Malware Analysis Report

2024-11-13 16:21

Sample ID 220507-z4k2bahehm
Target faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253
SHA256 faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253
Tags
aspackv2 rms evasion rat trojan upx
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253

Threat Level: Known bad

The file faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253 was found to be: Known bad.

Malicious Activity Summary

aspackv2 rms evasion rat trojan upx

RMS

Executes dropped EXE

Sets file to hidden

UPX packed file

ASPack v2.12-2.42

Checks computer location settings

Loads dropped DLL

Launches sc.exe

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Kills process with taskkill

Runs .reg file with regedit

Suspicious behavior: SetClipboardViewer

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-07 21:16

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-07 21:16

Reported

2022-05-07 21:47

Platform

win7-20220414-en

Max time kernel

201s

Max time network

266s

Command Line

"C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe"

Signatures

RMS

trojan rat rms

Sets file to hidden

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\ProgramData\App\rutserv.exe N/A

Launches sc.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\ProgramData\App\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\App\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\App\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\App\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\App\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\App\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1776 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe C:\Windows\SysWOW64\cmd.exe
PID 940 wrote to memory of 1132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 940 wrote to memory of 1132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 940 wrote to memory of 1132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 940 wrote to memory of 1132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 940 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 940 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 940 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 940 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 940 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 940 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 940 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 940 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 940 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 940 wrote to memory of 300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 940 wrote to memory of 300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 940 wrote to memory of 300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 940 wrote to memory of 300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 940 wrote to memory of 1632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 940 wrote to memory of 1632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 940 wrote to memory of 1632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 940 wrote to memory of 1632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 940 wrote to memory of 644 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 940 wrote to memory of 644 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 940 wrote to memory of 644 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 940 wrote to memory of 644 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 940 wrote to memory of 652 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 940 wrote to memory of 652 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 940 wrote to memory of 652 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 940 wrote to memory of 652 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 940 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 940 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 940 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 940 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 1592 wrote to memory of 1664 N/A C:\ProgramData\App\rutserv.exe C:\ProgramData\App\rfusclient.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe

"C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\ProgramData\App\install.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib -r -a -s -h "C:\ProgramData\App\install.bat" /S /D

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\System Corporation Update" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\ProgramData\App\rutserv.exe

rutserv.exe /silentinstall

C:\ProgramData\App\rutserv.exe

rutserv.exe /firewall

C:\ProgramData\App\rutserv.exe

rutserv.exe /start

C:\ProgramData\App\rutserv.exe

C:\ProgramData\App\rutserv.exe

C:\ProgramData\App\rfusclient.exe

C:\ProgramData\App\rfusclient.exe

C:\ProgramData\App\rfusclient.exe

C:\ProgramData\App\rfusclient.exe /tray

C:\Windows\SysWOW64\sc.exe

sc config RManService start= auto

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\ProgramData\App" /S /D

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\ProgramData\App\rutserv.exe" /S /D

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\ProgramData\App\vp8encoder.dll" /S /D

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\ProgramData\App\vp8decoder.dll" /S /D

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\ProgramData\App\rfusclient.exe" /S /D

C:\ProgramData\App\rfusclient.exe

C:\ProgramData\App\rfusclient.exe /tray

Network

Country Destination Domain Proto
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp

Files

memory/1776-54-0x0000000075721000-0x0000000075723000-memory.dmp

memory/1776-55-0x0000000000400000-0x0000000001208000-memory.dmp

memory/1776-56-0x0000000000400000-0x0000000001208000-memory.dmp

memory/1776-57-0x0000000000400000-0x0000000001208000-memory.dmp

memory/1776-58-0x0000000000400000-0x0000000001208000-memory.dmp

memory/940-59-0x0000000000000000-mapping.dmp

C:\ProgramData\App\install.bat

MD5 6ec51eea8e8ca78d0086df72e0b10228
SHA1 b7c5a2e76841bb1100a846490f79b5de5f90f128
SHA256 6d13d9ad28789125fb70e0fdbfa7ee0e1a1c99c7161c0cbeddeb25eb1d7f1498
SHA512 6cfefcedd2433afed69f02abc4d2259fd124730ddcb74444d41c1be827bc385ff89e1d8c4646615c73d0d2fa6681045100d2da3f03320628894310e4a7e6a105

