811950857

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chinese Simplified.lg

MD5 844e2b8e4ad580ff845402a6b3b88846
SHA1 1e76d2008eee1a896d207dd9c3c1a504dc9d06de
SHA256 4d646a6af146c05cdb4644f62605cb40196595e6ed3aabcaf92e7d081c4eebf1
SHA512 01590c09f0cb43e1ccbc27b591a06ee16485a176439512f121a1b29d1fdc8ba9eb216a26c619abdd3ca8b441d80bd23ab165cf9f36e7ade0fb57f60645ff94ed

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\branding.ini

MD5 0ec2151eaa7029a335029aa619a2ac52
SHA1 db84f576b070f9f4128c82c1a17ed21cdd0bc5db
SHA256 8fc26439ed7808f5466fe46a0ddf5e7e93b9f597bcce0d806ac6908dc0b8df83
SHA512 87129b698d5f7becf12dcc13829250c40ebe1a5be20587828299e7c3f0a9fec865c76850135cee95e0fb39758ec70e4a849caec80a01861ba6d2340d7715c1db

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Arabic.lg

MD5 e51a34c8198ba9a59e53f0503777e75b
SHA1 83d93b4a520b08efa14b55c80c5db8f85d5ca9e4
SHA256 5810c1f2453156015e43dc8844b8463eaa47be877c07834e67723815aa60c5d3
SHA512 ed8c7684eeb24afae4f8cffccb870192e5ecb918843f2530439398d5cee783cafd375f851c0334ca6f1272196af984e72e3864a388f243cd6d82449151b722bd

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RWLN.dll

MD5 534d6f176f6cbc725f9e7db8028cd3f7
SHA1 35b53f2e344f4a908a551409d018a91dc58100d5
SHA256 e713f288a46aad762f76c945467bb3ea7c84edfc56cec1c4c1b40d9f919bdcc0
SHA512 1fc1bd8d094d458541596322588750ecc66a2b3f809b0361a5c104adf72972c4bf2f08e4b58f347e56afd4e8019942ba0ba3346a85169958de1cedfde5a15849

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmmux.dll

MD5 026d12b240e081794c730c1ed24a6f33
SHA1 bb6c0544ecc2c8db68b23b8e4feab5b3261b4666
SHA256 d639adb51c6e3ee8c249d11eb8db606ba2aa37d4f12f80f2b9685d8f560984bf
SHA512 5b88ee5c7cee966867eec31ad468aa19353a2a2b1a84995ac1bedeaf5e60b1b015f73fcd35644c4365cf8f1981b3de057483838b7deaad5599f9c2a24f60d758

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisencoder.dll

MD5 74a8ebf5d8e08e284d734fe5feebd67d
SHA1 87fb627c6e63eb41e26f389b38d525ccf0c11590
SHA256 1a9632b9e061b56017d2eb8d15c20e60a9518b4de5faa0399eaba0a17c10045d
SHA512 230f84f3fdb335a6044e6a83154de27e853b66ce6b8963b5f1991c462d69cc702a5cf7ee20717ec9f6e688398579fe18102a48f418b74333f476255b1cdbf8b9

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisdecoder.dll

MD5 2943b9910b1c7cc04024888502885256
SHA1 e2ac697a558fa85ff4c9e2bb114138870a80f146
SHA256 78115050f4e99372fc10b19a14af60e623ddfda224c8e96340cb5d8166507e2b
SHA512 8d9d0d60622b958ab0f7c1f1d050fb53ba11cf19aa513fde9f7b7772fb6949b3e50907ed519fdc89e2bdf0ffb33ff084094af56abd3f9d1d2faef9d27990fe1b

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8decoder.dll

MD5 381f1b7d8f7da904827980dae02f77a9
SHA1 81d4d5724533b26391301be2b462f580395d5485
SHA256 f14dab0b9f18aced330729b4a772e6b139817be01783b97b92e9af5fc26615d2
SHA512 44a5eee558c727c9c07301dc0190a00807d1749f83c57f76c4f8cdde4bbdf4b44bb1086cc2fcb7aff0a73949ae7aaa17d33d9cd3b0a70c4f51b724812e1bd6d3

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Turkish.lg

MD5 8a4b15f09ab2301fdbf99acd5274bf88
SHA1 88bee09f9690dce0f323909d53525f60e076e854
SHA256 00d3aa64e2afe9b92f2d13255a86eee0f289d9d257229289de0e2020626f0508
SHA512 f2066e60c588b698f3d2d79d19a25b76354c4857df1eda51d60d1371c5a32a87211a8927c0817ef1e2a8ca1d50230516a4521be6e0b40c7c301d93d894548e27

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Spanish.lg

MD5 542fb52c74f0f92c5cbe734cf75145b5
SHA1 6bca28849913bf4f61b3d48791737a00f9718ee7
SHA256 c157ce11631f26462c764bab24b0700f019a2213b36a92002d886d156afa7b03
SHA512 ece3518e30d4ddc210afe82751f4b011d2d67fc8130f619656590c45710e3ac11674026445a33e880d13f60a6156c79923badff8d5f68d119d68ab2728dd7c9d

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8encoder.dll

MD5 3e6c2703e1c8b6b2b3512aff48099462
SHA1 b17a7f9cce16540b1f0e3dceae9dc7e8e855cb1b
SHA256 616a0047b5f28a071fc26dd9b0fd90d5110c77a3635565cebc24b6362d8c9844
SHA512 70d0c5cb8542ca0600d38aee9030ea3dd9b0951a7d96ac1b8f1af9e71c5357c33f433913ef9d2e3254a9ac95e5678764ab22184fbcec998a9bbb8d75731c9dc8

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Swedish.lg

MD5 6b46297240dfc309a99b133e94c916c3
SHA1 ce4f36af4cbf6ebd15cf6e0e6dc8b72e61872027
SHA256 88f45f3cc9999a1e35967cd7f33d2d15c0c31b13336fbf93e754e1af8903d9c1
SHA512 6f808e7627d4d2ac06ec07f55ca72277c12a80e14fadd2822174349ebd0d5398dfcd73c301a4427a64db59b283f3d04a74be72f96e613db1540aeb9859af338e

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\settings.dat

MD5 264bba2e0ce2710b54af71e45ced220d
SHA1 80460734da936c044a8d02f57ccd46505d6904cf
SHA256 523a3e1aeb0131386be1ac170d4be9166fc54b5c3dbbd91d0a5a4c65ab3d55eb
SHA512 c43468a5b1194c74feb530be6cb4bd3164d6c55371837acd6a9561e932a6bc3b9142142ad9e1a4b90a9094452ec8afd1ae0191791f185897a714c0ba6bec766c

memory/4352-168-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rfusclient.exe

MD5 848a53dc549be0386e5da0f49700c389
SHA1 e918192d2b5c565a9b2756a1d01070c6608f361c
SHA256 faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976
SHA512 fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633

memory/1668-170-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\1F7403F976\rutserv.exe

MD5 3c5850ef227bb206e507551c471ee8df
SHA1 8943aab98043f28918a0c8d31d7a0076b5bffb1c
SHA256 a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445
SHA512 aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a

memory/4676-172-0x0000000000000000-mapping.dmp

memory/4368-175-0x0000000000000000-mapping.dmp
