Malware Analysis Report

2024-11-15 08:39

Sample ID 220415-h6kd5aecd7
Target 0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8
SHA256 0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8
Tags
rms rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8

Threat Level: Known bad

The file 0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8 was found to be: Known bad.

Malicious Activity Summary

rms rat trojan

RMS

Suspicious use of NtCreateUserProcessOtherParentProcess

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-15 07:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-15 07:20

Reported

2022-04-15 09:25

Platform

win7-20220414-en

Max time kernel

150s

Max time network

172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8.exe"

Signatures

RMS

trojan rat rms

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_6D5B8E0D46046FC4C98A958D41A4CFB6 C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_6D5B8E0D46046FC4C98A958D41A4CFB6 C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7 C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7 C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 284 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8.exe C:\Windows\SysWOW64\cmd.exe
PID 284 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8.exe C:\Windows\SysWOW64\cmd.exe
PID 284 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8.exe C:\Windows\SysWOW64\cmd.exe
PID 284 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8.exe C:\Windows\SysWOW64\cmd.exe
PID 284 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8.exe C:\Windows\SysWOW64\cmd.exe
PID 284 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8.exe C:\Windows\SysWOW64\cmd.exe
PID 284 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8.exe C:\Windows\SysWOW64\cmd.exe
PID 952 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
PID 952 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
PID 952 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
PID 952 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
PID 1220 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe
PID 1220 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe
PID 1220 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe
PID 1220 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe
PID 1860 wrote to memory of 824 N/A C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe
PID 1860 wrote to memory of 824 N/A C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe
PID 1860 wrote to memory of 824 N/A C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe
PID 1860 wrote to memory of 824 N/A C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe
PID 1708 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe
PID 1708 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe
PID 1708 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe
PID 1708 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8.exe

"C:\Users\Admin\AppData\Local\Temp\0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

rfusclient.exe -deploy

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe

"C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe" -run_agent

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe

"C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe"

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe -second

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe /tray /user

Network

Country Destination Domain Proto
US 8.8.8.8:53 server.remoteutilities.com udp
US 104.236.34.44:80 server.remoteutilities.com tcp
US 104.236.34.44:80 server.remoteutilities.com tcp
FR 78.198.9.119:5655 tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
FR 78.198.9.119:5655 tcp
FR 78.198.9.119:5655 tcp
FR 78.198.9.119:5655 tcp
FR 78.198.9.119:5655 tcp
FR 78.198.9.119:5655 tcp

Files

memory/284-54-0x0000000076431000-0x0000000076433000-memory.dmp

memory/952-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd

MD5 9b7ac054975f8f7b6fe9a41a18e2d6e7
SHA1 d820008d3732f37a7e4030c4bd414e3764de1af7
SHA256 815255a94853b2677f84ad15ff188f66a7e1ccd700bc7bf94afa05e2f4992255
SHA512 806d3161399eef58c87e7a14b850641c025bd0bfd98b827a16c2323402fc67a11db0b6714887d4a3be029f383ba9bdb75993b86d406208bc295b63f15f969cc9

\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

MD5 848a53dc549be0386e5da0f49700c389
SHA1 e918192d2b5c565a9b2756a1d01070c6608f361c
SHA256 faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976
SHA512 fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

MD5 848a53dc549be0386e5da0f49700c389
SHA1 e918192d2b5c565a9b2756a1d01070c6608f361c
SHA256 faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976
SHA512 fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633

memory/1220-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

MD5 848a53dc549be0386e5da0f49700c389
SHA1 e918192d2b5c565a9b2756a1d01070c6608f361c
SHA256 faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976
SHA512 fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Arabic.lg

MD5 e51a34c8198ba9a59e53f0503777e75b
SHA1 83d93b4a520b08efa14b55c80c5db8f85d5ca9e4
SHA256 5810c1f2453156015e43dc8844b8463eaa47be877c07834e67723815aa60c5d3
SHA512 ed8c7684eeb24afae4f8cffccb870192e5ecb918843f2530439398d5cee783cafd375f851c0334ca6f1272196af984e72e3864a388f243cd6d82449151b722bd

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\logo.png

MD5 c781bb6c17fe8a7e761c8d2bc3091608
SHA1 eda833b6456f59da63608184dd698ea3790826cf
SHA256 62e88c17bbc4b817b07c0c89b745d1c4c69bf388f86f69f4653081b34d94bb82
SHA512 876f1531201e5096b796da15ba8f2f4bce379109ca74be592cc9d5c8cccf25e1315cdb32d5ce45499434591b0ee08e2082e640fd91f976fec4c2c13784a05321

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Korean.lg

MD5 dc4e41d98050548860bf92ca11345962
SHA1 259fc2aa4622e202799bbb5d352e57da47a6988f
SHA256 87ada3f861a2b04e39f633218b791cc9e08200dafe96b85538c2ce402fe1f0db
SHA512 7f7d18668248c5a3b5b7aacb5616c6dc0e562b8467a9a27ddd021690456b685af3c8dfc0b1fec746ccd799b5a9f41b0968628864087d1b3dbce79b52c49382b4