memory/1132-61-0x0000000000000000-mapping.dmp

memory/1360-62-0x0000000000000000-mapping.dmp

memory/980-63-0x0000000000000000-mapping.dmp

memory/732-64-0x0000000000000000-mapping.dmp

memory/1872-65-0x0000000000000000-mapping.dmp

memory/272-66-0x0000000000000000-mapping.dmp

memory/680-67-0x0000000000000000-mapping.dmp

memory/1728-68-0x0000000000000000-mapping.dmp

memory/1480-69-0x0000000000000000-mapping.dmp

memory/300-70-0x0000000000000000-mapping.dmp

C:\ProgramData\App\regedit.reg

MD5 64c927360c077b3e766b1a4a9bdf8f3a
SHA1 0bb94ae83d4d4223f5908269a1ab6fdf79405a66
SHA256 f8abc166a4efc51f2c6066d7f989c34eb1bdfe95adda8a6c3766e8a956ab6fb9
SHA512 3cf275d0c741615b75197dc257d4b1d851ade9fa848eae64eeeb4412d431bd43c3fac21aa1ade8941f1b6d2d765d2413f97e2fd209b141dc2fe721f5fae97cd1

memory/1632-73-0x0000000000000000-mapping.dmp

C:\ProgramData\App\rutserv.exe

MD5 ba2fb371384526b0f7fd3d6372560bce
SHA1 52f8bdd1486b4cdda984909d07d4bd4d32e4b8b2
SHA256 6dc1a8ff4f5eb116a4a492a6fd3ff9273480cc98813cfb4ba7d75b4facc12987
SHA512 a8a77097d7e59aac2309dfd6216529dec4174ab266c7751ac0cc10bd71b09a5241420efae0e17455667e28a9f289de79098e2add051bdd2184d2fc39ac79fe0e

memory/644-76-0x0000000000000000-mapping.dmp

C:\ProgramData\App\rutserv.exe

MD5 ba2fb371384526b0f7fd3d6372560bce
SHA1 52f8bdd1486b4cdda984909d07d4bd4d32e4b8b2
SHA256 6dc1a8ff4f5eb116a4a492a6fd3ff9273480cc98813cfb4ba7d75b4facc12987
SHA512 a8a77097d7e59aac2309dfd6216529dec4174ab266c7751ac0cc10bd71b09a5241420efae0e17455667e28a9f289de79098e2add051bdd2184d2fc39ac79fe0e

\ProgramData\App\rutserv.exe

MD5 ba2fb371384526b0f7fd3d6372560bce
SHA1 52f8bdd1486b4cdda984909d07d4bd4d32e4b8b2
SHA256 6dc1a8ff4f5eb116a4a492a6fd3ff9273480cc98813cfb4ba7d75b4facc12987
SHA512 a8a77097d7e59aac2309dfd6216529dec4174ab266c7751ac0cc10bd71b09a5241420efae0e17455667e28a9f289de79098e2add051bdd2184d2fc39ac79fe0e

memory/652-79-0x0000000000000000-mapping.dmp

C:\ProgramData\App\rutserv.exe

MD5 ba2fb371384526b0f7fd3d6372560bce
SHA1 52f8bdd1486b4cdda984909d07d4bd4d32e4b8b2
SHA256 6dc1a8ff4f5eb116a4a492a6fd3ff9273480cc98813cfb4ba7d75b4facc12987
SHA512 a8a77097d7e59aac2309dfd6216529dec4174ab266c7751ac0cc10bd71b09a5241420efae0e17455667e28a9f289de79098e2add051bdd2184d2fc39ac79fe0e

