Malware Analysis Report

2024-11-13 16:21

Sample ID 220503-chrweaacfq
Target 072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38
SHA256 072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38
Tags
rms aspackv2 evasion rat trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38

Threat Level: Known bad

The file 072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38 was found to be: Known bad.

Malicious Activity Summary

rms aspackv2 evasion rat trojan upx

RMS

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

UPX packed file

Sets file to hidden

ASPack v2.12-2.42

Checks computer location settings

Loads dropped DLL

Drops file in System32 directory

Launches sc.exe

Drops file in Program Files directory

Enumerates physical storage devices

Kills process with taskkill

Runs .reg file with regedit

Suspicious behavior: SetClipboardViewer

Modifies registry class

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-03 02:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-03 02:04

Reported

2022-05-03 03:35

Platform

win7-20220414-en

Max time kernel

181s

Max time network

195s

Command Line

"C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe"

Signatures

RMS

trojan rat rms

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Sets file to hidden

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\System\vp8encoder.dll C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files (x86)\System\regedit.reg C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File opened for modification C:\Program Files (x86)\System\install.bat C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File created C:\Program Files (x86)\System\rutserv.exe C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File opened for modification C:\Program Files (x86)\System\regedit.reg C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\rfusclient.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\install.vbs C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File created C:\Program Files (x86)\System\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File opened for modification C:\Program Files (x86)\System\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File opened for modification C:\Program Files (x86)\System\rutserv.exe C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File opened for modification C:\Program Files (x86)\System\regedit.reg C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File opened for modification C:\Program Files (x86)\System\install.bat C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File created C:\Program Files (x86)\System\install.vbs C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File opened for modification C:\Program Files (x86)\System\install.vbs C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8decoder.dll C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files (x86)\System\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File created C:\Program Files (x86)\System\install.bat C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File opened for modification C:\Program Files (x86)\System\mailsend.exe C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\mailsend.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\rutserv.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files (x86)\System\__tmp_rar_sfx_access_check_7123660 C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File created C:\Program Files (x86)\System\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File created C:\Program Files (x86)\System\mailsend.exe C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A

Launches sc.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\System\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 896 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe C:\Windows\SysWOW64\WScript.exe
PID 624 wrote to memory of 1216 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1216 wrote to memory of 892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1216 wrote to memory of 560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1216 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1216 wrote to memory of 1892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1216 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1216 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1216 wrote to memory of 1580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe

"C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files (x86)\System\install.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Program Files (x86)\System" +H +S /S /D

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Program Files (x86)\System\*.*" +H +S /S /D

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

Taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

Taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /silentinstall

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /firewall

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /start

C:\Program Files (x86)\System\rutserv.exe

"C:\Program Files (x86)\System\rutserv.exe"

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe"

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe" /tray

C:\Windows\SysWOW64\sc.exe

sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000

C:\Windows\SysWOW64\sc.exe

sc config RManService obj= LocalSystem type= interact type= own

C:\Windows\SysWOW64\sc.exe

sc config RManService DisplayName= "Windows_Defender v6.3"

C:\Windows\SysWOW64\timeout.exe

timeout 120

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe" /tray

Network

Country Destination Domain Proto
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp

Files

C:\Program Files (x86)\System\install.vbs

MD5 c719a030434d3fa96d62868f27e904a6
SHA1 f2f750a752dd1fda8915a47b082af7cf2d3e3655
SHA256 2696ee4302a85c6b4101fc6d1ce8e38b94fd9c2bbd1acc73b553576b3aacb92f
SHA512 47a9367f7596d19c0636766cd34ca3701d3b1239a284f2333fd04a48422f53b0df21002fd38a4f229f6a2f9f9e8163267e13ecb24d9ce6de1863d5f59ab04ff0