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Japanese.lg

MD5 58319662af8f62390737c9df99f23dba
SHA1 19d0549605e76343555a3486aac9b072fe47e878
SHA256 4df73b25972b4388f2ffe70b88d4cfc739aed58dc0a72163b96cd407eb8d4388
SHA512 97fefa76088474a208e777026d6c4022d8490fe6773b8ca5fe07eaa3ac732a69bdc589c6d4f34cd6d4a41ba73f628fe8160205d4695559f81e6fa19a02a6cc16

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Italian.lg

MD5 dfcc06cd5e145a631806c1d011ad0fba
SHA1 d53236889246db20ad22f4811d24c7257c9b635d
SHA256 9848f250729fe0a81118aa027592ad0ef98d8428e808fa7bafa0903a93c4d94b
SHA512 35767772186b91f502698ce0fb7a25db3d9718fa0faa58f3f67fe711f841f95e14e89cb6bbbc476a29e568a93d670b205b616e07508c12f800d0e20cd3831e00

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hebrew.lg

MD5 516352f3ff5dc96d8cfbd6abf069aabd
SHA1 b52524bec89b956fba232d7a72205e63e029d5d0
SHA256 6387f12ff599445016b7f5b191170f077fe50c8b986a7d9650abfb7ccb6377f5
SHA512 c42e0901731774a15a65c047d8b05551d789e130ac17b53e899bb88f9d6a6448050eaa45b47a2a4cabc333cd36a863cfc5722cb76aebe04c73d9617117f0361c

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\German.lg

MD5 42b83b0d09167cb42582b5f830b44ebb
SHA1 a9d5d467643aca034a983ebbb595d2fedd19062a
SHA256 56b73a451ecc9d3f99892b397ef1b5006b6f9296765d01fbdc7fc3d979400bbd
SHA512 2ef138d4e45554d594abbce7a2987fb17eeac63c607815120d4a415b7c3e3280a84b4068429d7743523c4366da0b5aec73c8152ec30185b3b18f14e39a22a781

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\French.lg

MD5 7c2276331e1e744cf702858fbb041039
SHA1 a5c7c0067a96b7e8cd11d8b3c205494147a2da4e
SHA256 0b05f6ada359e0c3295d32087874bf2888e60400fe3a9ec4d54a849031bfe915
SHA512 e3fe3aafeaa6f295c53b2317aec8581a61260cc76072d814b913084b740397c3d77df4a63acc677f95aa6d40ff70fb52041432f903a128d5b54184c085d7a16b

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EULA.rtf

MD5 722fe688f60b4649265f5177a8c0c0ca
SHA1 9532e0de2b2d1eeacc19f15602904ae14231df6b
SHA256 2e551329bf8cb93e665c17bac916776d75091ff190b7ccff8a48fb0de0d582b5
SHA512 1248a6e94c1f75e398096f2d773822b2faf4e18438628e4874e4fc143bcf8adfc59f145de5838e1d9127795ab2de443ba6ba149e9dac3958d534356f98aa791d

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\English.lg

MD5 6396e5ade56e4f45c4f59ca210385f58
SHA1 88f8778e8f960001ee558255e22418d8ea17446a
SHA256 fe57254a0c2a3593d618bea7d43074c7b637ec3021f0b51073c0d95f65bae882
SHA512 58d0b3a45249338b41affbdc81cf01fb68e1f710b1f378bcc4eae58d6e8e8402be0a06c9b4e74a4cfa1d2631ad9281921a081bf597b24f12f7ea2a4fbcd5d020

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dutch.lg

MD5 00c905e8da73cf386c210d28e3797f6c
SHA1 512b1c68ad520bbd77733cf71e376333c509c183
SHA256 83813ca174f76a126e05f6cca58be24ce2a48a2632e9bf6bfa46a353d01111b6
SHA512 b302035bd8379ddc18be49575b92cfd0219b6847cbd2d9acb9d6faf26fc0b0774bfae11a599e52266849663c5adf3de2c217ca5214339bb5400daae5ac35363f

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Danish.lg

MD5 ab723f51a48801456d39bb48396beada
SHA1 a721d0afa24cbfb99c97431be42113426ab6638f
SHA256 3db7b110d7df4402b0ac207d28debb735cfd476ef42c2f71bbba5108a0b96da5
SHA512 b5fe82a2d00f277bf9fd75fae659a75e7f3aeb6629c6e034c7d9ee477abcba89dc4661035310ffdebd6aa3115c79c7621bf42af43b32568d5408d229b4d285bd

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Czech.lg

MD5 d39727c9980021059a0f2073277e039e
SHA1 a59b8f6d517741a8cf8c88cbb9bc7ddfa8879f75
SHA256 f1900d97610996e7a71c354f3899c26324e5a5493374a4d697558e4c4f669257
SHA512 f0fa8eed8f9b72775c8c574edb4299cced7e6ca71c3cc907d1914d3cd6a86987fc7b031960b8d496030ea9b2b4eaecddcf5d0f5ee6236514e0d21232680e9c15

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\config.txt

MD5 90b15937ff9ec75f7016e171bd1261ce
SHA1 3fa80c58e8bf6c3ab356047cfaa14187328c3732
SHA256 eb35f14c5463a76bdeef12596c09894e137cd40d0998d2a717ae2d1f572bc37a
SHA512 993aa4eb890a79c469849cf3b55e474def3b14beb72ca4785de38976b753a2aface4bb6b45515f9d7cfe2a99e11d530f694a2d95625c3bb16ae70740509ba95a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chinese Traditional.lg