C:\ProgramData\App\rutserv.exe

MD5 ba2fb371384526b0f7fd3d6372560bce
SHA1 52f8bdd1486b4cdda984909d07d4bd4d32e4b8b2
SHA256 6dc1a8ff4f5eb116a4a492a6fd3ff9273480cc98813cfb4ba7d75b4facc12987
SHA512 a8a77097d7e59aac2309dfd6216529dec4174ab266c7751ac0cc10bd71b09a5241420efae0e17455667e28a9f289de79098e2add051bdd2184d2fc39ac79fe0e

memory/1292-82-0x0000000000000000-mapping.dmp

C:\ProgramData\App\rutserv.exe

MD5 ba2fb371384526b0f7fd3d6372560bce
SHA1 52f8bdd1486b4cdda984909d07d4bd4d32e4b8b2
SHA256 6dc1a8ff4f5eb116a4a492a6fd3ff9273480cc98813cfb4ba7d75b4facc12987
SHA512 a8a77097d7e59aac2309dfd6216529dec4174ab266c7751ac0cc10bd71b09a5241420efae0e17455667e28a9f289de79098e2add051bdd2184d2fc39ac79fe0e

C:\ProgramData\App\vp8decoder.dll

MD5 d43fa82fab5337ce20ad14650085c5d9
SHA1 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256 c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

C:\ProgramData\App\rfusclient.exe

MD5 5dd41537431207d6f0c8d7574b345edd
SHA1 2b3f1085e6a91e4afa454d8e21a9f6f8d1987545
SHA256 8f0a55d2cdd377c51902cbadaf372cd3a84afc393445eb3931ac53f43822886e
SHA512 b0ce40603e781aa767fa9640e157f384dc74d4434c0ab27998373c91241355f87744c06d3b89f2bd7336e9dc3f266fce5fbdce06828e2ca33902e5e09669bae4

C:\ProgramData\App\vp8encoder.dll

MD5 dab4646806dfca6d0e0b4d80fa9209d6
SHA1 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256 cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512 aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

\ProgramData\App\rfusclient.exe

MD5 5dd41537431207d6f0c8d7574b345edd
SHA1 2b3f1085e6a91e4afa454d8e21a9f6f8d1987545
SHA256 8f0a55d2cdd377c51902cbadaf372cd3a84afc393445eb3931ac53f43822886e
SHA512 b0ce40603e781aa767fa9640e157f384dc74d4434c0ab27998373c91241355f87744c06d3b89f2bd7336e9dc3f266fce5fbdce06828e2ca33902e5e09669bae4

C:\ProgramData\App\rfusclient.exe

MD5 5dd41537431207d6f0c8d7574b345edd
SHA1 2b3f1085e6a91e4afa454d8e21a9f6f8d1987545
SHA256 8f0a55d2cdd377c51902cbadaf372cd3a84afc393445eb3931ac53f43822886e
SHA512 b0ce40603e781aa767fa9640e157f384dc74d4434c0ab27998373c91241355f87744c06d3b89f2bd7336e9dc3f266fce5fbdce06828e2ca33902e5e09669bae4

C:\ProgramData\App\rfusclient.exe

MD5 5dd41537431207d6f0c8d7574b345edd
SHA1 2b3f1085e6a91e4afa454d8e21a9f6f8d1987545
SHA256 8f0a55d2cdd377c51902cbadaf372cd3a84afc393445eb3931ac53f43822886e
SHA512 b0ce40603e781aa767fa9640e157f384dc74d4434c0ab27998373c91241355f87744c06d3b89f2bd7336e9dc3f266fce5fbdce06828e2ca33902e5e09669bae4

memory/1360-94-0x0000000000000000-mapping.dmp

memory/1664-91-0x0000000000000000-mapping.dmp

memory/976-97-0x0000000000000000-mapping.dmp

memory/1724-98-0x0000000000000000-mapping.dmp

memory/1424-100-0x0000000000000000-mapping.dmp

memory/1896-101-0x0000000000000000-mapping.dmp

memory/1060-102-0x0000000000000000-mapping.dmp

memory/1840-99-0x0000000000000000-mapping.dmp

C:\ProgramData\App\rfusclient.exe

MD5 5dd41537431207d6f0c8d7574b345edd
SHA1 2b3f1085e6a91e4afa454d8e21a9f6f8d1987545
SHA256 8f0a55d2cdd377c51902cbadaf372cd3a84afc393445eb3931ac53f43822886e
SHA512 b0ce40603e781aa767fa9640e157f384dc74d4434c0ab27998373c91241355f87744c06d3b89f2bd7336e9dc3f266fce5fbdce06828e2ca33902e5e09669bae4

memory/1936-103-0x0000000000000000-mapping.dmp

memory/1776-106-0x0000000000400000-0x0000000001208000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-07 21:16

Reported

2022-05-07 21:44

Platform

win10v2004-20220414-en

Max time kernel

197s

Max time network

203s

Command Line

"C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe"

Signatures

RMS

trojan rat rms

Sets file to hidden

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe N/A

Launches sc.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\ProgramData\App\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\App\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\App\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\App\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\App\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\App\rutserv.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3552 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3552 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3552 wrote to memory of 3496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3552 wrote to memory of 3496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3552 wrote to memory of 3496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3552 wrote to memory of 4652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3552 wrote to memory of 4652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3552 wrote to memory of 4652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3552 wrote to memory of 4472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3552 wrote to memory of 4472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3552 wrote to memory of 4472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3552 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3552 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3552 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3552 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3552 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3552 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3552 wrote to memory of 3584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3552 wrote to memory of 3584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3552 wrote to memory of 3584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3552 wrote to memory of 3864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3552 wrote to memory of 3864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3552 wrote to memory of 3864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3552 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3552 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3552 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3552 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3552 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3552 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3552 wrote to memory of 4768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3552 wrote to memory of 4768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3552 wrote to memory of 4768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3552 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 3552 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 3552 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 3552 wrote to memory of 4092 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 3552 wrote to memory of 4092 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 3552 wrote to memory of 4092 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 3552 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 3552 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 3552 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\App\rutserv.exe
PID 4448 wrote to memory of 4576 N/A C:\ProgramData\App\rutserv.exe C:\ProgramData\App\rfusclient.exe
PID 4448 wrote to memory of 4576 N/A C:\ProgramData\App\rutserv.exe C:\ProgramData\App\rfusclient.exe
PID 4448 wrote to memory of 4576 N/A C:\ProgramData\App\rutserv.exe C:\ProgramData\App\rfusclient.exe
PID 4448 wrote to memory of 4512 N/A C:\ProgramData\App\rutserv.exe C:\ProgramData\App\rfusclient.exe
PID 4448 wrote to memory of 4512 N/A C:\ProgramData\App\rutserv.exe C:\ProgramData\App\rfusclient.exe
PID 4448 wrote to memory of 4512 N/A C:\ProgramData\App\rutserv.exe C:\ProgramData\App\rfusclient.exe
PID 3552 wrote to memory of 3168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3552 wrote to memory of 3168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3552 wrote to memory of 3168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3552 wrote to memory of 3844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3552 wrote to memory of 3844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3552 wrote to memory of 3844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3552 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3552 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3552 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3552 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3552 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3552 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3552 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe

"C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\App\install.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib -r -a -s -h "C:\ProgramData\App\install.bat" /S /D

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\System Corporation Update" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\ProgramData\App\rutserv.exe

rutserv.exe /silentinstall

C:\ProgramData\App\rutserv.exe

rutserv.exe /firewall

C:\ProgramData\App\rutserv.exe

rutserv.exe /start

C:\ProgramData\App\rutserv.exe

C:\ProgramData\App\rutserv.exe

C:\ProgramData\App\rfusclient.exe

C:\ProgramData\App\rfusclient.exe /tray

C:\ProgramData\App\rfusclient.exe

C:\ProgramData\App\rfusclient.exe

C:\Windows\SysWOW64\sc.exe

sc config RManService start= auto

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\ProgramData\App" /S /D

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\ProgramData\App\rutserv.exe" /S /D

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\ProgramData\App\rfusclient.exe" /S /D

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\ProgramData\App\vp8decoder.dll" /S /D

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\ProgramData\App\vp8encoder.dll" /S /D

C:\ProgramData\App\rfusclient.exe

C:\ProgramData\App\rfusclient.exe /tray

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c sc config RManService start= auto

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c sc config RManService start= auto

C:\Windows\SysWOW64\sc.exe

sc config RManService start= auto

C:\Windows\SysWOW64\sc.exe

sc config RManService start= auto

Network

Country Destination Domain Proto
US 20.42.65.85:443 tcp
FR 2.18.109.224:443 tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
NL 87.248.202.1:80 tcp
US 104.18.24.243:80 tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
US 8.8.8.8:53 unayt.ru udp
RU 91.227.18.139:80 unayt.ru tcp

