Malware Analysis Report

2024-11-13 16:21

Sample ID 220502-xhg2esgbem
Target 6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1
SHA256 6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1
Tags
rms evasion rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1

Threat Level: Known bad

The file 6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1 was found to be: Known bad.

Malicious Activity Summary

rms evasion rat trojan

RMS

Executes dropped EXE

Sets file to hidden

Loads dropped DLL

Checks computer location settings

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Runs .reg file with regedit

Delays execution with timeout.exe

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-02 18:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-02 18:51

Reported

2022-05-02 20:33

Platform

win7-20220414-en

Max time kernel

24s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1524 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe C:\Windows\SysWOW64\WScript.exe
PID 1524 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe C:\Windows\SysWOW64\WScript.exe
PID 1524 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe C:\Windows\SysWOW64\WScript.exe
PID 1524 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe C:\Windows\SysWOW64\WScript.exe
PID 1524 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe C:\Windows\SysWOW64\WScript.exe
PID 1524 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe C:\Windows\SysWOW64\WScript.exe
PID 1524 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe C:\Windows\SysWOW64\WScript.exe
PID 1064 wrote to memory of 2020 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\control\run.exe
PID 1064 wrote to memory of 2020 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\control\run.exe
PID 1064 wrote to memory of 2020 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\control\run.exe
PID 1064 wrote to memory of 2020 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\control\run.exe
PID 1064 wrote to memory of 2020 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\control\run.exe
PID 1064 wrote to memory of 2020 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\control\run.exe
PID 1064 wrote to memory of 2020 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\control\run.exe
PID 2020 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 564 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 564 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 564 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 564 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 564 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 564 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 564 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 564 wrote to memory of 652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 564 wrote to memory of 652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 564 wrote to memory of 652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 564 wrote to memory of 652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 564 wrote to memory of 652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 564 wrote to memory of 652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2020 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe

"C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\control\start.vbs"

C:\Users\Admin\AppData\Roaming\Windows\control\run.exe

"C:\Users\Admin\AppData\Roaming\Windows\control\run.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ytmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ytmp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp

C:\Windows\SysWOW64\attrib.exe

attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Network

N/A

Files

memory/1524-54-0x0000000076851000-0x0000000076853000-memory.dmp

memory/1064-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\control\start.vbs

MD5 7c274b85448ea218e5c6d5521876f698
SHA1 bdd771453446e1e8654985f5c4b7ebb0bb9ada4d
SHA256 427b7d229ae6a8717edb0e5cc156c2025d0d737400d6a22d5de9d4504b7b3185
SHA512 3c0a482e3f5b628cccae9730fb7fbf2f9e8c6fb7d8c52d39beffe8b3a3de184d2df6d5fa412801eca6cf80a7ee8109394e4918c467af88dac767462f01051df6

C:\Users\Admin\AppData\Roaming\Windows\control\run.exe

MD5 5f56f53c24ea5f9bda096511228c9e40
SHA1 1103ed5f6571a334dfae63fefeb0d1f3a2a616c2
SHA256 4ae925d4b3bb61c460e8a91174e5d3a0e24df5c7d660ed63bce3272c91359ba4
SHA512 a621859008c1f38f0c9ea53dbbfc82ccdca9bcdf402d2ac868a202f2bb39d4cef5338cf69df30980aa4d5bea0c062f4be26f00f3b56979920863445e980f4ecb

\Users\Admin\AppData\Roaming\Windows\control\run.exe

MD5 5f56f53c24ea5f9bda096511228c9e40
SHA1 1103ed5f6571a334dfae63fefeb0d1f3a2a616c2
SHA256 4ae925d4b3bb61c460e8a91174e5d3a0e24df5c7d660ed63bce3272c91359ba4
SHA512 a621859008c1f38f0c9ea53dbbfc82ccdca9bcdf402d2ac868a202f2bb39d4cef5338cf69df30980aa4d5bea0c062f4be26f00f3b56979920863445e980f4ecb

memory/2020-61-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\Windows\control\run.exe

MD5 5f56f53c24ea5f9bda096511228c9e40
SHA1 1103ed5f6571a334dfae63fefeb0d1f3a2a616c2
SHA256 4ae925d4b3bb61c460e8a91174e5d3a0e24df5c7d660ed63bce3272c91359ba4
SHA512 a621859008c1f38f0c9ea53dbbfc82ccdca9bcdf402d2ac868a202f2bb39d4cef5338cf69df30980aa4d5bea0c062f4be26f00f3b56979920863445e980f4ecb

C:\Users\Admin\AppData\Roaming\Windows\control\run.exe

MD5 5f56f53c24ea5f9bda096511228c9e40
SHA1 1103ed5f6571a334dfae63fefeb0d1f3a2a616c2
SHA256 4ae925d4b3bb61c460e8a91174e5d3a0e24df5c7d660ed63bce3272c91359ba4
SHA512 a621859008c1f38f0c9ea53dbbfc82ccdca9bcdf402d2ac868a202f2bb39d4cef5338cf69df30980aa4d5bea0c062f4be26f00f3b56979920863445e980f4ecb

memory/952-64-0x0000000000000000-mapping.dmp

memory/1768-66-0x0000000000000000-mapping.dmp

memory/564-68-0x0000000000000000-mapping.dmp

memory/652-70-0x0000000000000000-mapping.dmp

memory/1164-72-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-02 18:51

Reported

2022-05-02 20:33

Platform

win10v2004-20220414-en

Max time kernel

190s

Max time network

216s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe"

Signatures

RMS

trojan rat rms

Sets file to hidden

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Windows\control\data.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\RMS\rfusclient.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\RMS\russian.lg C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files\RMS\vp8encoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\RMS\vp8encoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\RMS\vp8decoder.dll C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\RMS\rutserv.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\RMS C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files\RMS\russian.lg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\RMS\regedit.reg C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\RMS\rfusclient.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\RMS\rutserv.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\RMS\vp8encoder.dll C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files\RMS\regedit.reg C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files\RMS\rfusclient.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\RMS\rutserv.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files\RMS\vp8decoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\RMS\vp8decoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\RMS\rfusclient.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\RMS\regedit.reg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\RMS\russian.lg C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files\RMS\rutserv.exe C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\Windows\control\data.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\RMS\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\RMS\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\RMS\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files\RMS\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files\RMS\rutserv.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\RMS\rutserv.exe N/A
N/A N/A C:\Program Files\RMS\rutserv.exe N/A
N/A N/A C:\Program Files\RMS\rutserv.exe N/A
N/A N/A C:\Program Files\RMS\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4956 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe C:\Windows\SysWOW64\WScript.exe
PID 4956 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe C:\Windows\SysWOW64\WScript.exe
PID 4956 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe C:\Windows\SysWOW64\WScript.exe
PID 1768 wrote to memory of 2704 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\control\run.exe
PID 1768 wrote to memory of 2704 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\control\run.exe
PID 1768 wrote to memory of 2704 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Windows\control\run.exe
PID 2704 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 636 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 636 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 636 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 4696 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4696 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4696 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2704 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 376 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 376 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 376 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Roaming\Windows\control\run.exe C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 1000 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Windows\control\data.exe
PID 1312 wrote to memory of 1000 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Windows\control\data.exe
PID 1312 wrote to memory of 1000 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Windows\control\data.exe
PID 1000 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Roaming\Windows\control\data.exe C:\Windows\SysWOW64\WScript.exe
PID 1000 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Roaming\Windows\control\data.exe C:\Windows\SysWOW64\WScript.exe
PID 1000 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Roaming\Windows\control\data.exe C:\Windows\SysWOW64\WScript.exe
PID 3640 wrote to memory of 1964 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3640 wrote to memory of 1964 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3640 wrote to memory of 1964 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1964 wrote to memory of 392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1964 wrote to memory of 392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1964 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1964 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1964 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1964 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe

"C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\control\start.vbs"

C:\Users\Admin\AppData\Roaming\Windows\control\run.exe

"C:\Users\Admin\AppData\Roaming\Windows\control\run.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ytmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ytmp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp

C:\Windows\SysWOW64\attrib.exe

attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp17910.bat" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp17910.bat"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp26570.exe" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp26570.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytmp\tmp17910.bat "C:\Users\Admin\AppData\Roaming\Windows\control\run.exe"

C:\Users\Admin\AppData\Roaming\Windows\control\data.exe

data.exe -p4387548329574239857234 -d C:\Log

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Log\start.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Log\install.bat" "

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Program Files\RMS"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp17910.bat" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp17910.bat"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp26570.exe" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp26570.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Program Files\RMS\*.*"

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Program Files\RMS\rfusclient.exe"

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Program Files\RMS\rutserv.exe"

C:\Windows\SysWOW64\regedit.exe

regedit /s regedit.reg

C:\Program Files\RMS\rutserv.exe

rutserv.exe /silentinstall

C:\Program Files\RMS\rutserv.exe

rutserv.exe /firewall

C:\Program Files\RMS\rutserv.exe

rutserv.exe /start

C:\Program Files\RMS\rutserv.exe

"C:\Program Files\RMS\rutserv.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Program Files\RMS\rfusclient.exe

"C:\Program Files\RMS\rfusclient.exe" /tray

C:\Program Files\RMS\rfusclient.exe

"C:\Program Files\RMS\rfusclient.exe"

C:\Program Files\RMS\rfusclient.exe

"C:\Program Files\RMS\rfusclient.exe" /tray
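The process list above is the useful detection substrate in this report: RMS (Remote Manipulator System) is legitimate remote-administration software, so `rutserv.exe` on its own is not an indicator. What marks this run is the combination, namely a WScript launch of a .vbs from a user-writable directory, a batch staged in a hidden `ytmp` folder, `taskkill` of the RMS processes, `reg delete` of the product's key, `attrib +s +h` on the install directory, a silent `regedit /s` import and then `rutserv.exe /silentinstall` / `/firewall` / `/start`. The following is an added example for this page (not sandbox output, not RMS vendor code) that scores process-creation events against those indicators and walks the parent chain back to the root binary. The `Event` shape is an assumption standing in for Sysmon Event ID 1 or EDR records; command lines are copied from the report, PIDs follow the report where it gives them and are otherwise constructed (9000-range), and the trailing `cmd /c cls` decoy and the rule weights are editorial.

```python
"""Flag the RMS silent-install chain shown in the behavioral2 process list.

Added example for this report, not sandbox output or RMS vendor code. The
Event shape (pid, ppid, image, command_line) is an assumption standing in
for Sysmon Event ID 1 or EDR process-creation records. Command lines are
the report's; PIDs follow the report where it gives them and are otherwise
constructed (9000-range), as is the benign `cmd /c cls` decoy at the end.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str
    command_line: str


# (name, weight, image regex, command-line regex). Weights are editorial:
# the installer switches and the key deletion carry the most signal, since
# RMS is legitimate software and any one line on its own is weak evidence.
RULES = [
    ("taskkill_rms_procs", 3, r"\\taskkill\.exe$", r"/im\s+(rutserv|rfusclient)\.exe"),
    ("reg_delete_rms_key", 3, r"\\reg\.exe$", r'delete\s+"?HKLM\\SYSTEM\\Remote Manipulator System'),
    ("hide_rms_dir", 2, r"\\attrib\.exe$", r'\+s\s+\+h\s+"?C:\\Program Files\\RMS'),
    ("regedit_silent_import", 2, r"\\regedit\.exe$", r"(?:^|\s)/s(?:\s|$)"),
    ("rutserv_silentinstall", 4, r"\\rutserv\.exe$", r"/silentinstall\b"),
    ("rutserv_firewall", 2, r"\\rutserv\.exe$", r"/firewall\b"),
    ("wscript_from_userdir", 1, r"\\wscript\.exe$", r"(AppData\\Roaming|C:\\Log)\\.*\.vbs"),
    ("cmd_runs_hidden_tmp_bat", 1, r"\\cmd\.exe$", r"\\ytmp\\tmp\d+\.bat"),
]

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe"
SYSWOW = r"C:\Windows\SysWOW64"
CONTROL = r"C:\Users\Admin\AppData\Roaming\Windows\control"
RMS = r"C:\Program Files\RMS"

# Constructed from the report's Processes section (see docstring for what is assumed).
SAMPLE_EVENTS = [
    Event(4956, 1, DROPPER, f'"{DROPPER}"'),
    Event(1768, 4956, SYSWOW + r"\WScript.exe", r'"C:\Windows\System32\WScript.exe" "' + CONTROL + r'\start.vbs"'),
    Event(2704, 1768, CONTROL + r"\run.exe", f'"{CONTROL}\\run.exe"'),
    Event(4696, 2704, SYSWOW + r"\cmd.exe", r"C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp"),
    Event(1312, 2704, SYSWOW + r"\cmd.exe", r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytmp\tmp17910.bat " + f'"{CONTROL}\\run.exe"'),
    Event(1000, 1312, CONTROL + r"\data.exe", r"data.exe -p4387548329574239857234 -d C:\Log"),
    Event(3640, 1000, SYSWOW + r"\WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\Log\start.vbs"'),
    Event(1964, 3640, SYSWOW + r"\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\Log\install.bat" "'),
    Event(392, 1964, SYSWOW + r"\taskkill.exe", "taskkill /f /im rutserv.exe"),
    Event(1304, 1964, SYSWOW + r"\taskkill.exe", "taskkill /f /im rfusclient.exe"),
    Event(4984, 1964, SYSWOW + r"\reg.exe", r'reg delete "HKLM\SYSTEM\Remote Manipulator System" /f'),
    Event(9001, 1964, SYSWOW + r"\attrib.exe", r'attrib +s +h "C:\Program Files\RMS"'),
    Event(9002, 1964, SYSWOW + r"\regedit.exe", "regedit /s regedit.reg"),
    Event(9003, 1964, RMS + r"\rutserv.exe", "rutserv.exe /silentinstall"),
    Event(9004, 1964, RMS + r"\rutserv.exe", "rutserv.exe /firewall"),
    Event(9100, 1, SYSWOW + r"\cmd.exe", r"C:\Windows\system32\cmd.exe /c cls"),  # benign decoy
]


def score_events(events):
    """Return (score, {rule_name: [pids]}) for a batch of process events."""
    hits = {}
    for ev in events:
        for name, _, img_re, cmd_re in RULES:
            if re.search(img_re, ev.image, re.I) and re.search(cmd_re, ev.command_line, re.I):
                hits.setdefault(name, []).append(ev.pid)
    score = sum(w for name, w, _, _ in RULES if name in hits)
    return score, hits


def ancestry(events, pid):
    """Walk parent PIDs back to the root; returns lowercased image basenames."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        ev = by_pid[pid]
        chain.append(ev.image.rsplit("\\", 1)[-1].lower())
        pid = ev.ppid
    return chain


def analyze(events, threshold=8):
    """Score the batch and report which root binaries the hits descend from."""
    score, hits = score_events(events)
    verdict = "rms_silent_install_chain" if score >= threshold else "no_match"
    # A chain rooted in a binary under %TEMP% or %APPDATA%, rather than an
    # installer run by an administrator, is what separates this from a legitimate deployment.
    roots = {ancestry(events, pid)[-1] for pids in hits.values() for pid in pids}
    return {"score": score, "hits": hits, "roots": sorted(roots), "verdict": verdict}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    print(result["verdict"], result["score"], sorted(result["hits"]))
    print(" <- ".join(ancestry(SAMPLE_EVENTS, 9003)))
```

The threshold of 8 means no single rule fires the verdict: `rutserv.exe /silentinstall` alone (weight 4) is what an IT-driven RMS rollout also produces, while the key deletion plus process kills plus hidden install directory only occur together when something is replacing or concealing an RMS instance. Tune the weights against your own baseline of legitimate RMS installs before deploying.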

Network

Country Destination Domain Proto
GB 173.222.211.107:80 tcp
GB 173.222.211.107:80 tcp
US 40.125.122.151:443 tcp
IE 13.69.239.72:443 tcp
US 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
BE 8.238.110.126:80 tcp
BE 8.238.110.126:80 tcp
US 8.8.8.8:53 2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa udp
NL 104.123.41.162:80 tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp

Files

memory/1768-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\control\start.vbs

MD5 7c274b85448ea218e5c6d5521876f698
SHA1 bdd771453446e1e8654985f5c4b7ebb0bb9ada4d
SHA256 427b7d229ae6a8717edb0e5cc156c2025d0d737400d6a22d5de9d4504b7b3185
SHA512 3c0a482e3f5b628cccae9730fb7fbf2f9e8c6fb7d8c52d39beffe8b3a3de184d2df6d5fa412801eca6cf80a7ee8109394e4918c467af88dac767462f01051df6

C:\Users\Admin\AppData\Roaming\Windows\control\run.exe

MD5 5f56f53c24ea5f9bda096511228c9e40
SHA1 1103ed5f6571a334dfae63fefeb0d1f3a2a616c2
SHA256 4ae925d4b3bb61c460e8a91174e5d3a0e24df5c7d660ed63bce3272c91359ba4
SHA512 a621859008c1f38f0c9ea53dbbfc82ccdca9bcdf402d2ac868a202f2bb39d4cef5338cf69df30980aa4d5bea0c062f4be26f00f3b56979920863445e980f4ecb

memory/2704-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\control\run.exe

MD5 5f56f53c24ea5f9bda096511228c9e40
SHA1 1103ed5f6571a334dfae63fefeb0d1f3a2a616c2
SHA256 4ae925d4b3bb61c460e8a91174e5d3a0e24df5c7d660ed63bce3272c91359ba4
SHA512 a621859008c1f38f0c9ea53dbbfc82ccdca9bcdf402d2ac868a202f2bb39d4cef5338cf69df30980aa4d5bea0c062f4be26f00f3b56979920863445e980f4ecb

memory/3204-135-0x0000000000000000-mapping.dmp

memory/636-136-0x0000000000000000-mapping.dmp

memory/4696-137-0x0000000000000000-mapping.dmp

memory/3648-138-0x0000000000000000-mapping.dmp

memory/3460-139-0x0000000000000000-mapping.dmp

memory/4836-140-0x0000000000000000-mapping.dmp

memory/4832-141-0x0000000000000000-mapping.dmp

memory/4924-142-0x0000000000000000-mapping.dmp

memory/376-143-0x0000000000000000-mapping.dmp

memory/5116-144-0x0000000000000000-mapping.dmp

memory/1600-145-0x0000000000000000-mapping.dmp

memory/952-146-0x0000000000000000-mapping.dmp

memory/3928-147-0x0000000000000000-mapping.dmp

memory/1312-148-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ytmp\tmp17910.bat

MD5 b4e641b6d4270e78c83ca4b207b80325
SHA1 47a5202e6b8c8d3577f37a9923bc820d0c7a0864
SHA256 6d480e4d29dcfd48e33a2bf7d41a1d4a8079e90251913a6780b307f35fd74c02
SHA512 470e783f0999ecbb43ebe40332cda8ba02b99efc9384cb269fedf986f74d9209278e5e8b83e3793ca3a733c3374a87e7529f30c91c315692d972d2445fbb48b9

memory/1000-150-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows\control\data.exe

MD5 8073902d5731af195706c0737d42337b
SHA1 ee501e11ecf3d14f59d54750de7f35af663e6bb9
SHA256 511e239339255dc29b68ee438b7889e0e437d011dda6b5f715c73ceab9a42d2a
SHA512 ac0ee5a5fb9eb5e52a84683bbbda52d9dc1606e714cded78b18da738db803c61fa197b7c15cbf786c4722af04d42bb1d9e3eade823cf09d6ed069b17124c3241

C:\Users\Admin\AppData\Roaming\Windows\control\data.exe

MD5 8073902d5731af195706c0737d42337b
SHA1 ee501e11ecf3d14f59d54750de7f35af663e6bb9
SHA256 511e239339255dc29b68ee438b7889e0e437d011dda6b5f715c73ceab9a42d2a
SHA512 ac0ee5a5fb9eb5e52a84683bbbda52d9dc1606e714cded78b18da738db803c61fa197b7c15cbf786c4722af04d42bb1d9e3eade823cf09d6ed069b17124c3241

memory/3640-153-0x0000000000000000-mapping.dmp

C:\Log\start.vbs

MD5 65fc32766a238ff3e95984e325357dbb
SHA1 3ac16a2648410be8aa75f3e2817fbf69bb0e8922
SHA256 a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420
SHA512 621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

C:\Log\install.bat

MD5 f02f205c3aa7e6344e02d9ae24e0c1d8
SHA1 922a9ac42cfe6cf4a8c92b1c8f0966aa06bd16db
SHA256 e7a8b3a79a24e96abdbc31fa6e5888d9a7486f161fd99aa0211d39856bcd8f99
SHA512 8af98e7d161eb0bb90d8eee6f5ec424c029a62ae04fa6787de926044008db09f4a62eea2cf69c889cec219114d45fd15f0a729a27a688c5275b545f4280cfa9a

memory/1964-156-0x0000000000000000-mapping.dmp

memory/392-157-0x0000000000000000-mapping.dmp

memory/1304-158-0x0000000000000000-mapping.dmp

memory/4984-159-0x0000000000000000-mapping.dmp

memory/4968-160-0x0000000000000000-mapping.dmp

C:\Log\regedit.reg

MD5 4c8a6b9bfbfb9af122a791330e33dbc5
SHA1 77583460b3cbe89c77569cc6d8f701903069072e
SHA256 245ce8372b8a88ccad7e79600d9fe737f53f0a61b1951aa849b2a0bb7971eda0
SHA512 a37731d92e7ae803ce84dbf32806642df0895673e57dad131c799a6626fbc504eb1843dac9236eb61e17da381d853c20e1cc023b3db023adc4dc85667433f4c4

memory/1628-162-0x0000000000000000-mapping.dmp

memory/648-163-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ytmp\tmp26570.exe

MD5 3c52638971ead82b5929d605c1314ee0
SHA1 7318148a40faca203ac402dff51bbb04e638545c
SHA256 5614459ec05fdf6110fa8ce54c34e859671eeffba2b7bb4b1ad6c2c6706855ab
SHA512 46f85f730e3ca9a57f51416c6ab4d03f868f895568eee8f7943cd249b2f71d2a3e83c34e7132715c983d3efaa865a9cb599a4278c911130a0a6948a535c0573b

memory/4788-165-0x0000000000000000-mapping.dmp

memory/2516-166-0x0000000000000000-mapping.dmp

C:\Log\rfusclient.exe

MD5 e3c15e4d44c2b546d640b5808a9a2818
SHA1 090f6f75558614f19b970df39ebe1a87185f5a0c
SHA256 b6daf91fc45307fff001a61b9402ad19bd59dd72541427d39207991be6679219
SHA512 c5864116e95533d599ab8ee9a36b71ea38275fcc5e076489116cc1caea31fdd0c81cf2b5ea43e244ee38a92099e0388a042c7604f1deb2e4c6caf29a3314a494

C:\Log\rutserv.exe

MD5 8f6e38cc55206473121c8bf63fcbcf2d
SHA1 35504ce4bc1cea9e737a3be108cd428ab2251e1d
SHA256 fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
SHA512 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

C:\Log\russian.lg

MD5 37b80cc200e62cdb350f7c86ee61264c
SHA1 35885999a4dc527dfc6d67079c5f82dd4759d78d
SHA256 5c394e7f7e6571ea2de8ebf23d087d452ccfda4b7468db793ce11cafac3e92a1
SHA512 7c1831fdf6584eab78d63245295014ab9361fbfe30c4304c11b4d8ce3eca784d2528c3a3d5183bc05118ab4054ae90cfcfe6a7b1f666839dc45acf5bc4ac2481

C:\Log\vp8decoder.dll

MD5 d43fa82fab5337ce20ad14650085c5d9
SHA1 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256 c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

C:\Log\vp8encoder.dll

MD5 dab4646806dfca6d0e0b4d80fa9209d6
SHA1 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256 cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512 aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

memory/2256-172-0x0000000000000000-mapping.dmp

C:\Program Files\RMS\russian.lg

MD5 37b80cc200e62cdb350f7c86ee61264c
SHA1 35885999a4dc527dfc6d67079c5f82dd4759d78d
SHA256 5c394e7f7e6571ea2de8ebf23d087d452ccfda4b7468db793ce11cafac3e92a1
SHA512 7c1831fdf6584eab78d63245295014ab9361fbfe30c4304c11b4d8ce3eca784d2528c3a3d5183bc05118ab4054ae90cfcfe6a7b1f666839dc45acf5bc4ac2481

memory/1468-180-0x0000000000000000-mapping.dmp

memory/3752-179-0x0000000000000000-mapping.dmp

memory/3448-181-0x0000000000000000-mapping.dmp

C:\Program Files\RMS\vp8encoder.dll

MD5 dab4646806dfca6d0e0b4d80fa9209d6
SHA1 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256 cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512 aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

C:\Program Files\RMS\vp8decoder.dll

MD5 d43fa82fab5337ce20ad14650085c5d9
SHA1 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256 c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

C:\Program Files\RMS\rutserv.exe

MD5 8f6e38cc55206473121c8bf63fcbcf2d
SHA1 35504ce4bc1cea9e737a3be108cd428ab2251e1d
SHA256 fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
SHA512 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

C:\Program Files\RMS\rfusclient.exe

MD5 e3c15e4d44c2b546d640b5808a9a2818
SHA1 090f6f75558614f19b970df39ebe1a87185f5a0c
SHA256 b6daf91fc45307fff001a61b9402ad19bd59dd72541427d39207991be6679219
SHA512 c5864116e95533d599ab8ee9a36b71ea38275fcc5e076489116cc1caea31fdd0c81cf2b5ea43e244ee38a92099e0388a042c7604f1deb2e4c6caf29a3314a494

C:\Program Files\RMS\regedit.reg

MD5 4c8a6b9bfbfb9af122a791330e33dbc5
SHA1 77583460b3cbe89c77569cc6d8f701903069072e
SHA256 245ce8372b8a88ccad7e79600d9fe737f53f0a61b1951aa849b2a0bb7971eda0
SHA512 a37731d92e7ae803ce84dbf32806642df0895673e57dad131c799a6626fbc504eb1843dac9236eb61e17da381d853c20e1cc023b3db023adc4dc85667433f4c4

memory/2804-182-0x0000000000000000-mapping.dmp

C:\Program Files\RMS\rutserv.exe

MD5 8f6e38cc55206473121c8bf63fcbcf2d
SHA1 35504ce4bc1cea9e737a3be108cd428ab2251e1d
SHA256 fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
SHA512 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

C:\Program Files\RMS\rutserv.exe

MD5 8f6e38cc55206473121c8bf63fcbcf2d
SHA1 35504ce4bc1cea9e737a3be108cd428ab2251e1d
SHA256 fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
SHA512 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

memory/4184-184-0x0000000000000000-mapping.dmp

C:\Program Files\RMS\rutserv.exe

MD5 8f6e38cc55206473121c8bf63fcbcf2d
SHA1 35504ce4bc1cea9e737a3be108cd428ab2251e1d
SHA256 fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
SHA512 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

memory/5068-186-0x0000000000000000-mapping.dmp

C:\Program Files\RMS\rutserv.exe

MD5 8f6e38cc55206473121c8bf63fcbcf2d
SHA1 35504ce4bc1cea9e737a3be108cd428ab2251e1d
SHA256 fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57
SHA512 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

memory/432-191-0x0000000000000000-mapping.dmp

memory/4728-189-0x0000000000000000-mapping.dmp

C:\Program Files\RMS\rfusclient.exe

MD5 e3c15e4d44c2b546d640b5808a9a2818
SHA1 090f6f75558614f19b970df39ebe1a87185f5a0c
SHA256 b6daf91fc45307fff001a61b9402ad19bd59dd72541427d39207991be6679219
SHA512 c5864116e95533d599ab8ee9a36b71ea38275fcc5e076489116cc1caea31fdd0c81cf2b5ea43e244ee38a92099e0388a042c7604f1deb2e4c6caf29a3314a494

C:\Program Files\RMS\rfusclient.exe

MD5 e3c15e4d44c2b546d640b5808a9a2818
SHA1 090f6f75558614f19b970df39ebe1a87185f5a0c
SHA256 b6daf91fc45307fff001a61b9402ad19bd59dd72541427d39207991be6679219
SHA512 c5864116e95533d599ab8ee9a36b71ea38275fcc5e076489116cc1caea31fdd0c81cf2b5ea43e244ee38a92099e0388a042c7604f1deb2e4c6caf29a3314a494

memory/5056-190-0x0000000000000000-mapping.dmp

memory/1096-194-0x0000000000000000-mapping.dmp

C:\Program Files\RMS\rfusclient.exe

MD5 e3c15e4d44c2b546d640b5808a9a2818
SHA1 090f6f75558614f19b970df39ebe1a87185f5a0c
SHA256 b6daf91fc45307fff001a61b9402ad19bd59dd72541427d39207991be6679219
SHA512 c5864116e95533d599ab8ee9a36b71ea38275fcc5e076489116cc1caea31fdd0c81cf2b5ea43e244ee38a92099e0388a042c7604f1deb2e4c6caf29a3314a494