MD5 420f3450e1dbf4ecbe48125bef79155e
SHA1 eedd628146fe8722aa8f5a9cc9a84ff86bc403ee
SHA256 ac397a585dd2e48f8ee01d2e50d4d87e138d24d6f6f7c442507feab796c3a9ed
SHA512 7b14bccb0daedf62186fafdb9224ce5c96b493950e4c7a9c6c9d330831c4e660efa77bf661a39bcb5b93014a9c3a7f28a633c4f6a1618b2a7ea551e811950857

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chinese Simplified.lg

MD5 844e2b8e4ad580ff845402a6b3b88846
SHA1 1e76d2008eee1a896d207dd9c3c1a504dc9d06de
SHA256 4d646a6af146c05cdb4644f62605cb40196595e6ed3aabcaf92e7d081c4eebf1
SHA512 01590c09f0cb43e1ccbc27b591a06ee16485a176439512f121a1b29d1fdc8ba9eb216a26c619abdd3ca8b441d80bd23ab165cf9f36e7ade0fb57f60645ff94ed

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\branding.ini

MD5 9595a75bbd951a27ef3a69751cab8fa0
SHA1 cbe60d3b4e391f57a0bf14aacc203375cb48caf5
SHA256 a4bb1af5f5e87477a35caaab553ec5ff41723c7986b2fcaba248f06cdb22582e
SHA512 2d41074d959e0a0959b1e96930fe1f0991d97dcbd0fe54a943a8b09f94e2dfe6957e012a740a994623c969815507fd73a7bcbd6e0ccaff868d9214772be26c71

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8decoder.dll

MD5 381f1b7d8f7da904827980dae02f77a9
SHA1 81d4d5724533b26391301be2b462f580395d5485
SHA256 f14dab0b9f18aced330729b4a772e6b139817be01783b97b92e9af5fc26615d2
SHA512 44a5eee558c727c9c07301dc0190a00807d1749f83c57f76c4f8cdde4bbdf4b44bb1086cc2fcb7aff0a73949ae7aaa17d33d9cd3b0a70c4f51b724812e1bd6d3

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisencoder.dll

MD5 74a8ebf5d8e08e284d734fe5feebd67d
SHA1 87fb627c6e63eb41e26f389b38d525ccf0c11590
SHA256 1a9632b9e061b56017d2eb8d15c20e60a9518b4de5faa0399eaba0a17c10045d
SHA512 230f84f3fdb335a6044e6a83154de27e853b66ce6b8963b5f1991c462d69cc702a5cf7ee20717ec9f6e688398579fe18102a48f418b74333f476255b1cdbf8b9

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisdecoder.dll

MD5 2943b9910b1c7cc04024888502885256
SHA1 e2ac697a558fa85ff4c9e2bb114138870a80f146
SHA256 78115050f4e99372fc10b19a14af60e623ddfda224c8e96340cb5d8166507e2b
SHA512 8d9d0d60622b958ab0f7c1f1d050fb53ba11cf19aa513fde9f7b7772fb6949b3e50907ed519fdc89e2bdf0ffb33ff084094af56abd3f9d1d2faef9d27990fe1b

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmmux.dll

MD5 026d12b240e081794c730c1ed24a6f33
SHA1 bb6c0544ecc2c8db68b23b8e4feab5b3261b4666
SHA256 d639adb51c6e3ee8c249d11eb8db606ba2aa37d4f12f80f2b9685d8f560984bf
SHA512 5b88ee5c7cee966867eec31ad468aa19353a2a2b1a84995ac1bedeaf5e60b1b015f73fcd35644c4365cf8f1981b3de057483838b7deaad5599f9c2a24f60d758

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8encoder.dll

MD5 3e6c2703e1c8b6b2b3512aff48099462
SHA1 b17a7f9cce16540b1f0e3dceae9dc7e8e855cb1b
SHA256 616a0047b5f28a071fc26dd9b0fd90d5110c77a3635565cebc24b6362d8c9844
SHA512 70d0c5cb8542ca0600d38aee9030ea3dd9b0951a7d96ac1b8f1af9e71c5357c33f433913ef9d2e3254a9ac95e5678764ab22184fbcec998a9bbb8d75731c9dc8

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Turkish.lg

MD5 8a4b15f09ab2301fdbf99acd5274bf88
SHA1 88bee09f9690dce0f323909d53525f60e076e854
SHA256 00d3aa64e2afe9b92f2d13255a86eee0f289d9d257229289de0e2020626f0508
SHA512 f2066e60c588b698f3d2d79d19a25b76354c4857df1eda51d60d1371c5a32a87211a8927c0817ef1e2a8ca1d50230516a4521be6e0b40c7c301d93d894548e27

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Swedish.lg

MD5 6b46297240dfc309a99b133e94c916c3
SHA1 ce4f36af4cbf6ebd15cf6e0e6dc8b72e61872027
SHA256 88f45f3cc9999a1e35967cd7f33d2d15c0c31b13336fbf93e754e1af8903d9c1
SHA512 6f808e7627d4d2ac06ec07f55ca72277c12a80e14fadd2822174349ebd0d5398dfcd73c301a4427a64db59b283f3d04a74be72f96e613db1540aeb9859af338e