Files

memory/2168-130-0x0000000000400000-0x0000000001208000-memory.dmp

memory/2168-131-0x0000000000400000-0x0000000001208000-memory.dmp

memory/2168-132-0x0000000000400000-0x0000000001208000-memory.dmp

memory/2168-133-0x0000000000400000-0x0000000001208000-memory.dmp

memory/3552-134-0x0000000000000000-mapping.dmp

C:\ProgramData\App\install.bat

MD5 6ec51eea8e8ca78d0086df72e0b10228
SHA1 b7c5a2e76841bb1100a846490f79b5de5f90f128
SHA256 6d13d9ad28789125fb70e0fdbfa7ee0e1a1c99c7161c0cbeddeb25eb1d7f1498
SHA512 6cfefcedd2433afed69f02abc4d2259fd124730ddcb74444d41c1be827bc385ff89e1d8c4646615c73d0d2fa6681045100d2da3f03320628894310e4a7e6a105

memory/4536-136-0x0000000000000000-mapping.dmp

memory/3496-137-0x0000000000000000-mapping.dmp

memory/4652-138-0x0000000000000000-mapping.dmp

memory/4472-139-0x0000000000000000-mapping.dmp

memory/4316-140-0x0000000000000000-mapping.dmp

memory/1860-141-0x0000000000000000-mapping.dmp

memory/3584-142-0x0000000000000000-mapping.dmp

memory/3864-143-0x0000000000000000-mapping.dmp

memory/3048-144-0x0000000000000000-mapping.dmp

memory/4544-145-0x0000000000000000-mapping.dmp

C:\ProgramData\App\regedit.reg

MD5 64c927360c077b3e766b1a4a9bdf8f3a
SHA1 0bb94ae83d4d4223f5908269a1ab6fdf79405a66
SHA256 f8abc166a4efc51f2c6066d7f989c34eb1bdfe95adda8a6c3766e8a956ab6fb9
SHA512 3cf275d0c741615b75197dc257d4b1d851ade9fa848eae64eeeb4412d431bd43c3fac21aa1ade8941f1b6d2d765d2413f97e2fd209b141dc2fe721f5fae97cd1

memory/4768-147-0x0000000000000000-mapping.dmp

C:\ProgramData\App\rutserv.exe

MD5 ba2fb371384526b0f7fd3d6372560bce
SHA1 52f8bdd1486b4cdda984909d07d4bd4d32e4b8b2
SHA256 6dc1a8ff4f5eb116a4a492a6fd3ff9273480cc98813cfb4ba7d75b4facc12987
SHA512 a8a77097d7e59aac2309dfd6216529dec4174ab266c7751ac0cc10bd71b09a5241420efae0e17455667e28a9f289de79098e2add051bdd2184d2fc39ac79fe0e

memory/3992-148-0x0000000000000000-mapping.dmp

C:\ProgramData\App\rutserv.exe

MD5 ba2fb371384526b0f7fd3d6372560bce
SHA1 52f8bdd1486b4cdda984909d07d4bd4d32e4b8b2
SHA256 6dc1a8ff4f5eb116a4a492a6fd3ff9273480cc98813cfb4ba7d75b4facc12987
SHA512 a8a77097d7e59aac2309dfd6216529dec4174ab266c7751ac0cc10bd71b09a5241420efae0e17455667e28a9f289de79098e2add051bdd2184d2fc39ac79fe0e

memory/4092-151-0x0000000000000000-mapping.dmp

C:\ProgramData\App\rutserv.exe

MD5 ba2fb371384526b0f7fd3d6372560bce
SHA1 52f8bdd1486b4cdda984909d07d4bd4d32e4b8b2
SHA256 6dc1a8ff4f5eb116a4a492a6fd3ff9273480cc98813cfb4ba7d75b4facc12987
SHA512 a8a77097d7e59aac2309dfd6216529dec4174ab266c7751ac0cc10bd71b09a5241420efae0e17455667e28a9f289de79098e2add051bdd2184d2fc39ac79fe0e

memory/4432-153-0x0000000000000000-mapping.dmp

C:\ProgramData\App\rutserv.exe

MD5 ba2fb371384526b0f7fd3d6372560bce
SHA1 52f8bdd1486b4cdda984909d07d4bd4d32e4b8b2
SHA256 6dc1a8ff4f5eb116a4a492a6fd3ff9273480cc98813cfb4ba7d75b4facc12987
SHA512 a8a77097d7e59aac2309dfd6216529dec4174ab266c7751ac0cc10bd71b09a5241420efae0e17455667e28a9f289de79098e2add051bdd2184d2fc39ac79fe0e

