Malware Analysis Report

2024-11-15 08:39

Sample ID 220427-wks12abghq
Target b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3
SHA256 b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3
Tags
upx rms aspackv2 rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3

Threat Level: Known bad

The file b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3 was found to be: Known bad.

Malicious Activity Summary

upx rms aspackv2 rat trojan

RMS

ACProtect 1.3x - 1.4x DLL software

ASPack v2.12-2.42

Executes dropped EXE

UPX packed file

Loads dropped DLL

Checks computer location settings

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Delays execution with timeout.exe

Suspicious behavior: SetClipboardViewer

Kills process with taskkill

Runs .reg file with regedit

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-27 17:59

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-27 17:59

Reported

2022-04-27 19:54

Platform

win7-20220414-en

Max time kernel

159s

Max time network

198s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe"

Signatures

RMS

trojan rat rms

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\System\install.vbs C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File created C:\Program Files (x86)\System\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File created C:\Program Files (x86)\System\regedit.reg C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File opened for modification C:\Program Files (x86)\System\install.bat C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File opened for modification C:\Program Files (x86)\System\rutserv.exe C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File opened for modification C:\Program Files (x86)\System\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File created C:\Program Files (x86)\System\rutserv.exe C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File created C:\Program Files (x86)\System\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File created C:\Program Files (x86)\System\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File created C:\Program Files (x86)\System\__tmp_rar_sfx_access_check_7117218 C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File created C:\Program Files (x86)\System\install.bat C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File opened for modification C:\Program Files (x86)\System\install.vbs C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File opened for modification C:\Program Files (x86)\System\regedit.reg C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File opened for modification C:\Program Files (x86)\System C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\System\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe C:\Windows\SysWOW64\WScript.exe
PID 2036 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe C:\Windows\SysWOW64\WScript.exe
PID 2036 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe C:\Windows\SysWOW64\WScript.exe
PID 2036 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe C:\Windows\SysWOW64\WScript.exe
PID 1712 wrote to memory of 1092 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 1092 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 1092 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 1092 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 1092 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 1092 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 1092 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1092 wrote to memory of 904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1092 wrote to memory of 904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1092 wrote to memory of 904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1092 wrote to memory of 904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1092 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1092 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1092 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1092 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1092 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1092 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1092 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1092 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1092 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1092 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1092 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1092 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1092 wrote to memory of 1384 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 1092 wrote to memory of 1384 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 1092 wrote to memory of 1384 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 1092 wrote to memory of 1384 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 1092 wrote to memory of 564 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 1092 wrote to memory of 564 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 1092 wrote to memory of 564 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 1092 wrote to memory of 564 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 1092 wrote to memory of 536 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 1092 wrote to memory of 536 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 1092 wrote to memory of 536 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 1092 wrote to memory of 536 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 1932 wrote to memory of 1032 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1932 wrote to memory of 1032 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1932 wrote to memory of 1032 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1932 wrote to memory of 1032 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1932 wrote to memory of 1324 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1932 wrote to memory of 1324 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1932 wrote to memory of 1324 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1932 wrote to memory of 1324 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1032 wrote to memory of 2032 N/A C:\Program Files (x86)\System\rfusclient.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1032 wrote to memory of 2032 N/A C:\Program Files (x86)\System\rfusclient.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1032 wrote to memory of 2032 N/A C:\Program Files (x86)\System\rfusclient.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1032 wrote to memory of 2032 N/A C:\Program Files (x86)\System\rfusclient.exe C:\Program Files (x86)\System\rfusclient.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe

"C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files (x86)\System\install.bat" "

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /silentinstall

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /firewall

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /start

C:\Program Files (x86)\System\rutserv.exe

"C:\Program Files (x86)\System\rutserv.exe"

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe"

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe" /tray

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe" /tray
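The process list above is the whole install chain in order: the SFX dropper runs install.vbs through WScript, the script runs install.bat, and the batch file kills any running RMS components, wipes the "Remote Manipulator System" service key, imports regedit.reg, waits two seconds, then registers and starts rutserv.exe, which in turn spawns rfusclient.exe /tray. The following is an added hunting example written for this page; it is not code from the sandbox report, from the sample or from the RMS product. It assumes a Sysmon-style process-creation record (pid, ppid, image, command line); SAMPLE_EVENTS is constructed from the behavioral1 "Processes" and "WriteProcessMemory" tables (same PIDs and command lines), and the behavioral2 run shows the same chain with different PIDs. The per-event rules flag the individual commands; the chain correlation ties an install-switch rutserv.exe back to a dropper in a user-writable directory, which is what separates this sample from an operator starting the service by hand.

```python
"""Hunt for the RMS (Remote Manipulator System) silent-install chain that this
report records, using process-creation telemetry.

Added example for this page: not code from the sandbox report, the sample or
the RMS product. The event shape (pid, ppid, image, cmdline) is an assumed
Sysmon-style process-creation record; SAMPLE_EVENTS is constructed from the
behavioral1 "Processes" and "WriteProcessMemory" tables (same PIDs and command
lines). behavioral2 shows the same chain with different PIDs."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 = parent not recorded in the report
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe"
SYS = r"C:\Program Files (x86)\System"
WOW = r"C:\Windows\SysWOW64"

# Constructed from the report. Parent links follow the WriteProcessMemory
# table; PID 1932 is the rutserv.exe instance whose parent the report omits.
SAMPLE_EVENTS = [
    ProcEvent(2036, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1712, 2036, rf"{WOW}\WScript.exe",
              rf'"C:\Windows\System32\WScript.exe" "{SYS}\install.vbs"'),
    ProcEvent(1092, 1712, rf"{WOW}\cmd.exe", rf'cmd /c ""{SYS}\install.bat" "'),
    ProcEvent(904, 1092, rf"{WOW}\taskkill.exe", "taskkill /f /im rutserv.exe"),
    ProcEvent(1388, 1092, rf"{WOW}\taskkill.exe", "taskkill /f /im rfusclient.exe"),
    ProcEvent(628, 1092, rf"{WOW}\reg.exe",
              r'reg delete "HKLM\SYSTEM\Remote Manipulator System" /f'),
    ProcEvent(1696, 1092, rf"{WOW}\regedit.exe", 'regedit /s "regedit.reg"'),
    ProcEvent(1648, 1092, rf"{WOW}\timeout.exe", "timeout 2"),
    ProcEvent(1384, 1092, rf"{SYS}\rutserv.exe", "rutserv.exe /silentinstall"),
    ProcEvent(564, 1092, rf"{SYS}\rutserv.exe", "rutserv.exe /firewall"),
    ProcEvent(536, 1092, rf"{SYS}\rutserv.exe", "rutserv.exe /start"),
    ProcEvent(1932, 0, rf"{SYS}\rutserv.exe", rf'"{SYS}\rutserv.exe"'),
    ProcEvent(1032, 1932, rf"{SYS}\rfusclient.exe", rf'"{SYS}\rfusclient.exe"'),
    ProcEvent(1324, 1932, rf"{SYS}\rfusclient.exe", rf'"{SYS}\rfusclient.exe" /tray'),
    ProcEvent(2032, 1032, rf"{SYS}\rfusclient.exe", rf'"{SYS}\rfusclient.exe" /tray'),
]

# Constructed contrast case: an operator starts the service by hand from
# Explorer. One per-event rule fires, the dropper chain does not.
ADMIN_RUN = [
    ProcEvent(500, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(501, 500, rf"{SYS}\rutserv.exe", "rutserv.exe /start"),
]


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


# Per-event rules: predicate(event, parent_event_or_None) -> bool
RULES = {
    "rms_rutserv_install_switch": lambda e, p: _base(e.image) == "rutserv.exe"
        and re.search(r"/(silentinstall|firewall|start)\b", e.cmdline, re.I) is not None,
    "rms_service_key_reset": lambda e, p: _base(e.image) == "reg.exe"
        and "remote manipulator system" in e.cmdline.lower(),
    "rms_component_taskkill": lambda e, p: _base(e.image) == "taskkill.exe"
        and re.search(r"/im\s+(rutserv|rfusclient)\.exe", e.cmdline, re.I) is not None,
    "regedit_silent_import": lambda e, p: _base(e.image) == "regedit.exe"
        and re.search(r"\s/s\b", e.cmdline, re.I) is not None,
    "rms_client_spawned_by_server": lambda e, p: _base(e.image) == "rfusclient.exe"
        and p is not None and _base(p.image) == "rutserv.exe",
}


def match_rules(events):
    """Return (rule_name, pid) for every event a per-event rule matches."""
    by_pid = {e.pid: e for e in events}
    return [(name, e.pid) for e in events
            for name, pred in RULES.items() if pred(e, by_pid.get(e.ppid))]


def ancestry(pid, by_pid):
    """Events from pid up to the root, child first; stops at an unknown parent
    or a PID-reuse cycle."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.I)


def detect_rms_install_chain(events):
    """Correlate the rules into one verdict: an install-switch rutserv.exe whose
    ancestry is cmd.exe <- wscript.exe <- an executable in a user-writable
    directory is the dropper chain this report shows."""
    by_pid = {e.pid: e for e in events}
    hits = match_rules(events)
    rules = sorted({name for name, _ in hits})
    for name, pid in hits:
        if name != "rms_rutserv_install_switch":
            continue
        chain = ancestry(pid, by_pid)
        names = [_base(e.image) for e in chain]
        if (len(chain) >= 4 and names[1] == "cmd.exe" and names[2] == "wscript.exe"
                and USER_WRITABLE.search(chain[3].image)):
            return {"verdict": "rms_silent_install_chain",
                    "root_pid": chain[3].pid, "dropper": chain[3].image, "rules": rules}
    return {"verdict": "no_chain", "root_pid": None, "dropper": None, "rules": rules}


if __name__ == "__main__":
    for hit in match_rules(SAMPLE_EVENTS):
        print(hit)
    print(detect_rms_install_chain(SAMPLE_EVENTS))
```

Against SAMPLE_EVENTS the per-event rules fire nine times (three rutserv.exe install switches, two taskkills, the reg delete, the silent regedit import, two rfusclient.exe children of the service) and the chain correlation resolves to PID 2036 in AppData\Local\Temp as the root. The ADMIN_RUN case fires only the install-switch rule, which is the point: the single commands are also what a sanctioned RMS deployment looks like, so alert on the chain and treat the individual rules as context.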

Network

Country Destination Domain Proto
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp

Files

memory/2036-54-0x0000000076461000-0x0000000076463000-memory.dmp

memory/1712-55-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\install.vbs

MD5 65fc32766a238ff3e95984e325357dbb
SHA1 3ac16a2648410be8aa75f3e2817fbf69bb0e8922
SHA256 a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420
SHA512 621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

C:\Program Files (x86)\System\install.bat

MD5 99db27d776e103cad354b531ee1f20b9
SHA1 0b82d146df8528f66d1d14756f211fd3a8b1b91a
SHA256 240020a1a1941d1455135b5cb134e502a13b148be16cbb1552482aa03c29f8f3
SHA512 bc2ed33495c0a752397b2f1b9b7ba65f94ea5be82dde74c618342c83b68f1b92a4783b672cd427843533799e1af0875e0fd000b12236852e9e2fa93005d7ac69

memory/1092-59-0x0000000000000000-mapping.dmp

memory/904-60-0x0000000000000000-mapping.dmp

memory/1388-61-0x0000000000000000-mapping.dmp

memory/628-62-0x0000000000000000-mapping.dmp

memory/1696-63-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\regedit.reg

MD5 5e2bd8f8dacf1890a6275b51342fafc5
SHA1 29c2d1d951de808effc17799c6b9790323304ab9
SHA256 a0a3baaf5ec4f7b6614698f55c82e5eb68543da6cd8a3769ad514c38ba1a03a9
SHA512 10d874021238ba2b765f6948df4e56e9fd2d3fe53d61a1f44eb350e62727f1968185babed9f27e715b59158a0314d50d33abd323be00032290708d8fca922e09

memory/1648-66-0x0000000000000000-mapping.dmp

\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/1384-69-0x0000000000000000-mapping.dmp

memory/1384-72-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1384-73-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1384-74-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1384-75-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1384-76-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1384-77-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/564-78-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/564-81-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/564-83-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/564-82-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/564-84-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/564-85-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/564-86-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/536-87-0x0000000000000000-mapping.dmp

memory/536-90-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/536-91-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/536-92-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/536-93-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/536-94-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/1932-97-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1932-98-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1932-99-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1932-100-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1932-101-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\Program Files (x86)\System\vp8decoder.dll

MD5 88318158527985702f61d169434a4940
SHA1 3cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA256 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA512 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

C:\Program Files (x86)\System\vp8encoder.dll

MD5 6298c0af3d1d563834a218a9cc9f54bd
SHA1 0185cd591e454ed072e5a5077b25c612f6849dc9
SHA256 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

memory/1324-108-0x0000000000000000-mapping.dmp

memory/1032-106-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

memory/536-112-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1324-114-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1032-113-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1324-116-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1324-118-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1032-117-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1032-115-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1032-119-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1324-120-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1324-122-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1032-121-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2032-123-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

memory/2032-126-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2032-127-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2032-128-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2032-129-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2032-130-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2032-131-0x0000000000400000-0x00000000009B6000-memory.dmp
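The Network and Files sections above give the indicators worth carrying into an environment-wide sweep: the two vendor hosts the agent resolves and connects to (rmansys.ru over TCP/80 and rms-server.tektonit.ru over TCP/5655), the dropper's SHA256, the SHA256 of every file unpacked into C:\Program Files (x86)\System, and that install path itself. The block below is an added example written for this page, not code from the sandbox report or the RMS product. The key=value log format is assumed and SAMPLE_LOGS is constructed; the indicator values are copied from the behavioral1 Network and Files sections. One caveat it encodes: rmansys.ru and tektonit.ru are the RMS vendor's own hosts, so network hits alone show an RMS agent phoning home, and only the dropped-file hashes or this sample's install directory tie a host to this dropper.

```python
"""Match the network and dropped-file indicators from this report against
DNS, flow and file-hash telemetry, host by host.

Added example for this page: not code from the sandbox report or the RMS
product. The key=value log format is assumed, and SAMPLE_LOGS is constructed
to include true hits and near-misses. Indicator values are copied from the
behavioral1 Network and Files sections."""
import re

# rmansys.ru / tektonit.ru are the RMS vendor's own hosts, so a DNS or flow
# hit means an RMS agent is phoning home, not necessarily this dropper.
DOMAINS = {"rmansys.ru", "rms-server.tektonit.ru"}
ENDPOINTS = {("31.31.198.18", 80), ("95.213.205.83", 5655)}
DROPPER_SHA256 = "b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3"
DROPPED_SHA256 = {
    "1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6": "rutserv.exe",
    "dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9": "rfusclient.exe",
    "4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74": "vp8decoder.dll",
    "81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172": "vp8encoder.dll",
    "a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420": "install.vbs",
    "240020a1a1941d1455135b5cb134e502a13b148be16cbb1552482aa03c29f8f3": "install.bat",
    "a0a3baaf5ec4f7b6614698f55c82e5eb68543da6cd8a3769ad514c38ba1a03a9": "regedit.reg",
}
INSTALL_DIR = "c:\\program files (x86)\\system\\"   # where this sample unpacks

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse key=value pairs; quoted values may contain spaces (paths)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def domain_hit(qname):
    """Exact or subdomain match; 'rmansys.ru.evil.example' must not match."""
    q = qname.lower().rstrip(".")
    return next((d for d in DOMAINS if q == d or q.endswith("." + d)), None)


def match_line(line):
    """Return (host, [indicator tags]) for one log line."""
    f = parse_kv(line)
    tags = []
    kind = f.get("type")
    if kind == "dns":
        d = domain_hit(f.get("qname", ""))
        if d:
            tags.append(f"dns:{d}")
    elif kind == "flow":
        try:
            ep = (f.get("dst"), int(f.get("dport", -1)))
        except ValueError:
            ep = None
        if ep in ENDPOINTS:
            tags.append(f"flow:{ep[0]}:{ep[1]}")
    elif kind == "file":
        h = f.get("sha256", "").lower()
        if h == DROPPER_SHA256:
            tags.append("file:dropper")
        elif h in DROPPED_SHA256:
            tags.append(f"file:dropped:{DROPPED_SHA256[h]}")
        if f.get("path", "").lower().startswith(INSTALL_DIR):
            tags.append("file:install-dir")
    return f.get("host", "?"), tags


def triage(lines):
    """Per-host verdict: file artefacts tie the host to this dropper; vendor
    traffic alone only says an RMS agent is running and needs an ownership check."""
    per_host = {}
    for line in lines:
        host, tags = match_line(line)
        per_host.setdefault(host, set()).update(tags)
    return {host: ("rms_dropper_artifacts" if any(t.startswith("file:") for t in tags)
                   else "rms_agent_traffic" if tags else "clean")
            for host, tags in per_host.items()}


# Constructed sample telemetry (three hosts). WS07 mirrors the report; WS12
# runs RMS from another path and only resolves the vendor site; WS21 is clean.
SAMPLE_LOGS = [
    "type=dns ts=2022-04-27T18:01:02Z host=WS07 qname=rms-server.tektonit.ru",
    "type=dns ts=2022-04-27T18:01:03Z host=WS07 qname=rmansys.ru.cdn-mirror.example",
    "type=flow ts=2022-04-27T18:01:04Z host=WS07 dst=95.213.205.83 dport=5655 proto=tcp",
    r'type=file ts=2022-04-27T18:00:40Z host=WS07 path="C:\Program Files (x86)\System\rutserv.exe" '
    "sha256=1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6",
    "type=dns ts=2022-04-27T18:05:00Z host=WS12 qname=www.rmansys.ru",
    "type=flow ts=2022-04-27T18:05:01Z host=WS12 dst=95.213.205.83 dport=443 proto=tcp",
    r'type=file ts=2022-04-27T18:05:02Z host=WS12 path="C:\Tools\RMS\rutserv.exe" '
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
    "type=dns ts=2022-04-27T18:10:00Z host=WS21 qname=example.com",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(match_line(line))
    print(triage(SAMPLE_LOGS))
```

The domain match is suffix-anchored on a label boundary, so www.rmansys.ru counts but rmansys.ru.cdn-mirror.example does not, and the flow match keys on the full (address, port) pair, so the vendor IP on a port the report never shows is left alone. WS07 ends up as rms_dropper_artifacts because its rutserv.exe hash and path are the ones from this report; WS12 only resolves the vendor site and is reported as rms_agent_traffic, a host to check against the asset inventory rather than a confirmed compromise.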

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-27 17:59

Reported

2022-04-27 19:54

Platform

win10v2004-20220414-en

Max time kernel

193s

Max time network

199s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe"

Signatures

RMS

trojan rat rms

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\System\__tmp_rar_sfx_access_check_240596125 C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File opened for modification C:\Program Files (x86)\System\install.bat C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File opened for modification C:\Program Files (x86)\System\install.vbs C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File created C:\Program Files (x86)\System\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File opened for modification C:\Program Files (x86)\System C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File opened for modification C:\Program Files (x86)\System\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File created C:\Program Files (x86)\System\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File opened for modification C:\Program Files (x86)\System\regedit.reg C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File created C:\Program Files (x86)\System\install.bat C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File created C:\Program Files (x86)\System\install.vbs C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File created C:\Program Files (x86)\System\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File opened for modification C:\Program Files (x86)\System\rutserv.exe C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File created C:\Program Files (x86)\System\rutserv.exe C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A
File created C:\Program Files (x86)\System\regedit.reg C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\System\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3688 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe C:\Windows\SysWOW64\WScript.exe
PID 3688 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe C:\Windows\SysWOW64\WScript.exe
PID 3688 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe C:\Windows\SysWOW64\WScript.exe
PID 3872 wrote to memory of 4680 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3872 wrote to memory of 4680 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3872 wrote to memory of 4680 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 4752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4680 wrote to memory of 4752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4680 wrote to memory of 4752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4680 wrote to memory of 728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4680 wrote to memory of 728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4680 wrote to memory of 728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4680 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4680 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4680 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4680 wrote to memory of 4668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4680 wrote to memory of 4668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4680 wrote to memory of 4668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4680 wrote to memory of 4224 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 4680 wrote to memory of 4224 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 4680 wrote to memory of 4224 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 4680 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 4680 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 4680 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 4680 wrote to memory of 3420 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 4680 wrote to memory of 3420 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 4680 wrote to memory of 3420 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 448 wrote to memory of 4156 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 448 wrote to memory of 4156 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 448 wrote to memory of 4156 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 448 wrote to memory of 4248 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 448 wrote to memory of 4248 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 448 wrote to memory of 4248 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 4156 wrote to memory of 1080 N/A C:\Program Files (x86)\System\rfusclient.exe C:\Program Files (x86)\System\rfusclient.exe
PID 4156 wrote to memory of 1080 N/A C:\Program Files (x86)\System\rfusclient.exe C:\Program Files (x86)\System\rfusclient.exe
PID 4156 wrote to memory of 1080 N/A C:\Program Files (x86)\System\rfusclient.exe C:\Program Files (x86)\System\rfusclient.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe

"C:\Users\Admin\AppData\Local\Temp\b2edb4fbce81855d476856b1aa8f298084a4aa6e46b987554dafe8187f5cfab3.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\System\install.bat" "

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /silentinstall

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /firewall

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /start

C:\Program Files (x86)\System\rutserv.exe

"C:\Program Files (x86)\System\rutserv.exe"

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe" /tray

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe"

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe" /tray

Network

Country Destination Domain Proto
NL 20.190.160.73:443 tcp
US 8.238.111.254:80 tcp
GB 51.105.71.136:443 tcp
US 8.238.111.254:80 tcp
US 8.238.111.254:80 tcp
US 8.238.111.254:80 tcp
US 93.184.220.29:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp

Files

C:\Program Files (x86)\System\install.vbs

MD5 65fc32766a238ff3e95984e325357dbb
SHA1 3ac16a2648410be8aa75f3e2817fbf69bb0e8922
SHA256 a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420
SHA512 621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

C:\Program Files (x86)\System\install.bat

MD5 99db27d776e103cad354b531ee1f20b9
SHA1 0b82d146df8528f66d1d14756f211fd3a8b1b91a
SHA256 240020a1a1941d1455135b5cb134e502a13b148be16cbb1552482aa03c29f8f3
SHA512 bc2ed33495c0a752397b2f1b9b7ba65f94ea5be82dde74c618342c83b68f1b92a4783b672cd427843533799e1af0875e0fd000b12236852e9e2fa93005d7ac69

C:\Program Files (x86)\System\regedit.reg

MD5 5e2bd8f8dacf1890a6275b51342fafc5
SHA1 29c2d1d951de808effc17799c6b9790323304ab9
SHA256 a0a3baaf5ec4f7b6614698f55c82e5eb68543da6cd8a3769ad514c38ba1a03a9
SHA512 10d874021238ba2b765f6948df4e56e9fd2d3fe53d61a1f44eb350e62727f1968185babed9f27e715b59158a0314d50d33abd323be00032290708d8fca922e09

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

C:\Program Files (x86)\System\vp8decoder.dll

MD5 88318158527985702f61d169434a4940
SHA1 3cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA256 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA512 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

C:\Program Files (x86)\System\vp8encoder.dll

MD5 6298c0af3d1d563834a218a9cc9f54bd
SHA1 0185cd591e454ed072e5a5077b25c612f6849dc9
SHA256 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe