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Spanish.lg

MD5 542fb52c74f0f92c5cbe734cf75145b5
SHA1 6bca28849913bf4f61b3d48791737a00f9718ee7
SHA256 c157ce11631f26462c764bab24b0700f019a2213b36a92002d886d156afa7b03
SHA512 ece3518e30d4ddc210afe82751f4b011d2d67fc8130f619656590c45710e3ac11674026445a33e880d13f60a6156c79923badff8d5f68d119d68ab2728dd7c9d

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\settings.dat

MD5 3024e0d388436f35c9549f9b7332f2f6
SHA1 f576bab58e560600e6369057b1b334d595e5b3df
SHA256 ebc9586690485fa310cc7c365a2433c57cb95f32074e15b282e3f3d05083d891
SHA512 2516f278abdbb267082754a8ba17854ddb4627981c2f34be5d6c075c1c33984aa46c3b44d4a404509fede693ef44bcd236950084b74139104ef7b3a20026c547

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RWLN.dll

MD5 534d6f176f6cbc725f9e7db8028cd3f7
SHA1 35b53f2e344f4a908a551409d018a91dc58100d5
SHA256 e713f288a46aad762f76c945467bb3ea7c84edfc56cec1c4c1b40d9f919bdcc0
SHA512 1fc1bd8d094d458541596322588750ecc66a2b3f809b0361a5c104adf72972c4bf2f08e4b58f347e56afd4e8019942ba0ba3346a85169958de1cedfde5a15849

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe

MD5 3c5850ef227bb206e507551c471ee8df
SHA1 8943aab98043f28918a0c8d31d7a0076b5bffb1c
SHA256 a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445
SHA512 aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RIPCServer.dll

MD5 435d9e1fd4b87308f0f91da25530d4ec
SHA1 a9b0c513b930f4c2ef86cb75a8de1fe16eb6d996
SHA256 05040b677d7697b4f97da173c6c07146d3bde327833fd2022bf2cb67f90389ca
SHA512 9a84f8e75c855ca4d3892591e4d2ed4d37368d8ed8c28fd48093534a8283c21a483ab50d930adc10d8dda5fb25338dd247004fdf08dd9f60cf038a0b61fba33f

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Portuguese.lg

MD5 18e6affb3bee46aeaf86efb1977f358b
SHA1 0df0b1fb0e3e59bc2f52d2a2bdadd29bf0adebc7
SHA256 c6e7b98ea6fd6bd60d26c46ba6432000cf4c47c5ba137fb63e905cfc2b3d36ba
SHA512 fb6428024e22b48c0a66f556973fb434a9a33593942541c1a42d175d0335a83152d8247f875138be014c5f9c98167003498717029eb36780cd7a374a3f59e6e4

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Portuguese, Brazilian.lg

MD5 119f5f60b0d87bd3a9e34eefe510cead
SHA1 07835dce1a48d571d1e8a5a4ff1f47f44bac3992
SHA256 b9793f0ede71f259dc242c926cdc8f70fdb241a8a0f22c7206fb51b7e0a43002
SHA512 5596ab114a4bc5edf98db65e95e2daa367a43034793b07877e3533e98822721ee3293a00760c2367fd3088df681fa0397e1a263efac1fd6850a1e26670cd0678

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Polish.lg

MD5 da9d399b473ccff29e6e8f9a5723cbfb
SHA1 d878b4206aaf64384162e96673845e913db34c69
SHA256 b885b4e1e7bea7c202c71313a60774143dd7cc18d1a0ec8412b47d53016ea3f3
SHA512 893122ce6550dddd793668ea7ff68764ca7676de34d8385df42f09eee50e0ce09670e6aca1245331fb18589207b3870b5564896e4d65eedc229648d985314dc7

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Norwegian.lg

MD5 3cdf55746e6889e8fff300e54a287bcc
SHA1 57c38147c92b86f7bceeb4dbd9ad1d720410b07d
SHA256 d3014f26e0b5bd84f694c8ad18f0de48ce3cbcbaa2f649070f161c64702cae3d
SHA512 df2fe1b2f16238c1de4b3982ed31cca71490eba41fe9588864b3a58f0f5ee8bf6ef28a63528e7bf06524780d19812e8cd3991472a82ed5559a6a32146c04830a

\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

MD5 848a53dc549be0386e5da0f49700c389
SHA1 e918192d2b5c565a9b2756a1d01070c6608f361c
SHA256 faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976
SHA512 fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633

memory/1860-97-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe

MD5 848a53dc549be0386e5da0f49700c389
SHA1 e918192d2b5c565a9b2756a1d01070c6608f361c
SHA256 faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976
SHA512 fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe

MD5 848a53dc549be0386e5da0f49700c389
SHA1 e918192d2b5c565a9b2756a1d01070c6608f361c
SHA256 faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976
SHA512 fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633

\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe

MD5 3c5850ef227bb206e507551c471ee8df
SHA1 8943aab98043f28918a0c8d31d7a0076b5bffb1c
SHA256 a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445
SHA512 aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a

memory/824-104-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe

MD5 3c5850ef227bb206e507551c471ee8df
SHA1 8943aab98043f28918a0c8d31d7a0076b5bffb1c
SHA256 a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445
SHA512 aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe

MD5 848a53dc549be0386e5da0f49700c389
SHA1 e918192d2b5c565a9b2756a1d01070c6608f361c
SHA256 faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976
SHA512 fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633

memory/1776-110-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-15 07:20

Reported

2022-04-15 09:25

Platform

win10v2004-20220414-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8.exe"

Signatures

RMS

trojan rat rms

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2884 created 760 N/A C:\Windows\system32\svchost.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_6D5B8E0D46046FC4C98A958D41A4CFB6 C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7 C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7 C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_6D5B8E0D46046FC4C98A958D41A4CFB6 C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (value omitted) C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (value omitted) C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (value omitted) C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (value omitted) C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (value omitted) C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (value omitted) C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3524 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8.exe C:\Windows\SysWOW64\cmd.exe
PID 3524 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8.exe C:\Windows\SysWOW64\cmd.exe
PID 3524 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
PID 4860 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
PID 4860 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
PID 2996 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe
PID 2996 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe
PID 2996 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe
PID 2924 wrote to memory of 760 N/A C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe
PID 2924 wrote to memory of 760 N/A C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe
PID 2924 wrote to memory of 760 N/A C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe
PID 2884 wrote to memory of 5056 N/A C:\Windows\system32\svchost.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe
PID 2884 wrote to memory of 5056 N/A C:\Windows\system32\svchost.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe
PID 2884 wrote to memory of 5056 N/A C:\Windows\system32\svchost.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe
PID 5056 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe
PID 5056 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe
PID 5056 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8.exe

"C:\Users\Admin\AppData\Local\Temp\0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

rfusclient.exe -deploy

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe

"C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe" -run_agent

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe

"C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe -second

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe /tray /user

Network

Country Destination Domain Proto
US 8.8.8.8:53 server.remoteutilities.com udp
US 104.236.34.44:80 server.remoteutilities.com tcp
US 104.236.34.44:80 server.remoteutilities.com tcp
FR 78.198.9.119:5655 tcp
US 20.42.65.85:443 tcp
FR 78.198.9.119:5655 tcp
FR 78.198.9.119:5655 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
FR 78.198.9.119:5655 tcp
FR 78.198.9.119:5655 tcp
FR 78.198.9.119:5655 tcp
FR 78.198.9.119:5655 tcp
FR 78.198.9.119:5655 tcp
FR 78.198.9.119:5655 tcp
US 13.107.42.16:443 tcp
FR 78.198.9.119:5655 tcp
FR 78.198.9.119:5655 tcp
FR 78.198.9.119:5655 tcp
FR 78.198.9.119:5655 tcp
FR 78.198.9.119:5655 tcp
FR 78.198.9.119:5655 tcp
FR 78.198.9.119:5655 tcp

Files

memory/4860-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd

MD5 9b7ac054975f8f7b6fe9a41a18e2d6e7
SHA1 d820008d3732f37a7e4030c4bd414e3764de1af7
SHA256 815255a94853b2677f84ad15ff188f66a7e1ccd700bc7bf94afa05e2f4992255
SHA512 806d3161399eef58c87e7a14b850641c025bd0bfd98b827a16c2323402fc67a11db0b6714887d4a3be029f383ba9bdb75993b86d406208bc295b63f15f969cc9

memory/2996-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

MD5 848a53dc549be0386e5da0f49700c389
SHA1 e918192d2b5c565a9b2756a1d01070c6608f361c
SHA256 faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976
SHA512 fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Arabic.lg

MD5 e51a34c8198ba9a59e53f0503777e75b
SHA1 83d93b4a520b08efa14b55c80c5db8f85d5ca9e4
SHA256 5810c1f2453156015e43dc8844b8463eaa47be877c07834e67723815aa60c5d3
SHA512 ed8c7684eeb24afae4f8cffccb870192e5ecb918843f2530439398d5cee783cafd375f851c0334ca6f1272196af984e72e3864a388f243cd6d82449151b722bd

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dutch.lg

MD5 00c905e8da73cf386c210d28e3797f6c
SHA1 512b1c68ad520bbd77733cf71e376333c509c183
SHA256 83813ca174f76a126e05f6cca58be24ce2a48a2632e9bf6bfa46a353d01111b6
SHA512 b302035bd8379ddc18be49575b92cfd0219b6847cbd2d9acb9d6faf26fc0b0774bfae11a599e52266849663c5adf3de2c217ca5214339bb5400daae5ac35363f

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

MD5 848a53dc549be0386e5da0f49700c389
SHA1 e918192d2b5c565a9b2756a1d01070c6608f361c
SHA256 faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976
SHA512 fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe

MD5 3c5850ef227bb206e507551c471ee8df
SHA1 8943aab98043f28918a0c8d31d7a0076b5bffb1c
SHA256 a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445
SHA512 aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Swedish.lg

MD5 6b46297240dfc309a99b133e94c916c3
SHA1 ce4f36af4cbf6ebd15cf6e0e6dc8b72e61872027
SHA256 88f45f3cc9999a1e35967cd7f33d2d15c0c31b13336fbf93e754e1af8903d9c1
SHA512 6f808e7627d4d2ac06ec07f55ca72277c12a80e14fadd2822174349ebd0d5398dfcd73c301a4427a64db59b283f3d04a74be72f96e613db1540aeb9859af338e