C:\Program Files (x86)\System\install.bat

MD5 f1c22fc901c5802fae89fd164a8a9e1f
SHA1 36cc815126c3ef866a4b360dc0602aed44e22963
SHA256 e44ca2361d2543bc0f786c8b925317859d3be08601a32bdb65a7f5eb8b360a64
SHA512 97ac129d83d86047375679736907bb7bbf2e50eb90bbb0713721ad1b6ee753947a449d45716c870d94fbd85ae6fa6e3860babb792a1825153f25fbe28b2504fe

C:\Program Files (x86)\System\regedit.reg

MD5 251212852a073e6fc5fbe3af92f66adb
SHA1 6ee07cb20f57830325c11867e68fea49ae0e87ea
SHA256 f2c83f4cc13b0cd28090dd128ec5ff221681118f6100eddaead88526070ceecb
SHA512 f3853ece99edc6d39edbf1c7bca471e71aa034684a85358b033e50418ffa061f1e8724cba76065048901c20c9f9a6dbd86a17ee33756c0452d4d3358047296be

C:\Program Files (x86)\System\mailsend.exe

MD5 ac23b87f8ec60ddd3f555556f89a6af8
SHA1 3cea6f84757d15ee8d7fa19d3dfc4992c50aa90c
SHA256 80a1d0a15066c7af67cf5377e59e450c2a96018505236f8f3352173282b27ae4
SHA512 57e67eab9c2a3b94161500eb0091533a539454e9bfddd47c61477299de9455b7ca11c498c5d8a7d77f4763a2053acb4ff96868a9313fede29969edc16d35b167

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

C:\Program Files (x86)\System\vp8decoder.dll

MD5 88318158527985702f61d169434a4940
SHA1 3cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA256 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA512 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

C:\Program Files (x86)\System\vp8encoder.dll

MD5 6298c0af3d1d563834a218a9cc9f54bd
SHA1 0185cd591e454ed072e5a5077b25c612f6849dc9
SHA256 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-03 02:04

Reported

2022-05-03 03:36

Platform

win10v2004-20220414-en

Max time kernel

149s

Max time network

270s

Command Line

"C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe"

Signatures

RMS

trojan rat rms

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Sets file to hidden

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\rutserv.pdb C:\Program Files (x86)\System\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\exe\rutserv.pdb C:\Program Files (x86)\System\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\exe\rutserv.pdb C:\Program Files (x86)\System\rutserv.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\System\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files (x86)\System\install.vbs C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File opened for modification C:\Program Files (x86)\System C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\install.vbs C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\rutserv.pdb C:\Program Files (x86)\System\rutserv.exe N/A
File created C:\Program Files (x86)\System\id.txt C:\Windows\SysWOW64\reg.exe N/A
File created C:\Program Files (x86)\System\__tmp_rar_sfx_access_check_240645828 C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File created C:\Program Files (x86)\System\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File created C:\Program Files (x86)\System\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File opened for modification C:\Program Files (x86)\System\regedit.reg C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File created C:\Program Files (x86)\System\mailsend.exe C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File opened for modification C:\Program Files (x86)\System\install.bat C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\regedit.reg C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\rfusclient.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\id.txt C:\Windows\SysWOW64\reg.exe N/A
File opened for modification C:\Program Files (x86)\System\install.vbs C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File created C:\Program Files (x86)\System\rutserv.exe C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File opened for modification C:\Program Files (x86)\System\mailsend.exe C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File opened for modification C:\Program Files (x86)\System\install.bat C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File opened for modification C:\Program Files (x86)\System\rutserv.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files (x86)\System\install.bat C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File created C:\Program Files (x86)\System\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File opened for modification C:\Program Files (x86)\System\rutserv.exe C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File created C:\Program Files (x86)\System\regedit.reg C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File opened for modification C:\Program Files (x86)\System\mailsend.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8decoder.dll C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8encoder.dll C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A