C:\ProgramData\App\rutserv.exe

MD5 ba2fb371384526b0f7fd3d6372560bce
SHA1 52f8bdd1486b4cdda984909d07d4bd4d32e4b8b2
SHA256 6dc1a8ff4f5eb116a4a492a6fd3ff9273480cc98813cfb4ba7d75b4facc12987
SHA512 a8a77097d7e59aac2309dfd6216529dec4174ab266c7751ac0cc10bd71b09a5241420efae0e17455667e28a9f289de79098e2add051bdd2184d2fc39ac79fe0e

C:\ProgramData\App\vp8decoder.dll

MD5 d43fa82fab5337ce20ad14650085c5d9
SHA1 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256 c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

C:\ProgramData\App\rfusclient.exe

MD5 5dd41537431207d6f0c8d7574b345edd
SHA1 2b3f1085e6a91e4afa454d8e21a9f6f8d1987545
SHA256 8f0a55d2cdd377c51902cbadaf372cd3a84afc393445eb3931ac53f43822886e
SHA512 b0ce40603e781aa767fa9640e157f384dc74d4434c0ab27998373c91241355f87744c06d3b89f2bd7336e9dc3f266fce5fbdce06828e2ca33902e5e09669bae4

C:\ProgramData\App\vp8encoder.dll

MD5 dab4646806dfca6d0e0b4d80fa9209d6
SHA1 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256 cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512 aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

memory/4576-159-0x0000000000000000-mapping.dmp

C:\ProgramData\App\rfusclient.exe

MD5 5dd41537431207d6f0c8d7574b345edd
SHA1 2b3f1085e6a91e4afa454d8e21a9f6f8d1987545
SHA256 8f0a55d2cdd377c51902cbadaf372cd3a84afc393445eb3931ac53f43822886e
SHA512 b0ce40603e781aa767fa9640e157f384dc74d4434c0ab27998373c91241355f87744c06d3b89f2bd7336e9dc3f266fce5fbdce06828e2ca33902e5e09669bae4

C:\ProgramData\App\rfusclient.exe

MD5 5dd41537431207d6f0c8d7574b345edd
SHA1 2b3f1085e6a91e4afa454d8e21a9f6f8d1987545
SHA256 8f0a55d2cdd377c51902cbadaf372cd3a84afc393445eb3931ac53f43822886e
SHA512 b0ce40603e781aa767fa9640e157f384dc74d4434c0ab27998373c91241355f87744c06d3b89f2bd7336e9dc3f266fce5fbdce06828e2ca33902e5e09669bae4

memory/4512-160-0x0000000000000000-mapping.dmp

memory/3168-163-0x0000000000000000-mapping.dmp

memory/3844-164-0x0000000000000000-mapping.dmp

memory/2072-165-0x0000000000000000-mapping.dmp

memory/2080-166-0x0000000000000000-mapping.dmp

memory/3536-167-0x0000000000000000-mapping.dmp

memory/1984-168-0x0000000000000000-mapping.dmp

memory/3924-169-0x0000000000000000-mapping.dmp

C:\ProgramData\App\rfusclient.exe

MD5 5dd41537431207d6f0c8d7574b345edd
SHA1 2b3f1085e6a91e4afa454d8e21a9f6f8d1987545
SHA256 8f0a55d2cdd377c51902cbadaf372cd3a84afc393445eb3931ac53f43822886e
SHA512 b0ce40603e781aa767fa9640e157f384dc74d4434c0ab27998373c91241355f87744c06d3b89f2bd7336e9dc3f266fce5fbdce06828e2ca33902e5e09669bae4

memory/1476-171-0x0000000000000000-mapping.dmp

memory/384-172-0x0000000000000000-mapping.dmp

memory/3956-173-0x0000000000000000-mapping.dmp

memory/1904-174-0x0000000000000000-mapping.dmp

memory/2168-175-0x0000000000400000-0x0000000001208000-memory.dmp