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Spanish.lg

MD5 542fb52c74f0f92c5cbe734cf75145b5
SHA1 6bca28849913bf4f61b3d48791737a00f9718ee7
SHA256 c157ce11631f26462c764bab24b0700f019a2213b36a92002d886d156afa7b03
SHA512 ece3518e30d4ddc210afe82751f4b011d2d67fc8130f619656590c45710e3ac11674026445a33e880d13f60a6156c79923badff8d5f68d119d68ab2728dd7c9d

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\settings.dat

MD5 3024e0d388436f35c9549f9b7332f2f6
SHA1 f576bab58e560600e6369057b1b334d595e5b3df
SHA256 ebc9586690485fa310cc7c365a2433c57cb95f32074e15b282e3f3d05083d891
SHA512 2516f278abdbb267082754a8ba17854ddb4627981c2f34be5d6c075c1c33984aa46c3b44d4a404509fede693ef44bcd236950084b74139104ef7b3a20026c547

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RWLN.dll

MD5 534d6f176f6cbc725f9e7db8028cd3f7
SHA1 35b53f2e344f4a908a551409d018a91dc58100d5
SHA256 e713f288a46aad762f76c945467bb3ea7c84edfc56cec1c4c1b40d9f919bdcc0
SHA512 1fc1bd8d094d458541596322588750ecc66a2b3f809b0361a5c104adf72972c4bf2f08e4b58f347e56afd4e8019942ba0ba3346a85169958de1cedfde5a15849

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RIPCServer.dll

MD5 435d9e1fd4b87308f0f91da25530d4ec
SHA1 a9b0c513b930f4c2ef86cb75a8de1fe16eb6d996
SHA256 05040b677d7697b4f97da173c6c07146d3bde327833fd2022bf2cb67f90389ca
SHA512 9a84f8e75c855ca4d3892591e4d2ed4d37368d8ed8c28fd48093534a8283c21a483ab50d930adc10d8dda5fb25338dd247004fdf08dd9f60cf038a0b61fba33f

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Portuguese.lg

MD5 18e6affb3bee46aeaf86efb1977f358b
SHA1 0df0b1fb0e3e59bc2f52d2a2bdadd29bf0adebc7
SHA256 c6e7b98ea6fd6bd60d26c46ba6432000cf4c47c5ba137fb63e905cfc2b3d36ba
SHA512 fb6428024e22b48c0a66f556973fb434a9a33593942541c1a42d175d0335a83152d8247f875138be014c5f9c98167003498717029eb36780cd7a374a3f59e6e4

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Portuguese, Brazilian.lg

MD5 119f5f60b0d87bd3a9e34eefe510cead
SHA1 07835dce1a48d571d1e8a5a4ff1f47f44bac3992
SHA256 b9793f0ede71f259dc242c926cdc8f70fdb241a8a0f22c7206fb51b7e0a43002
SHA512 5596ab114a4bc5edf98db65e95e2daa367a43034793b07877e3533e98822721ee3293a00760c2367fd3088df681fa0397e1a263efac1fd6850a1e26670cd0678

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Polish.lg

MD5 da9d399b473ccff29e6e8f9a5723cbfb
SHA1 d878b4206aaf64384162e96673845e913db34c69
SHA256 b885b4e1e7bea7c202c71313a60774143dd7cc18d1a0ec8412b47d53016ea3f3
SHA512 893122ce6550dddd793668ea7ff68764ca7676de34d8385df42f09eee50e0ce09670e6aca1245331fb18589207b3870b5564896e4d65eedc229648d985314dc7

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Norwegian.lg

MD5 3cdf55746e6889e8fff300e54a287bcc
SHA1 57c38147c92b86f7bceeb4dbd9ad1d720410b07d
SHA256 d3014f26e0b5bd84f694c8ad18f0de48ce3cbcbaa2f649070f161c64702cae3d
SHA512 df2fe1b2f16238c1de4b3982ed31cca71490eba41fe9588864b3a58f0f5ee8bf6ef28a63528e7bf06524780d19812e8cd3991472a82ed5559a6a32146c04830a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\logo.png

MD5 c781bb6c17fe8a7e761c8d2bc3091608
SHA1 eda833b6456f59da63608184dd698ea3790826cf
SHA256 62e88c17bbc4b817b07c0c89b745d1c4c69bf388f86f69f4653081b34d94bb82
SHA512 876f1531201e5096b796da15ba8f2f4bce379109ca74be592cc9d5c8cccf25e1315cdb32d5ce45499434591b0ee08e2082e640fd91f976fec4c2c13784a05321

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Korean.lg

MD5 dc4e41d98050548860bf92ca11345962
SHA1 259fc2aa4622e202799bbb5d352e57da47a6988f
SHA256 87ada3f861a2b04e39f633218b791cc9e08200dafe96b85538c2ce402fe1f0db
SHA512 7f7d18668248c5a3b5b7aacb5616c6dc0e562b8467a9a27ddd021690456b685af3c8dfc0b1fec746ccd799b5a9f41b0968628864087d1b3dbce79b52c49382b4