Launches sc.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\System\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4480 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe C:\Windows\SysWOW64\WScript.exe
PID 4480 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe C:\Windows\SysWOW64\WScript.exe
PID 4480 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe C:\Windows\SysWOW64\WScript.exe
PID 2128 wrote to memory of 3024 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2128 wrote to memory of 3024 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2128 wrote to memory of 3024 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 3728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3024 wrote to memory of 3728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3024 wrote to memory of 3728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3024 wrote to memory of 644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3024 wrote to memory of 644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3024 wrote to memory of 644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3024 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3024 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3024 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3024 wrote to memory of 3196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3024 wrote to memory of 3196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3024 wrote to memory of 3196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3024 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3024 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3024 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3024 wrote to memory of 1320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3024 wrote to memory of 1320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3024 wrote to memory of 1320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3024 wrote to memory of 1848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3024 wrote to memory of 1848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3024 wrote to memory of 1848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3024 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3024 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3024 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3024 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3024 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3024 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3024 wrote to memory of 4604 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 3024 wrote to memory of 4604 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 3024 wrote to memory of 4604 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 3024 wrote to memory of 1076 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 3024 wrote to memory of 1076 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 3024 wrote to memory of 1076 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 3024 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 3024 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 3024 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 1452 wrote to memory of 2096 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1452 wrote to memory of 2096 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1452 wrote to memory of 2096 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1452 wrote to memory of 1020 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1452 wrote to memory of 1020 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1452 wrote to memory of 1020 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 3024 wrote to memory of 1048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3024 wrote to memory of 1048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3024 wrote to memory of 1048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3024 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3024 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3024 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3024 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3024 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3024 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3024 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3024 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3024 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1020 wrote to memory of 3408 N/A C:\Program Files (x86)\System\rfusclient.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1020 wrote to memory of 3408 N/A C:\Program Files (x86)\System\rfusclient.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1020 wrote to memory of 3408 N/A C:\Program Files (x86)\System\rfusclient.exe C:\Program Files (x86)\System\rfusclient.exe
PID 3024 wrote to memory of 3736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe

"C:\Users\Admin\AppData\Local\Temp\072ec6544d897a4a9a6ef56a0795f3612a350f43596882c2573f79f02878ef38.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\System\install.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Program Files (x86)\System" +H +S /S /D

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Program Files (x86)\System\*.*" +H +S /S /D

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

Taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

Taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /silentinstall

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /firewall

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /start

C:\Program Files (x86)\System\rutserv.exe

"C:\Program Files (x86)\System\rutserv.exe"

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe" /tray

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe"

C:\Windows\SysWOW64\sc.exe

sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000

C:\Windows\SysWOW64\sc.exe

sc config RManService obj= LocalSystem type= interact type= own

C:\Windows\SysWOW64\sc.exe

sc config RManService DisplayName= "Windows_Defender v6.3"

C:\Windows\SysWOW64\timeout.exe

timeout 120

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe" /tray

C:\Windows\SysWOW64\reg.exe

reg export "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4" "id.txt"

C:\Windows\SysWOW64\timeout.exe

timeout 10

Network

Country  Destination         Domain                       Proto
IE       52.109.76.31:443                                 tcp
US       209.197.3.8:80                                   tcp
US       209.197.3.8:80                                   tcp
US       209.197.3.8:80                                   tcp
US       8.8.8.8:53          176.122.125.40.in-addr.arpa  udp
US       8.8.8.8:53          rmansys.ru                   udp
RU       31.31.198.18:80     rmansys.ru                   tcp
RU       31.31.198.18:80     rmansys.ru                   tcp
US       8.8.8.8:53          rmansys.ru                   udp
RU       31.31.198.18:80     rmansys.ru                   tcp
US       8.8.8.8:53          rms-server.tektonit.ru       udp
RU       95.213.205.83:5655  rms-server.tektonit.ru       tcp

Files

C:\Program Files (x86)\System\install.vbs

C:\Program Files (x86)\System\install.bat

C:\Program Files (x86)\System\mailsend.exe

C:\Program Files (x86)\System\regedit.reg

C:\Program Files (x86)\System\rfusclient.exe

C:\Program Files (x86)\System\vp8encoder.dll

C:\Program Files (x86)\System\vp8decoder.dll

C:\Program Files (x86)\System\rutserv.exe