Analysis Overview
SHA256
0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8
Threat Level: Known bad
The file 0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8 was found to be: Known bad.
Malicious Activity Summary
RMS
Suspicious use of NtCreateUserProcessOtherParentProcess
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-15 07:20
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-15 07:20
Reported
2022-04-15 09:25
Platform
win7-20220414-en
Max time kernel
150s
Max time network
172s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_6D5B8E0D46046FC4C98A958D41A4CFB6 | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_6D5B8E0D46046FC4C98A958D41A4CFB6 | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8.exe
"C:\Users\Admin\AppData\Local\Temp\0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
rfusclient.exe -deploy
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe
"C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe" -run_agent
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe
"C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe"
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe -second
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe /tray /user
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | server.remoteutilities.com | udp |
| US | 104.236.34.44:80 | server.remoteutilities.com | tcp |
| US | 104.236.34.44:80 | server.remoteutilities.com | tcp |
| FR | 78.198.9.119:5655 | | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| FR | 78.198.9.119:5655 | | tcp |
| FR | 78.198.9.119:5655 | | tcp |
| FR | 78.198.9.119:5655 | | tcp |
| FR | 78.198.9.119:5655 | | tcp |
| FR | 78.198.9.119:5655 | | tcp |
Files
memory/284-54-0x0000000076431000-0x0000000076433000-memory.dmp
memory/952-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
memory/1220-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Arabic.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\logo.png
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Korean.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Japanese.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Italian.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hebrew.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\German.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\French.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EULA.rtf
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\English.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dutch.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Danish.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Czech.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\config.txt
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chinese Traditional.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chinese Simplified.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\branding.ini
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8decoder.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisencoder.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisdecoder.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmmux.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8encoder.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Turkish.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Swedish.lg
| MD5 | 6b46297240dfc309a99b133e94c916c3 |
| SHA1 | ce4f36af4cbf6ebd15cf6e0e6dc8b72e61872027 |
| SHA256 | 88f45f3cc9999a1e35967cd7f33d2d15c0c31b13336fbf93e754e1af8903d9c1 |
| SHA512 | 6f808e7627d4d2ac06ec07f55ca72277c12a80e14fadd2822174349ebd0d5398dfcd73c301a4427a64db59b283f3d04a74be72f96e613db1540aeb9859af338e |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Spanish.lg
| MD5 | 542fb52c74f0f92c5cbe734cf75145b5 |
| SHA1 | 6bca28849913bf4f61b3d48791737a00f9718ee7 |
| SHA256 | c157ce11631f26462c764bab24b0700f019a2213b36a92002d886d156afa7b03 |
| SHA512 | ece3518e30d4ddc210afe82751f4b011d2d67fc8130f619656590c45710e3ac11674026445a33e880d13f60a6156c79923badff8d5f68d119d68ab2728dd7c9d |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\settings.dat
| MD5 | 3024e0d388436f35c9549f9b7332f2f6 |
| SHA1 | f576bab58e560600e6369057b1b334d595e5b3df |