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Japanese.lg

MD5 58319662af8f62390737c9df99f23dba
SHA1 19d0549605e76343555a3486aac9b072fe47e878
SHA256 4df73b25972b4388f2ffe70b88d4cfc739aed58dc0a72163b96cd407eb8d4388
SHA512 97fefa76088474a208e777026d6c4022d8490fe6773b8ca5fe07eaa3ac732a69bdc589c6d4f34cd6d4a41ba73f628fe8160205d4695559f81e6fa19a02a6cc16

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Italian.lg

MD5 dfcc06cd5e145a631806c1d011ad0fba
SHA1 d53236889246db20ad22f4811d24c7257c9b635d
SHA256 9848f250729fe0a81118aa027592ad0ef98d8428e808fa7bafa0903a93c4d94b
SHA512 35767772186b91f502698ce0fb7a25db3d9718fa0faa58f3f67fe711f841f95e14e89cb6bbbc476a29e568a93d670b205b616e07508c12f800d0e20cd3831e00

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hebrew.lg

MD5 516352f3ff5dc96d8cfbd6abf069aabd
SHA1 b52524bec89b956fba232d7a72205e63e029d5d0
SHA256 6387f12ff599445016b7f5b191170f077fe50c8b986a7d9650abfb7ccb6377f5
SHA512 c42e0901731774a15a65c047d8b05551d789e130ac17b53e899bb88f9d6a6448050eaa45b47a2a4cabc333cd36a863cfc5722cb76aebe04c73d9617117f0361c

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\German.lg

MD5 42b83b0d09167cb42582b5f830b44ebb
SHA1 a9d5d467643aca034a983ebbb595d2fedd19062a
SHA256 56b73a451ecc9d3f99892b397ef1b5006b6f9296765d01fbdc7fc3d979400bbd
SHA512 2ef138d4e45554d594abbce7a2987fb17eeac63c607815120d4a415b7c3e3280a84b4068429d7743523c4366da0b5aec73c8152ec30185b3b18f14e39a22a781

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\French.lg

MD5 7c2276331e1e744cf702858fbb041039
SHA1 a5c7c0067a96b7e8cd11d8b3c205494147a2da4e
SHA256 0b05f6ada359e0c3295d32087874bf2888e60400fe3a9ec4d54a849031bfe915
SHA512 e3fe3aafeaa6f295c53b2317aec8581a61260cc76072d814b913084b740397c3d77df4a63acc677f95aa6d40ff70fb52041432f903a128d5b54184c085d7a16b

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EULA.rtf

MD5 722fe688f60b4649265f5177a8c0c0ca
SHA1 9532e0de2b2d1eeacc19f15602904ae14231df6b
SHA256 2e551329bf8cb93e665c17bac916776d75091ff190b7ccff8a48fb0de0d582b5
SHA512 1248a6e94c1f75e398096f2d773822b2faf4e18438628e4874e4fc143bcf8adfc59f145de5838e1d9127795ab2de443ba6ba149e9dac3958d534356f98aa791d

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\English.lg

MD5 6396e5ade56e4f45c4f59ca210385f58
SHA1 88f8778e8f960001ee558255e22418d8ea17446a
SHA256 fe57254a0c2a3593d618bea7d43074c7b637ec3021f0b51073c0d95f65bae882
SHA512 58d0b3a45249338b41affbdc81cf01fb68e1f710b1f378bcc4eae58d6e8e8402be0a06c9b4e74a4cfa1d2631ad9281921a081bf597b24f12f7ea2a4fbcd5d020

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Danish.lg

MD5 ab723f51a48801456d39bb48396beada
SHA1 a721d0afa24cbfb99c97431be42113426ab6638f
SHA256 3db7b110d7df4402b0ac207d28debb735cfd476ef42c2f71bbba5108a0b96da5
SHA512 b5fe82a2d00f277bf9fd75fae659a75e7f3aeb6629c6e034c7d9ee477abcba89dc4661035310ffdebd6aa3115c79c7621bf42af43b32568d5408d229b4d285bd

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Czech.lg

MD5 d39727c9980021059a0f2073277e039e
SHA1 a59b8f6d517741a8cf8c88cbb9bc7ddfa8879f75
SHA256 f1900d97610996e7a71c354f3899c26324e5a5493374a4d697558e4c4f669257
SHA512 f0fa8eed8f9b72775c8c574edb4299cced7e6ca71c3cc907d1914d3cd6a86987fc7b031960b8d496030ea9b2b4eaecddcf5d0f5ee6236514e0d21232680e9c15

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\config.txt

MD5 90b15937ff9ec75f7016e171bd1261ce
SHA1 3fa80c58e8bf6c3ab356047cfaa14187328c3732
SHA256 eb35f14c5463a76bdeef12596c09894e137cd40d0998d2a717ae2d1f572bc37a
SHA512 993aa4eb890a79c469849cf3b55e474def3b14beb72ca4785de38976b753a2aface4bb6b45515f9d7cfe2a99e11d530f694a2d95625c3bb16ae70740509ba95a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chinese Traditional.lg

MD5 420f3450e1dbf4ecbe48125bef79155e
SHA1 eedd628146fe8722aa8f5a9cc9a84ff86bc403ee
SHA256 ac397a585dd2e48f8ee01d2e50d4d87e138d24d6f6f7c442507feab796c3a9ed
SHA512 7b14bccb0daedf62186fafdb9224ce5c96b493950e4c7a9c6c9d330831c4e660efa77bf661a39bcb5b93014a9c3a7f28a633c4f6a1618b2a7ea551e811950857

