Malware Analysis Report

2024-11-15 08:39

Sample ID 220502-d6schsbdh7
Target 84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add
SHA256 84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add
Tags
rms aspackv2 evasion rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add

Threat Level: Known bad

The file 84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add was found to be: Known bad.

Malicious Activity Summary

rms aspackv2 evasion rat trojan

RMS

Identifies VirtualBox via ACPI registry values (likely anti-VM)

ASPack v2.12-2.42

Executes dropped EXE

Sets file to hidden

Checks BIOS information in registry

Identifies Wine through registry keys

Loads dropped DLL

Checks computer location settings

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Enumerates physical storage devices

Runs .reg file with regedit

Delays execution with timeout.exe

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Suspicious behavior: SetClipboardViewer

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-02 03:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-02 03:37

Reported

2022-05-02 03:40

Platform

win7-20220414-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe"

Signatures

RMS

trojan rat rms

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

ASPack v2.12-2.42

aspackv2

Sets file to hidden

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\ProgramData\App\rutserv.exe N/A
N/A N/A C:\ProgramData\App\rutserv.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe N/A

Launches sc.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\ProgramData\App\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\App\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\App\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\App\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\App\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\App\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1836 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe C:\Windows\SysWOW64\cmd.exe
PID 1764 wrote to memory of 1580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1764 wrote to memory of 1580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1764 wrote to memory of 1580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1764 wrote to memory of 1580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1764 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 1780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 1780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 1780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 1780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 1068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 1068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 1068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 1068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1764 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1764 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1764 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1764 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1764 wrote to memory of 1132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1764 wrote to memory of 1132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1764 wrote to memory of 1132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1764 wrote to memory of 1132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1764 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1764 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1764 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1764 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1764 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1764 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1764 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1764 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1764 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 1764 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 1764 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 1764 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 1764 wrote to memory of 928 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 1764 wrote to memory of 928 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 1764 wrote to memory of 928 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 1764 wrote to memory of 928 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 1764 wrote to memory of 1692 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 1764 wrote to memory of 1692 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 1764 wrote to memory of 1692 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 1764 wrote to memory of 1692 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 1844 wrote to memory of 1532 N/A C:\ProgramData\App\rutserv.exe C:\ProgramData\App\rfusclient.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe

"C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\ProgramData\App\install.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib -r -a -s -h "C:\ProgramData\App\install.bat" /S /D

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\System Corporation Update" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\ProgramData\App\rutserv.exe

rutserv.exe /silentinstall

C:\ProgramData\App\rutserv.exe

rutserv.exe /firewall

C:\ProgramData\App\rutserv.exe

rutserv.exe /start

C:\ProgramData\App\rutserv.exe

C:\ProgramData\App\rutserv.exe

C:\ProgramData\App\rfusclient.exe

C:\ProgramData\App\rfusclient.exe /tray

C:\ProgramData\App\rfusclient.exe

C:\ProgramData\App\rfusclient.exe

C:\Windows\SysWOW64\sc.exe

sc config RManService start= auto

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\ProgramData\App" /S /D

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\ProgramData\App\rutserv.exe" /S /D

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\ProgramData\App\rfusclient.exe" /S /D

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\ProgramData\App\vp8decoder.dll" /S /D

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\ProgramData\App\vp8encoder.dll" /S /D

C:\ProgramData\App\rfusclient.exe

C:\ProgramData\App\rfusclient.exe /tray
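The install.bat chain listed above (attrib, taskkill of rutserv.exe/rfusclient.exe, reg delete of the "Remote Manipulator System" key, regedit /s, timeout, rutserv.exe /silentinstall, /firewall and /start, sc config RManService start= auto, then attrib +h on C:\ProgramData\App) is a dependable hunting pattern. The Python below is an added example, not part of the sandbox report and not RMS code: it takes process-creation events of the kind Sysmon event 1 or Windows 4688 provide, matches each distinctive step, groups hits by the process that launched the batch (looking through cmd.exe), and raises a verdict only when the silent install co-occurs with other steps. The event list is constructed from the process list above; the PIDs shown in the WriteProcessMemory table are reused, while the dropper's parent (1200), sc.exe (812), the trailing attrib (1524) and the unrelated admin activity (900/2100/2140) are assumed.

```python
"""Added example: flag the RMS silent-install chain from process-creation events."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# One regex per distinctive install.bat step; case-insensitive because cmd.exe is.
RULES = {
    "kill_rms_components":    re.compile(r"taskkill\s+/f\s+/im\s+(?:rutserv|rfusclient)\.exe", re.I),
    "delete_rms_regkey":      re.compile(r'reg\s+delete\s+"HKLM\\SYSTEM\\Remote Manipulator System"', re.I),
    "silent_reg_import":      re.compile(r"regedit(?:\.exe)?\s+/s\b", re.I),
    "rms_silent_install":     re.compile(r"rutserv(?:\.exe)?\s+/silentinstall\b", re.I),
    "rms_firewall_exception": re.compile(r"rutserv(?:\.exe)?\s+/firewall\b", re.I),
    "rms_service_autostart":  re.compile(r"sc\s+config\s+RManService\s+start=\s*auto", re.I),
    "hide_programdata_app":   re.compile(r'attrib\s+(?:\+[rash]\s+)*\+h\s+(?:\+[rash]\s+)*"C:\\ProgramData\\App', re.I),
}
INTERPRETERS = {"cmd.exe"}  # parents looked through to find who launched the batch

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe"
SYS = r"C:\Windows\SysWOW64"
APP = r"C:\ProgramData\App"

# Constructed from the process list in the report. PIDs 1200, 812, 1524 and the
# 900/2100/2140 admin activity are assumed; the others come from the report.
SAMPLE_EVENTS = [
    ProcEvent(1836, 1200, DROPPER, f'"{DROPPER}"'),
    ProcEvent(1764, 1836, SYS + r"\cmd.exe", r'cmd /c ""C:\ProgramData\App\install.bat" "'),
    ProcEvent(1580, 1764, SYS + r"\attrib.exe", r'attrib -r -a -s -h "C:\ProgramData\App\install.bat" /S /D'),
    ProcEvent(1872, 1764, SYS + r"\taskkill.exe", "taskkill /f /im rutserv.exe"),
    ProcEvent(1348, 1764, SYS + r"\taskkill.exe", "taskkill /f /im rfusclient.exe"),
    ProcEvent(1540, 1764, SYS + r"\reg.exe", r'reg delete "HKLM\SYSTEM\Remote Manipulator System" /f'),
    ProcEvent(1132, 1764, SYS + r"\reg.exe", r'reg delete "HKLM\SYSTEM\System Corporation Update" /f'),
    ProcEvent(628,  1764, SYS + r"\regedit.exe", 'regedit /s "regedit.reg"'),
    ProcEvent(1596, 1764, SYS + r"\timeout.exe", "timeout 2"),
    ProcEvent(1896, 1764, APP + r"\rutserv.exe", "rutserv.exe /silentinstall"),
    ProcEvent(928,  1764, APP + r"\rutserv.exe", "rutserv.exe /firewall"),
    ProcEvent(1692, 1764, APP + r"\rutserv.exe", "rutserv.exe /start"),
    ProcEvent(812,  1764, SYS + r"\sc.exe", "sc config RManService start= auto"),
    ProcEvent(1524, 1764, SYS + r"\attrib.exe", r'attrib +r +a +s +h "C:\ProgramData\App" /S /D'),
    # Unrelated admin activity (constructed): a lone regedit /s must not raise the verdict.
    ProcEvent(2100, 900,  SYS + r"\cmd.exe", "cmd /c C:\\Temp\\apply_policy.cmd"),
    ProcEvent(2140, 2100, SYS + r"\regedit.exe", r'regedit /s "C:\Temp\policy.reg"'),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def chain_owner(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> int:
    """Walk up through interpreter parents (cmd.exe) to the process that started the batch."""
    cur = ev
    while cur.ppid in by_pid and basename(by_pid[cur.ppid].image) in INTERPRETERS:
        cur = by_pid[cur.ppid]
    return cur.ppid  # first non-interpreter parent, or the top of the recorded tree


def analyze(events: List[ProcEvent]) -> Dict[int, dict]:
    """Return, per chain owner PID, the rules that fired, the child PIDs, and a verdict."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, Dict[str, List[int]]] = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev.cmdline):
                hits[chain_owner(ev, by_pid)][name].append(ev.pid)
    report = {}
    for owner, rules in hits.items():
        names = sorted(rules)
        report[owner] = {
            "owner_image": by_pid[owner].image if owner in by_pid else None,
            "rules": names,
            "child_pids": sorted(p for ps in rules.values() for p in ps),
            # The silent install plus at least two other steps is the chain; a single
            # LOLBin use (regedit /s, sc config) on its own is routine administration.
            "verdict": "rms_silent_install" in rules and len(names) >= 3,
        }
    return report


if __name__ == "__main__":
    for owner, r in analyze(SAMPLE_EVENTS).items():
        print(owner, r["owner_image"], "ALERT" if r["verdict"] else "info", r["rules"])
```

Extend INTERPRETERS with powershell.exe or wscript.exe if the batch is launched through another script host; the threshold is deliberately loose on individual steps and strict on the combination, which is what separates this chain from an administrator using the same binaries.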

Network

Country Destination Domain Proto
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp

Files

memory/1836-54-0x0000000076011000-0x0000000076013000-memory.dmp

memory/1764-55-0x0000000000000000-mapping.dmp

C:\ProgramData\App\install.bat

MD5 6ec51eea8e8ca78d0086df72e0b10228
SHA1 b7c5a2e76841bb1100a846490f79b5de5f90f128
SHA256 6d13d9ad28789125fb70e0fdbfa7ee0e1a1c99c7161c0cbeddeb25eb1d7f1498
SHA512 6cfefcedd2433afed69f02abc4d2259fd124730ddcb74444d41c1be827bc385ff89e1d8c4646615c73d0d2fa6681045100d2da3f03320628894310e4a7e6a105

memory/1580-57-0x0000000000000000-mapping.dmp

memory/1872-58-0x0000000000000000-mapping.dmp

memory/1348-59-0x0000000000000000-mapping.dmp

memory/1780-60-0x0000000000000000-mapping.dmp

memory/1704-61-0x0000000000000000-mapping.dmp

memory/1068-62-0x0000000000000000-mapping.dmp

memory/2000-63-0x0000000000000000-mapping.dmp

memory/1540-64-0x0000000000000000-mapping.dmp

memory/1132-65-0x0000000000000000-mapping.dmp

memory/628-66-0x0000000000000000-mapping.dmp

C:\ProgramData\App\regedit.reg

MD5 64c927360c077b3e766b1a4a9bdf8f3a
SHA1 0bb94ae83d4d4223f5908269a1ab6fdf79405a66
SHA256 f8abc166a4efc51f2c6066d7f989c34eb1bdfe95adda8a6c3766e8a956ab6fb9
SHA512 3cf275d0c741615b75197dc257d4b1d851ade9fa848eae64eeeb4412d431bd43c3fac21aa1ade8941f1b6d2d765d2413f97e2fd209b141dc2fe721f5fae97cd1

memory/1596-69-0x0000000000000000-mapping.dmp

memory/1836-70-0x0000000077DC0000-0x0000000077F40000-memory.dmp

memory/1836-71-0x0000000000400000-0x0000000001718000-memory.dmp

\ProgramData\App\rutserv.exe

MD5 5c4b2152e37d7c74df6e5267a8d0dd61
SHA1 711ab9242b93cf065aa19f79388f090d07ee35b4
SHA256 200693ef7ea77607661536c9f1193ce6d9f77d3a949fbbdd3e7163dbc66ebdf5
SHA512 743ca60ebffe70bc7fc52eceacc01c887d377e8a8259bac39d1877e83e86eb9dc4e519a986d08db9e07438ca858e7b9f1c930f89642f06788b93c603437e2b0a

C:\ProgramData\App\rutserv.exe

MD5 5c4b2152e37d7c74df6e5267a8d0dd61
SHA1 711ab9242b93cf065aa19f79388f090d07ee35b4
SHA256 200693ef7ea77607661536c9f1193ce6d9f77d3a949fbbdd3e7163dbc66ebdf5
SHA512 743ca60ebffe70bc7fc52eceacc01c887d377e8a8259bac39d1877e83e86eb9dc4e519a986d08db9e07438ca858e7b9f1c930f89642f06788b93c603437e2b0a

memory/1896-74-0x0000000000000000-mapping.dmp

C:\ProgramData\App\rutserv.exe

MD5 5c4b2152e37d7c74df6e5267a8d0dd61
SHA1 711ab9242b93cf065aa19f79388f090d07ee35b4
SHA256 200693ef7ea77607661536c9f1193ce6d9f77d3a949fbbdd3e7163dbc66ebdf5
SHA512 743ca60ebffe70bc7fc52eceacc01c887d377e8a8259bac39d1877e83e86eb9dc4e519a986d08db9e07438ca858e7b9f1c930f89642f06788b93c603437e2b0a

memory/1896-77-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1896-78-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1896-79-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1896-80-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1896-81-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1896-82-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\ProgramData\App\rutserv.exe

MD5 5c4b2152e37d7c74df6e5267a8d0dd61
SHA1 711ab9242b93cf065aa19f79388f090d07ee35b4
SHA256 200693ef7ea77607661536c9f1193ce6d9f77d3a949fbbdd3e7163dbc66ebdf5
SHA512 743ca60ebffe70bc7fc52eceacc01c887d377e8a8259bac39d1877e83e86eb9dc4e519a986d08db9e07438ca858e7b9f1c930f89642f06788b93c603437e2b0a

memory/928-83-0x0000000000000000-mapping.dmp

memory/928-86-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/928-87-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/928-88-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/928-89-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/928-90-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/928-91-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\ProgramData\App\rutserv.exe

MD5 5c4b2152e37d7c74df6e5267a8d0dd61
SHA1 711ab9242b93cf065aa19f79388f090d07ee35b4
SHA256 200693ef7ea77607661536c9f1193ce6d9f77d3a949fbbdd3e7163dbc66ebdf5
SHA512 743ca60ebffe70bc7fc52eceacc01c887d377e8a8259bac39d1877e83e86eb9dc4e519a986d08db9e07438ca858e7b9f1c930f89642f06788b93c603437e2b0a

memory/1692-92-0x0000000000000000-mapping.dmp

memory/1692-95-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1692-96-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1692-97-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1692-98-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1692-99-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\ProgramData\App\rutserv.exe

MD5 5c4b2152e37d7c74df6e5267a8d0dd61
SHA1 711ab9242b93cf065aa19f79388f090d07ee35b4
SHA256 200693ef7ea77607661536c9f1193ce6d9f77d3a949fbbdd3e7163dbc66ebdf5
SHA512 743ca60ebffe70bc7fc52eceacc01c887d377e8a8259bac39d1877e83e86eb9dc4e519a986d08db9e07438ca858e7b9f1c930f89642f06788b93c603437e2b0a

memory/1844-102-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1844-103-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1844-104-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1844-105-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1844-106-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\ProgramData\App\rfusclient.exe

MD5 0930e28f2efa09ff724051b0ffee2517
SHA1 97180a268f10d37c4e331edb0201a03ad9de6083
SHA256 a506b37e9f01a908481f685ef1f75feb7cb3270abe2deede292299ad0829a14e
SHA512 e46982c6abf5328faa447065f532b7b6e1dddb53f31856da9b174a1f483f6b7b6f2c2bc19257dfa3148d3bbb55f2c02b095b6ef1318a1a7f952ae55f63837a0f

C:\ProgramData\App\vp8encoder.dll

MD5 dab4646806dfca6d0e0b4d80fa9209d6
SHA1 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256 cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512 aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

C:\ProgramData\App\vp8decoder.dll

MD5 d43fa82fab5337ce20ad14650085c5d9
SHA1 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256 c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

\ProgramData\App\rfusclient.exe

MD5 0930e28f2efa09ff724051b0ffee2517
SHA1 97180a268f10d37c4e331edb0201a03ad9de6083
SHA256 a506b37e9f01a908481f685ef1f75feb7cb3270abe2deede292299ad0829a14e
SHA512 e46982c6abf5328faa447065f532b7b6e1dddb53f31856da9b174a1f483f6b7b6f2c2bc19257dfa3148d3bbb55f2c02b095b6ef1318a1a7f952ae55f63837a0f

memory/1532-111-0x0000000000000000-mapping.dmp

memory/1736-113-0x0000000000000000-mapping.dmp

\ProgramData\App\rfusclient.exe

MD5 0930e28f2efa09ff724051b0ffee2517
SHA1 97180a268f10d37c4e331edb0201a03ad9de6083
SHA256 a506b37e9f01a908481f685ef1f75feb7cb3270abe2deede292299ad0829a14e
SHA512 e46982c6abf5328faa447065f532b7b6e1dddb53f31856da9b174a1f483f6b7b6f2c2bc19257dfa3148d3bbb55f2c02b095b6ef1318a1a7f952ae55f63837a0f

C:\ProgramData\App\rfusclient.exe

MD5 0930e28f2efa09ff724051b0ffee2517
SHA1 97180a268f10d37c4e331edb0201a03ad9de6083
SHA256 a506b37e9f01a908481f685ef1f75feb7cb3270abe2deede292299ad0829a14e
SHA512 e46982c6abf5328faa447065f532b7b6e1dddb53f31856da9b174a1f483f6b7b6f2c2bc19257dfa3148d3bbb55f2c02b095b6ef1318a1a7f952ae55f63837a0f

C:\ProgramData\App\rfusclient.exe

MD5 0930e28f2efa09ff724051b0ffee2517
SHA1 97180a268f10d37c4e331edb0201a03ad9de6083
SHA256 a506b37e9f01a908481f685ef1f75feb7cb3270abe2deede292299ad0829a14e
SHA512 e46982c6abf5328faa447065f532b7b6e1dddb53f31856da9b174a1f483f6b7b6f2c2bc19257dfa3148d3bbb55f2c02b095b6ef1318a1a7f952ae55f63837a0f

memory/1692-118-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/964-119-0x0000000000000000-mapping.dmp

memory/1736-120-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1532-122-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1532-124-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1532-128-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1736-127-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1532-129-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1532-126-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1736-125-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1736-123-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1736-121-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/812-130-0x0000000000000000-mapping.dmp

memory/1756-134-0x0000000000000000-mapping.dmp

memory/768-133-0x0000000000000000-mapping.dmp

memory/1696-132-0x0000000000000000-mapping.dmp

memory/1524-131-0x0000000000000000-mapping.dmp

memory/828-135-0x0000000000000000-mapping.dmp

C:\ProgramData\App\rfusclient.exe

MD5 0930e28f2efa09ff724051b0ffee2517
SHA1 97180a268f10d37c4e331edb0201a03ad9de6083
SHA256 a506b37e9f01a908481f685ef1f75feb7cb3270abe2deede292299ad0829a14e
SHA512 e46982c6abf5328faa447065f532b7b6e1dddb53f31856da9b174a1f483f6b7b6f2c2bc19257dfa3148d3bbb55f2c02b095b6ef1318a1a7f952ae55f63837a0f

memory/828-138-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/828-139-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/828-140-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/828-141-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/828-142-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/828-143-0x0000000000400000-0x00000000009B6000-memory.dmp
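The Files listing above repeats each dropped file once per write event (rutserv.exe six times, rfusclient.exe seven, once without a drive letter) and names every memory dump the sandbox took. The Python below is an added example, not part of the sandbox report: it parses that listing into unique files keyed by SHA256 with every path each hash was seen at, one (start, end, size) per distinct dumped region per PID, a count of mapping-only dumps, and flat IOC lines suitable for a blocklist. It also records malformed digests instead of silently accepting them. The excerpt it runs on is constructed from the behavioral1 Files section (hashes copied from the report); the parser itself is general.

```python
"""Added example: de-duplicate a sandbox 'Files' listing into an IOC summary."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed excerpt of the Files section above; every hash is copied from the report.
FILES_EXCERPT = r"""
memory/1836-54-0x0000000076011000-0x0000000076013000-memory.dmp
memory/1764-55-0x0000000000000000-mapping.dmp
C:\ProgramData\App\install.bat
MD5 6ec51eea8e8ca78d0086df72e0b10228
SHA1 b7c5a2e76841bb1100a846490f79b5de5f90f128
SHA256 6d13d9ad28789125fb70e0fdbfa7ee0e1a1c99c7161c0cbeddeb25eb1d7f1498
SHA512 6cfefcedd2433afed69f02abc4d2259fd124730ddcb74444d41c1be827bc385ff89e1d8c4646615c73d0d2fa6681045100d2da3f03320628894310e4a7e6a105
memory/1836-71-0x0000000000400000-0x0000000001718000-memory.dmp
\ProgramData\App\rutserv.exe
MD5 5c4b2152e37d7c74df6e5267a8d0dd61
SHA1 711ab9242b93cf065aa19f79388f090d07ee35b4
SHA256 200693ef7ea77607661536c9f1193ce6d9f77d3a949fbbdd3e7163dbc66ebdf5
SHA512 743ca60ebffe70bc7fc52eceacc01c887d377e8a8259bac39d1877e83e86eb9dc4e519a986d08db9e07438ca858e7b9f1c930f89642f06788b93c603437e2b0a
C:\ProgramData\App\rutserv.exe
MD5 5c4b2152e37d7c74df6e5267a8d0dd61
SHA1 711ab9242b93cf065aa19f79388f090d07ee35b4
SHA256 200693ef7ea77607661536c9f1193ce6d9f77d3a949fbbdd3e7163dbc66ebdf5
SHA512 743ca60ebffe70bc7fc52eceacc01c887d377e8a8259bac39d1877e83e86eb9dc4e519a986d08db9e07438ca858e7b9f1c930f89642f06788b93c603437e2b0a
memory/1896-74-0x0000000000000000-mapping.dmp
memory/1896-77-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1896-78-0x0000000000400000-0x0000000000AB9000-memory.dmp
C:\ProgramData\App\rfusclient.exe
MD5 0930e28f2efa09ff724051b0ffee2517
SHA1 97180a268f10d37c4e331edb0201a03ad9de6083
SHA256 a506b37e9f01a908481f685ef1f75feb7cb3270abe2deede292299ad0829a14e
SHA512 e46982c6abf5328faa447065f532b7b6e1dddb53f31856da9b174a1f483f6b7b6f2c2bc19257dfa3148d3bbb55f2c02b095b6ef1318a1a7f952ae55f63837a0f
memory/1532-122-0x0000000000400000-0x00000000009B6000-memory.dmp
"""

MEM_RX = re.compile(r"^memory/(\d+)-\d+-0x([0-9a-fA-F]+)-(?:0x([0-9a-fA-F]+)-memory|mapping)\.dmp$")
HASH_RX = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
PATH_RX = re.compile(r"^(?:[A-Za-z]:)?\\")  # "C:\..." or a drive-less "\ProgramData\..."
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text: str) -> dict:
    files: Dict[str, dict] = {}                 # sha256 -> md5/sha1/sha512/paths
    regions: Dict[int, set] = defaultdict(set)  # pid -> {(start, end)} of dumped regions
    mappings: Dict[int, int] = defaultdict(int) # pid -> number of mapping-only dumps
    warnings: List[str] = []
    path, hashes = None, {}

    def flush():  # close the current file entry, merging it by SHA256
        nonlocal path, hashes
        if path and "SHA256" in hashes:
            e = files.setdefault(hashes["SHA256"], {"md5": hashes.get("MD5"), "sha1": hashes.get("SHA1"),
                                                   "sha512": hashes.get("SHA512"), "paths": []})
            if path not in e["paths"]:
                e["paths"].append(path)
        path, hashes = None, {}

    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if (m := MEM_RX.match(line)):
            flush()
            pid, start, end = int(m.group(1)), int(m.group(2), 16), m.group(3)
            if end is None:
                mappings[pid] += 1
            else:
                regions[pid].add((start, int(end, 16)))
        elif (m := HASH_RX.match(line)) and path is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                warnings.append(f"{path}: {algo} digest has length {len(digest)}")
            else:
                hashes[algo] = digest
        elif PATH_RX.match(line):
            flush()
            path = line
    flush()
    return {"files": files,
            "regions": {pid: sorted((s, e, e - s) for s, e in rs) for pid, rs in regions.items()},
            "mappings": dict(mappings), "warnings": warnings}


def ioc_lines(summary: dict) -> List[str]:
    """'<sha256> <basename...>' per unique file, for a blocklist or a YARA/hash feed."""
    out = []
    for sha, e in sorted(summary["files"].items()):
        names = sorted({p.rsplit("\\", 1)[-1] for p in e["paths"]})
        out.append(f"{sha} {' '.join(names)}")
    return out


if __name__ == "__main__":
    s = parse_files_section(FILES_EXCERPT)
    print("\n".join(ioc_lines(s)))
    for pid, rs in sorted(s["regions"].items()):
        print(pid, [(hex(a), hex(b), hex(n)) for a, b, n in rs])
```

Feeding the whole Files section in gives the six unique artefacts (install.bat, regedit.reg, rutserv.exe, rfusclient.exe, vp8encoder.dll, vp8decoder.dll) and shows that the dropper's 0x400000 region is about 19 MiB while rutserv.exe and rfusclient.exe occupy roughly 6.7 MiB and 5.7 MiB, which is worth knowing before you try to carve the ASPack-unpacked image out of the PID 1836 dump.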

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-02 03:37

Reported

2022-05-02 03:40

Platform

win10v2004-20220414-en

Max time kernel

148s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe"

Signatures

RMS

trojan rat rms

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

ASPack v2.12-2.42

aspackv2

Sets file to hidden

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\rutserv.pdb C:\ProgramData\App\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\exe\rutserv.pdb C:\ProgramData\App\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\exe\rutserv.pdb C:\ProgramData\App\rutserv.exe N/A

These three paths are exactly the order in which the DbgHelp symbol loader probes a search directory for a module's PDB (dir\name.pdb, dir\exe\name.pdb, dir\symbols\exe\name.pdb), so the hit is consistent with rutserv.exe resolving its own symbols from a System32 working directory rather than with a payload being written there; weight it accordingly. This interpretation is added here and is not a sandbox finding.

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe N/A

Launches sc.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\ProgramData\App\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\App\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\App\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\App\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\App\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\App\rutserv.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2824 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe C:\Windows\SysWOW64\cmd.exe
PID 3544 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3544 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3544 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3544 wrote to memory of 740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3544 wrote to memory of 740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3544 wrote to memory of 740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3544 wrote to memory of 624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3544 wrote to memory of 624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3544 wrote to memory of 624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3544 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3544 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3544 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3544 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3544 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3544 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3544 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3544 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3544 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3544 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3544 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3544 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3544 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3544 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3544 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3544 wrote to memory of 100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3544 wrote to memory of 100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3544 wrote to memory of 100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3544 wrote to memory of 224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3544 wrote to memory of 224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3544 wrote to memory of 224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3544 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3544 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3544 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3544 wrote to memory of 4928 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 3544 wrote to memory of 4928 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 3544 wrote to memory of 4928 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 3544 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 3544 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 3544 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 3544 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 3544 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 3544 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 3188 wrote to memory of 4668 N/A C:\ProgramData\App\rutserv.exe C:\ProgramData\App\rfusclient.exe
PID 3188 wrote to memory of 4668 N/A C:\ProgramData\App\rutserv.exe C:\ProgramData\App\rfusclient.exe
PID 3188 wrote to memory of 4668 N/A C:\ProgramData\App\rutserv.exe C:\ProgramData\App\rfusclient.exe
PID 3188 wrote to memory of 1716 N/A C:\ProgramData\App\rutserv.exe C:\ProgramData\App\rfusclient.exe
PID 3188 wrote to memory of 1716 N/A C:\ProgramData\App\rutserv.exe C:\ProgramData\App\rfusclient.exe
PID 3188 wrote to memory of 1716 N/A C:\ProgramData\App\rutserv.exe C:\ProgramData\App\rfusclient.exe
PID 3544 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3544 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3544 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3544 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3544 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3544 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3544 wrote to memory of 756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3544 wrote to memory of 756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3544 wrote to memory of 756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3544 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3544 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3544 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3544 wrote to memory of 4972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe

"C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\App\install.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib -r -a -s -h "C:\ProgramData\App\install.bat" /S /D

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\System Corporation Update" /f

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\ProgramData\App\rutserv.exe

rutserv.exe /silentinstall

C:\ProgramData\App\rutserv.exe

rutserv.exe /firewall

C:\ProgramData\App\rutserv.exe

rutserv.exe /start

C:\ProgramData\App\rutserv.exe

C:\ProgramData\App\rutserv.exe

C:\ProgramData\App\rfusclient.exe

C:\ProgramData\App\rfusclient.exe

C:\ProgramData\App\rfusclient.exe

C:\ProgramData\App\rfusclient.exe /tray

C:\Windows\SysWOW64\sc.exe

sc config RManService start= auto

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\ProgramData\App" /S /D

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\ProgramData\App\rutserv.exe" /S /D

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\ProgramData\App\rfusclient.exe" /S /D

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\ProgramData\App\vp8decoder.dll" /S /D

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\ProgramData\App\vp8encoder.dll" /S /D

C:\ProgramData\App\rfusclient.exe

C:\ProgramData\App\rfusclient.exe /tray

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c sc config RManService start= auto

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c sc config RManService start= auto

C:\Windows\SysWOW64\sc.exe

sc config RManService start= auto

C:\Windows\SysWOW64\sc.exe

sc config RManService start= auto

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
RU 95.213.205.83:563 rms-server.tektonit.ru tcp
US 8.8.8.8:53 unayt.ru udp
RU 91.227.18.139:80 unayt.ru tcp

Files

memory/2824-130-0x0000000077440000-0x00000000775E3000-memory.dmp

memory/2824-131-0x0000000000400000-0x0000000001718000-memory.dmp

memory/3544-132-0x0000000000000000-mapping.dmp

C:\ProgramData\App\install.bat

MD5 6ec51eea8e8ca78d0086df72e0b10228
SHA1 b7c5a2e76841bb1100a846490f79b5de5f90f128
SHA256 6d13d9ad28789125fb70e0fdbfa7ee0e1a1c99c7161c0cbeddeb25eb1d7f1498
SHA512 6cfefcedd2433afed69f02abc4d2259fd124730ddcb74444d41c1be827bc385ff89e1d8c4646615c73d0d2fa6681045100d2da3f03320628894310e4a7e6a105

memory/824-134-0x0000000000000000-mapping.dmp

memory/740-135-0x0000000000000000-mapping.dmp

memory/624-136-0x0000000000000000-mapping.dmp

memory/4408-137-0x0000000000000000-mapping.dmp

memory/4196-138-0x0000000000000000-mapping.dmp

memory/404-139-0x0000000000000000-mapping.dmp

memory/4792-140-0x0000000000000000-mapping.dmp

memory/4760-141-0x0000000000000000-mapping.dmp

memory/224-143-0x0000000000000000-mapping.dmp

memory/100-142-0x0000000000000000-mapping.dmp

C:\ProgramData\App\regedit.reg

MD5 64c927360c077b3e766b1a4a9bdf8f3a
SHA1 0bb94ae83d4d4223f5908269a1ab6fdf79405a66
SHA256 f8abc166a4efc51f2c6066d7f989c34eb1bdfe95adda8a6c3766e8a956ab6fb9
SHA512 3cf275d0c741615b75197dc257d4b1d851ade9fa848eae64eeeb4412d431bd43c3fac21aa1ade8941f1b6d2d765d2413f97e2fd209b141dc2fe721f5fae97cd1

memory/1040-145-0x0000000000000000-mapping.dmp

C:\ProgramData\App\rutserv.exe

MD5 5c4b2152e37d7c74df6e5267a8d0dd61
SHA1 711ab9242b93cf065aa19f79388f090d07ee35b4
SHA256 200693ef7ea77607661536c9f1193ce6d9f77d3a949fbbdd3e7163dbc66ebdf5
SHA512 743ca60ebffe70bc7fc52eceacc01c887d377e8a8259bac39d1877e83e86eb9dc4e519a986d08db9e07438ca858e7b9f1c930f89642f06788b93c603437e2b0a

memory/4928-146-0x0000000000000000-mapping.dmp

C:\ProgramData\App\rutserv.exe

MD5 5c4b2152e37d7c74df6e5267a8d0dd61
SHA1 711ab9242b93cf065aa19f79388f090d07ee35b4
SHA256 200693ef7ea77607661536c9f1193ce6d9f77d3a949fbbdd3e7163dbc66ebdf5
SHA512 743ca60ebffe70bc7fc52eceacc01c887d377e8a8259bac39d1877e83e86eb9dc4e519a986d08db9e07438ca858e7b9f1c930f89642f06788b93c603437e2b0a

memory/4928-149-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4928-150-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4928-151-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4928-152-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4928-153-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4928-154-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2104-155-0x0000000000000000-mapping.dmp

C:\ProgramData\App\rutserv.exe

MD5 5c4b2152e37d7c74df6e5267a8d0dd61
SHA1 711ab9242b93cf065aa19f79388f090d07ee35b4
SHA256 200693ef7ea77607661536c9f1193ce6d9f77d3a949fbbdd3e7163dbc66ebdf5
SHA512 743ca60ebffe70bc7fc52eceacc01c887d377e8a8259bac39d1877e83e86eb9dc4e519a986d08db9e07438ca858e7b9f1c930f89642f06788b93c603437e2b0a

memory/2104-157-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2104-158-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2104-159-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2104-160-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2104-161-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\ProgramData\App\rutserv.exe

MD5 5c4b2152e37d7c74df6e5267a8d0dd61
SHA1 711ab9242b93cf065aa19f79388f090d07ee35b4
SHA256 200693ef7ea77607661536c9f1193ce6d9f77d3a949fbbdd3e7163dbc66ebdf5
SHA512 743ca60ebffe70bc7fc52eceacc01c887d377e8a8259bac39d1877e83e86eb9dc4e519a986d08db9e07438ca858e7b9f1c930f89642f06788b93c603437e2b0a

memory/2936-163-0x0000000000000000-mapping.dmp

memory/2104-162-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2936-165-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2936-166-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2936-167-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2936-168-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2936-169-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\ProgramData\App\rutserv.exe

MD5 5c4b2152e37d7c74df6e5267a8d0dd61
SHA1 711ab9242b93cf065aa19f79388f090d07ee35b4
SHA256 200693ef7ea77607661536c9f1193ce6d9f77d3a949fbbdd3e7163dbc66ebdf5
SHA512 743ca60ebffe70bc7fc52eceacc01c887d377e8a8259bac39d1877e83e86eb9dc4e519a986d08db9e07438ca858e7b9f1c930f89642f06788b93c603437e2b0a

memory/3188-171-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3188-172-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3188-173-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3188-174-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3188-175-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\ProgramData\App\vp8encoder.dll

MD5 dab4646806dfca6d0e0b4d80fa9209d6
SHA1 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256 cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512 aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

C:\ProgramData\App\vp8decoder.dll

MD5 d43fa82fab5337ce20ad14650085c5d9
SHA1 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256 c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

C:\ProgramData\App\rfusclient.exe

MD5 0930e28f2efa09ff724051b0ffee2517
SHA1 97180a268f10d37c4e331edb0201a03ad9de6083
SHA256 a506b37e9f01a908481f685ef1f75feb7cb3270abe2deede292299ad0829a14e
SHA512 e46982c6abf5328faa447065f532b7b6e1dddb53f31856da9b174a1f483f6b7b6f2c2bc19257dfa3148d3bbb55f2c02b095b6ef1318a1a7f952ae55f63837a0f

memory/1716-180-0x0000000000000000-mapping.dmp

memory/4668-179-0x0000000000000000-mapping.dmp

C:\ProgramData\App\rfusclient.exe

MD5 0930e28f2efa09ff724051b0ffee2517
SHA1 97180a268f10d37c4e331edb0201a03ad9de6083
SHA256 a506b37e9f01a908481f685ef1f75feb7cb3270abe2deede292299ad0829a14e
SHA512 e46982c6abf5328faa447065f532b7b6e1dddb53f31856da9b174a1f483f6b7b6f2c2bc19257dfa3148d3bbb55f2c02b095b6ef1318a1a7f952ae55f63837a0f

C:\ProgramData\App\rfusclient.exe

MD5 0930e28f2efa09ff724051b0ffee2517
SHA1 97180a268f10d37c4e331edb0201a03ad9de6083
SHA256 a506b37e9f01a908481f685ef1f75feb7cb3270abe2deede292299ad0829a14e
SHA512 e46982c6abf5328faa447065f532b7b6e1dddb53f31856da9b174a1f483f6b7b6f2c2bc19257dfa3148d3bbb55f2c02b095b6ef1318a1a7f952ae55f63837a0f

memory/2936-183-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4668-184-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1716-185-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1716-186-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4668-187-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4668-189-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1716-191-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1716-193-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4668-192-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4668-190-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1716-188-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4932-194-0x0000000000000000-mapping.dmp

memory/2728-195-0x0000000000000000-mapping.dmp

memory/756-196-0x0000000000000000-mapping.dmp

memory/2200-197-0x0000000000000000-mapping.dmp

memory/4972-198-0x0000000000000000-mapping.dmp

memory/2872-199-0x0000000000000000-mapping.dmp

memory/2608-200-0x0000000000000000-mapping.dmp

C:\ProgramData\App\rfusclient.exe

MD5 0930e28f2efa09ff724051b0ffee2517
SHA1 97180a268f10d37c4e331edb0201a03ad9de6083
SHA256 a506b37e9f01a908481f685ef1f75feb7cb3270abe2deede292299ad0829a14e
SHA512 e46982c6abf5328faa447065f532b7b6e1dddb53f31856da9b174a1f483f6b7b6f2c2bc19257dfa3148d3bbb55f2c02b095b6ef1318a1a7f952ae55f63837a0f

memory/2608-202-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2608-203-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2608-205-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2608-204-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2608-206-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2608-207-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4164-208-0x0000000000000000-mapping.dmp

memory/4816-209-0x0000000000000000-mapping.dmp

memory/32-210-0x0000000000000000-mapping.dmp

memory/4872-211-0x0000000000000000-mapping.dmp

memory/3188-212-0x0000000000400000-0x0000000000AB9000-memory.dmp