| SHA256 | ebc9586690485fa310cc7c365a2433c57cb95f32074e15b282e3f3d05083d891 |
| SHA512 | 2516f278abdbb267082754a8ba17854ddb4627981c2f34be5d6c075c1c33984aa46c3b44d4a404509fede693ef44bcd236950084b74139104ef7b3a20026c547 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RWLN.dll
| MD5 | 534d6f176f6cbc725f9e7db8028cd3f7 |
| SHA1 | 35b53f2e344f4a908a551409d018a91dc58100d5 |
| SHA256 | e713f288a46aad762f76c945467bb3ea7c84edfc56cec1c4c1b40d9f919bdcc0 |
| SHA512 | 1fc1bd8d094d458541596322588750ecc66a2b3f809b0361a5c104adf72972c4bf2f08e4b58f347e56afd4e8019942ba0ba3346a85169958de1cedfde5a15849 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe
| MD5 | 3c5850ef227bb206e507551c471ee8df |
| SHA1 | 8943aab98043f28918a0c8d31d7a0076b5bffb1c |
| SHA256 | a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445 |
| SHA512 | aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RIPCServer.dll
| MD5 | 435d9e1fd4b87308f0f91da25530d4ec |
| SHA1 | a9b0c513b930f4c2ef86cb75a8de1fe16eb6d996 |
| SHA256 | 05040b677d7697b4f97da173c6c07146d3bde327833fd2022bf2cb67f90389ca |
| SHA512 | 9a84f8e75c855ca4d3892591e4d2ed4d37368d8ed8c28fd48093534a8283c21a483ab50d930adc10d8dda5fb25338dd247004fdf08dd9f60cf038a0b61fba33f |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Portuguese.lg
| MD5 | 18e6affb3bee46aeaf86efb1977f358b |
| SHA1 | 0df0b1fb0e3e59bc2f52d2a2bdadd29bf0adebc7 |
| SHA256 | c6e7b98ea6fd6bd60d26c46ba6432000cf4c47c5ba137fb63e905cfc2b3d36ba |
| SHA512 | fb6428024e22b48c0a66f556973fb434a9a33593942541c1a42d175d0335a83152d8247f875138be014c5f9c98167003498717029eb36780cd7a374a3f59e6e4 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Portuguese, Brazilian.lg
| MD5 | 119f5f60b0d87bd3a9e34eefe510cead |
| SHA1 | 07835dce1a48d571d1e8a5a4ff1f47f44bac3992 |
| SHA256 | b9793f0ede71f259dc242c926cdc8f70fdb241a8a0f22c7206fb51b7e0a43002 |
| SHA512 | 5596ab114a4bc5edf98db65e95e2daa367a43034793b07877e3533e98822721ee3293a00760c2367fd3088df681fa0397e1a263efac1fd6850a1e26670cd0678 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Polish.lg
| MD5 | da9d399b473ccff29e6e8f9a5723cbfb |
| SHA1 | d878b4206aaf64384162e96673845e913db34c69 |
| SHA256 | b885b4e1e7bea7c202c71313a60774143dd7cc18d1a0ec8412b47d53016ea3f3 |
| SHA512 | 893122ce6550dddd793668ea7ff68764ca7676de34d8385df42f09eee50e0ce09670e6aca1245331fb18589207b3870b5564896e4d65eedc229648d985314dc7 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Norwegian.lg
| MD5 | 3cdf55746e6889e8fff300e54a287bcc |
| SHA1 | 57c38147c92b86f7bceeb4dbd9ad1d720410b07d |
| SHA256 | d3014f26e0b5bd84f694c8ad18f0de48ce3cbcbaa2f649070f161c64702cae3d |
| SHA512 | df2fe1b2f16238c1de4b3982ed31cca71490eba41fe9588864b3a58f0f5ee8bf6ef28a63528e7bf06524780d19812e8cd3991472a82ed5559a6a32146c04830a |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
| MD5 | 848a53dc549be0386e5da0f49700c389 |
| SHA1 | e918192d2b5c565a9b2756a1d01070c6608f361c |
| SHA256 | faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976 |
| SHA512 | fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633 |
memory/1860-97-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe
| MD5 | 848a53dc549be0386e5da0f49700c389 |
| SHA1 | e918192d2b5c565a9b2756a1d01070c6608f361c |
| SHA256 | faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976 |
| SHA512 | fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633 |
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe
| MD5 | 848a53dc549be0386e5da0f49700c389 |
| SHA1 | e918192d2b5c565a9b2756a1d01070c6608f361c |
| SHA256 | faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976 |
| SHA512 | fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633 |
\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe
| MD5 | 3c5850ef227bb206e507551c471ee8df |
| SHA1 | 8943aab98043f28918a0c8d31d7a0076b5bffb1c |
| SHA256 | a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445 |
| SHA512 | aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a |
\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe
| MD5 | 3c5850ef227bb206e507551c471ee8df |
| SHA1 | 8943aab98043f28918a0c8d31d7a0076b5bffb1c |
| SHA256 | a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445 |
| SHA512 | aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a |
\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe
| MD5 | 3c5850ef227bb206e507551c471ee8df |
| SHA1 | 8943aab98043f28918a0c8d31d7a0076b5bffb1c |
| SHA256 | a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445 |
| SHA512 | aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a |
\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe
| MD5 | 3c5850ef227bb206e507551c471ee8df |
| SHA1 | 8943aab98043f28918a0c8d31d7a0076b5bffb1c |
| SHA256 | a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445 |
| SHA512 | aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a |
memory/824-104-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe
| MD5 | 3c5850ef227bb206e507551c471ee8df |
| SHA1 | 8943aab98043f28918a0c8d31d7a0076b5bffb1c |
| SHA256 | a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445 |
| SHA512 | aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a |
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe
| MD5 | 3c5850ef227bb206e507551c471ee8df |
| SHA1 | 8943aab98043f28918a0c8d31d7a0076b5bffb1c |
| SHA256 | a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445 |
| SHA512 | aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a |
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe
| MD5 | 848a53dc549be0386e5da0f49700c389 |
| SHA1 | e918192d2b5c565a9b2756a1d01070c6608f361c |
| SHA256 | faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976 |
| SHA512 | fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633 |
memory/1776-110-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe
| MD5 | 848a53dc549be0386e5da0f49700c389 |
| SHA1 | e918192d2b5c565a9b2756a1d01070c6608f361c |
| SHA256 | faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976 |
| SHA512 | fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-15 07:20
Reported
2022-04-15 09:25
Platform
win10v2004-20220414-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
RMS
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2884 created 760 | N/A | C:\Windows\system32\svchost.exe | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_6D5B8E0D46046FC4C98A958D41A4CFB6 | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_6D5B8E0D46046FC4C98A958D41A4CFB6 | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8.exe
"C:\Users\Admin\AppData\Local\Temp\0e972efe20db99cff2af7f8d6bbc029e6c107e849045c5c5209f8f0308c8a4a8.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
rfusclient.exe -deploy
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe
"C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe" -run_agent
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe
"C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe -second
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe /tray /user
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | server.remoteutilities.com | udp |
| US | 104.236.34.44:80 | server.remoteutilities.com | tcp |
| FR | 78.198.9.119:5655 | | tcp |
| US | 20.42.65.85:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 13.107.42.16:443 | | tcp |
Files
memory/4860-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd
| MD5 | 9b7ac054975f8f7b6fe9a41a18e2d6e7 |
| SHA1 | d820008d3732f37a7e4030c4bd414e3764de1af7 |
| SHA256 | 815255a94853b2677f84ad15ff188f66a7e1ccd700bc7bf94afa05e2f4992255 |
| SHA512 | 806d3161399eef58c87e7a14b850641c025bd0bfd98b827a16c2323402fc67a11db0b6714887d4a3be029f383ba9bdb75993b86d406208bc295b63f15f969cc9 |
memory/2996-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
| MD5 | 848a53dc549be0386e5da0f49700c389 |
| SHA1 | e918192d2b5c565a9b2756a1d01070c6608f361c |
| SHA256 | faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976 |
| SHA512 | fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Arabic.lg
| MD5 | e51a34c8198ba9a59e53f0503777e75b |
| SHA1 | 83d93b4a520b08efa14b55c80c5db8f85d5ca9e4 |
| SHA256 | 5810c1f2453156015e43dc8844b8463eaa47be877c07834e67723815aa60c5d3 |
| SHA512 | ed8c7684eeb24afae4f8cffccb870192e5ecb918843f2530439398d5cee783cafd375f851c0334ca6f1272196af984e72e3864a388f243cd6d82449151b722bd |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dutch.lg
| MD5 | 00c905e8da73cf386c210d28e3797f6c |
| SHA1 | 512b1c68ad520bbd77733cf71e376333c509c183 |
| SHA256 | 83813ca174f76a126e05f6cca58be24ce2a48a2632e9bf6bfa46a353d01111b6 |