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chinese Simplified.lg

MD5 844e2b8e4ad580ff845402a6b3b88846
SHA1 1e76d2008eee1a896d207dd9c3c1a504dc9d06de
SHA256 4d646a6af146c05cdb4644f62605cb40196595e6ed3aabcaf92e7d081c4eebf1
SHA512 01590c09f0cb43e1ccbc27b591a06ee16485a176439512f121a1b29d1fdc8ba9eb216a26c619abdd3ca8b441d80bd23ab165cf9f36e7ade0fb57f60645ff94ed

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\branding.ini

MD5 9595a75bbd951a27ef3a69751cab8fa0
SHA1 cbe60d3b4e391f57a0bf14aacc203375cb48caf5
SHA256 a4bb1af5f5e87477a35caaab553ec5ff41723c7986b2fcaba248f06cdb22582e
SHA512 2d41074d959e0a0959b1e96930fe1f0991d97dcbd0fe54a943a8b09f94e2dfe6957e012a740a994623c969815507fd73a7bcbd6e0ccaff868d9214772be26c71

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Turkish.lg

MD5 8a4b15f09ab2301fdbf99acd5274bf88
SHA1 88bee09f9690dce0f323909d53525f60e076e854
SHA256 00d3aa64e2afe9b92f2d13255a86eee0f289d9d257229289de0e2020626f0508
SHA512 f2066e60c588b698f3d2d79d19a25b76354c4857df1eda51d60d1371c5a32a87211a8927c0817ef1e2a8ca1d50230516a4521be6e0b40c7c301d93d894548e27

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8decoder.dll

MD5 381f1b7d8f7da904827980dae02f77a9
SHA1 81d4d5724533b26391301be2b462f580395d5485
SHA256 f14dab0b9f18aced330729b4a772e6b139817be01783b97b92e9af5fc26615d2
SHA512 44a5eee558c727c9c07301dc0190a00807d1749f83c57f76c4f8cdde4bbdf4b44bb1086cc2fcb7aff0a73949ae7aaa17d33d9cd3b0a70c4f51b724812e1bd6d3

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8encoder.dll

MD5 3e6c2703e1c8b6b2b3512aff48099462
SHA1 b17a7f9cce16540b1f0e3dceae9dc7e8e855cb1b
SHA256 616a0047b5f28a071fc26dd9b0fd90d5110c77a3635565cebc24b6362d8c9844
SHA512 70d0c5cb8542ca0600d38aee9030ea3dd9b0951a7d96ac1b8f1af9e71c5357c33f433913ef9d2e3254a9ac95e5678764ab22184fbcec998a9bbb8d75731c9dc8

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisdecoder.dll

MD5 2943b9910b1c7cc04024888502885256
SHA1 e2ac697a558fa85ff4c9e2bb114138870a80f146
SHA256 78115050f4e99372fc10b19a14af60e623ddfda224c8e96340cb5d8166507e2b
SHA512 8d9d0d60622b958ab0f7c1f1d050fb53ba11cf19aa513fde9f7b7772fb6949b3e50907ed519fdc89e2bdf0ffb33ff084094af56abd3f9d1d2faef9d27990fe1b

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmmux.dll

MD5 026d12b240e081794c730c1ed24a6f33
SHA1 bb6c0544ecc2c8db68b23b8e4feab5b3261b4666
SHA256 d639adb51c6e3ee8c249d11eb8db606ba2aa37d4f12f80f2b9685d8f560984bf
SHA512 5b88ee5c7cee966867eec31ad468aa19353a2a2b1a84995ac1bedeaf5e60b1b015f73fcd35644c4365cf8f1981b3de057483838b7deaad5599f9c2a24f60d758

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisencoder.dll

MD5 74a8ebf5d8e08e284d734fe5feebd67d
SHA1 87fb627c6e63eb41e26f389b38d525ccf0c11590
SHA256 1a9632b9e061b56017d2eb8d15c20e60a9518b4de5faa0399eaba0a17c10045d
SHA512 230f84f3fdb335a6044e6a83154de27e853b66ce6b8963b5f1991c462d69cc702a5cf7ee20717ec9f6e688398579fe18102a48f418b74333f476255b1cdbf8b9

memory/2924-168-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe

MD5 848a53dc549be0386e5da0f49700c389
SHA1 e918192d2b5c565a9b2756a1d01070c6608f361c
SHA256 faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976
SHA512 fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633

memory/760-170-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe

MD5 3c5850ef227bb206e507551c471ee8df
SHA1 8943aab98043f28918a0c8d31d7a0076b5bffb1c
SHA256 a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445
SHA512 aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a

memory/5056-172-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe

MD5 3c5850ef227bb206e507551c471ee8df
SHA1 8943aab98043f28918a0c8d31d7a0076b5bffb1c
SHA256 a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445
SHA512 aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe

MD5 848a53dc549be0386e5da0f49700c389
SHA1 e918192d2b5c565a9b2756a1d01070c6608f361c
SHA256 faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976
SHA512 fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633

memory/3272-175-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe

MD5 848a53dc549be0386e5da0f49700c389
SHA1 e918192d2b5c565a9b2756a1d01070c6608f361c
SHA256 faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976
SHA512 fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633