| SHA512 | b302035bd8379ddc18be49575b92cfd0219b6847cbd2d9acb9d6faf26fc0b0774bfae11a599e52266849663c5adf3de2c217ca5214339bb5400daae5ac35363f |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
| MD5 | 848a53dc549be0386e5da0f49700c389 |
| SHA1 | e918192d2b5c565a9b2756a1d01070c6608f361c |
| SHA256 | faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976 |
| SHA512 | fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe
| MD5 | 3c5850ef227bb206e507551c471ee8df |
| SHA1 | 8943aab98043f28918a0c8d31d7a0076b5bffb1c |
| SHA256 | a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445 |
| SHA512 | aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Swedish.lg
| MD5 | 6b46297240dfc309a99b133e94c916c3 |
| SHA1 | ce4f36af4cbf6ebd15cf6e0e6dc8b72e61872027 |
| SHA256 | 88f45f3cc9999a1e35967cd7f33d2d15c0c31b13336fbf93e754e1af8903d9c1 |
| SHA512 | 6f808e7627d4d2ac06ec07f55ca72277c12a80e14fadd2822174349ebd0d5398dfcd73c301a4427a64db59b283f3d04a74be72f96e613db1540aeb9859af338e |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Spanish.lg
| MD5 | 542fb52c74f0f92c5cbe734cf75145b5 |
| SHA1 | 6bca28849913bf4f61b3d48791737a00f9718ee7 |
| SHA256 | c157ce11631f26462c764bab24b0700f019a2213b36a92002d886d156afa7b03 |
| SHA512 | ece3518e30d4ddc210afe82751f4b011d2d67fc8130f619656590c45710e3ac11674026445a33e880d13f60a6156c79923badff8d5f68d119d68ab2728dd7c9d |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\settings.dat
| MD5 | 3024e0d388436f35c9549f9b7332f2f6 |
| SHA1 | f576bab58e560600e6369057b1b334d595e5b3df |
| SHA256 | ebc9586690485fa310cc7c365a2433c57cb95f32074e15b282e3f3d05083d891 |
| SHA512 | 2516f278abdbb267082754a8ba17854ddb4627981c2f34be5d6c075c1c33984aa46c3b44d4a404509fede693ef44bcd236950084b74139104ef7b3a20026c547 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RWLN.dll
| MD5 | 534d6f176f6cbc725f9e7db8028cd3f7 |
| SHA1 | 35b53f2e344f4a908a551409d018a91dc58100d5 |
| SHA256 | e713f288a46aad762f76c945467bb3ea7c84edfc56cec1c4c1b40d9f919bdcc0 |
| SHA512 | 1fc1bd8d094d458541596322588750ecc66a2b3f809b0361a5c104adf72972c4bf2f08e4b58f347e56afd4e8019942ba0ba3346a85169958de1cedfde5a15849 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RIPCServer.dll
| MD5 | 435d9e1fd4b87308f0f91da25530d4ec |
| SHA1 | a9b0c513b930f4c2ef86cb75a8de1fe16eb6d996 |
| SHA256 | 05040b677d7697b4f97da173c6c07146d3bde327833fd2022bf2cb67f90389ca |
| SHA512 | 9a84f8e75c855ca4d3892591e4d2ed4d37368d8ed8c28fd48093534a8283c21a483ab50d930adc10d8dda5fb25338dd247004fdf08dd9f60cf038a0b61fba33f |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Portuguese.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Portuguese, Brazilian.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Polish.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Norwegian.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\logo.png
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Korean.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Japanese.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Italian.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hebrew.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\German.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\French.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EULA.rtf
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\English.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Danish.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Czech.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\config.txt
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chinese Traditional.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chinese Simplified.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\branding.ini
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Turkish.lg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8decoder.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8encoder.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisdecoder.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmmux.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisencoder.dll
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rfusclient.exe
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\98B7032A14\rutserv.exe